PIX firmware 7.2.1, trying to run FTP on a nonstandard port (8021); it appears that the inspection engine is causing issues. I have deleted my default inspection policy and created a new one for FTP on port 8021. I can connect but never get the data channels to open. Am I missing something with creating a new inspection policy? It does not work in either active or passive mode, and I do have the data channel port open, but never see a hit on that...
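For reference, an added example (not the poster's own configuration) of how FTP inspection is bound to a nonstandard control port on PIX/ASA 7.x: a class-map matching tcp/8021 is attached to the global policy with inspect ftp, so the engine can read the PORT/PASV exchange and open the data-channel pinholes itself. Port 8021 is from the question above; the class-map name is an assumption.

```cisco
! Added example, not the poster's config. Port 8021 comes from the question;
! the class-map name FTP-8021 is made up for illustration.
!
! Weak form: the default inspection class only matches FTP on tcp/21, so a
! control session on 8021 is treated as plain TCP and no data-channel
! pinholes are opened, whatever the static ACL permits.
!
! Corrected form: match the nonstandard control port and inspect it, while
! keeping the default class so standard FTP on tcp/21 is still inspected.
class-map FTP-8021
 match port tcp eq 8021
!
policy-map global_policy
 class inspection_default
  inspect ftp
 class FTP-8021
  inspect ftp
!
service-policy global_policy global
```

With inspection in place the data connection should show up under show conn as a child of the control session, and show service-policy inspect ftp counts the inspected packets; a static permit for the data port is not needed for active or passive mode once the engine sees the control channel.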
I have the same problem with the NATting FTP server using nonstandard port 990: it connects to the FTP client using the global addresses but never opens the data channels because it uses the local address. Even when we tried to permit the local IP addresses, the router kept denying them. What is the proper configuration for this? ...
Thank you for asking. I did not try to use fixup, but I found the problem when using FTP over SSL with ports 990 and 989: that encrypts the control connection in the packet, so when using NAT with FTPS (FTP over SSL) the router can never read the global IP address because it is encrypted. We tested the FTP server without NAT and it successfully connected to the NATted FTP clients with no issues, but when we put NAT in, the connections drop. Now we need to configure the FTP server to use the global IP address instead of the private address in the payload of the packets. Do you have an idea how to achieve this?
When you send traffic from the FTP client it hits the router and is overloaded; the traffic goes through the network to the router at the server side, which will see it from the overload (global) IP.
Question, how is the NAT set-up?
Can you provide that set-up?
I am not sure how to set this up the way you want so the client will see traffic from a different IP other than the global. At the remote end, do they have an ACL set up? If they do, I would have them open the ACL for the network you are coming from rather than the NAT host.
access-list FTP-Server permit tcp host 10.1.1.1 any eq
So communication back from the client will use the public, but traffic from the server will use the global. The only way for the distant end to allow traffic is to have the ACL set up with the global in it.
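As an added example (not from any of the replies above) of the approach that works when the control channel is encrypted: since inspect ftp cannot read a TLS-protected PASV reply, the firewall can neither rewrite the private address nor open pinholes, so the usual fix is to pin the server's passive port range, have the server advertise its public address in PASV replies (a server-side setting, for instance pasv_address and pasv_min_port/pasv_max_port in vsftpd), and then permit only that fixed range to the server's static translation. The inside address 10.1.1.1 is taken from the ACL in this thread; the public address, ACL name and passive range 50000-50100 are assumptions using documentation address space.

```cisco
! Added example, not from this thread. 203.0.113.10 is a documentation
! address (RFC 5737), the passive range 50000-50100 is assumed, and the
! inside address 10.1.1.1 is the one used in the ACL above.
!
! FTPS on tcp/990 encrypts the control channel, so inspect ftp cannot see
! PASV replies or open data pinholes. The server must therefore advertise
! the global address itself and use a fixed passive range, which is
! permitted here explicitly, scoped to the single static translation.
static (inside,outside) 203.0.113.10 10.1.1.1 netmask 255.255.255.255
!
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.10 eq 990
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.10 range 50000 50100
access-group OUTSIDE-IN in interface outside
```

Keeping the passive range narrow limits the exposure created by the static permit, and show access-list OUTSIDE-IN shows hit counts on the range entry when passive transfers actually reach the server; a control session that connects but data channels that never hit the ACL usually means the server is still advertising 10.1.1.1 rather than the global address.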