FTP on a nonstandard port?

shave
Level 1

PIX firmware 7.2.1, trying to run FTP on a nonstandard port (8021); it appears that the inspection engine is causing issues. I have deleted my default inspection policy and created a new one for FTP on port 8021. I can connect but never get the data channels to open. Am I missing something with creating a new inspection policy? It does not work in either active or passive mode, and I do have the data channel port open, but never see a hit on that...

Thanks,
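For reference, this is what a nonstandard-port FTP inspection looks like on PIX/ASA 7.x Modular Policy Framework. It is an added example, not the original poster's configuration; the interface names, addresses, ACL name and the policy-map name global_policy (the default one the PIX ships with) are assumptions. The point a practitioner wants to see: the FTP inspection engine opens the data-channel pinholes itself after reading PORT/PASV from the control connection, which it can only do if a class matching the control port (here TCP/8021) is attached to the policy. A separate static ACL entry for the data port does nothing useful because the inspection, not the ACL, is what admits the data connection. Also, rather than deleting the default global policy, add a class to it; deleting it removes the default inspections for every other protocol.

```text
! Added example, not the poster's configuration.
! Assumptions: FTP server 10.1.1.10 on the inside interface, translated to
! 203.0.113.10 on the outside, control channel on TCP/8021, default policy-map
! name global_policy, outside ACL named outside_in.

! Static translation for the server (placeholder addresses).
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255

! Only the control port needs an explicit permit from the outside. Do not add
! a line for the data ports; the inspection opens those dynamically.
access-list outside_in extended permit tcp any host 203.0.113.10 eq 8021
access-group outside_in in interface outside

! Match the nonstandard control port.
class-map FTP-8021
 match port tcp eq 8021

! Add the class to the existing global policy instead of replacing it, so the
! default inspections (inspection_default class) stay in place.
policy-map global_policy
 class FTP-8021
  inspect ftp

! Already present in a default configuration; shown for completeness.
service-policy global_policy global
```

To confirm the engine is actually seeing the control channel, watch the counters in `show service-policy inspect ftp` while a client connects; if the packet count for class FTP-8021 stays at zero, the class is not matching and no pinholes will ever be opened, which matches the "never see a hit" symptom described above.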

7 Replies

elparis
Cisco Employee

Could you share the new inspection policy for FTP on port 8021 and the relevant parts of the configuration, i.e. the following:

show run access-group

show run access-list

show service-policy

as well as where the FTP server is in relation to your ASA, i.e. on the inside or on the outside?

fdarwazeh
Level 1

I have the same problem with the NATted FTP server using the non-standard port 990. It connects to the FTP client using the global addresses but never opens the data channels, because it uses the local address. Even when we tried to permit the local IP addresses, the router kept denying them. What is the proper configuration for this? ...

Rick Morris
Level 6

Have you tried to set up the fixup protocol?

Thank you for asking. I did not try to use fixup, but I found the problem: when using FTP over SSL with ports 990 and 989, the control connection in the packet is encrypted, so when using NAT with FTPS (FTP over SSL) the router will never read the global IP address because it is encrypted. We tested the FTP server without NAT and it successfully connected to the NATted FTP clients with no issues, but when we put NAT in, the connections drop. Now we need to configure the FTP server to use the global IP address instead of the private address in the payload of the packets. Do you have an idea how to achieve this?
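The approach asked about above, advertising the global address in the FTPS control channel and pinning the passive port range so the NAT device needs only static translations, is shown here as an added example. It is not from the thread and assumes the server runs vsftpd (the poster never names the server software); the addresses, port range and certificate paths are placeholders. Because the control channel is TLS-encrypted, no NAT device or inspection engine can rewrite the 227 PASV reply, so the server itself has to put the outside address there, and the data ports have to be predictable enough to translate statically.

```text
# Added example, not from the thread. Assumes vsftpd; all values are placeholders.

# Implicit FTPS on the control port discussed in the thread (TCP/990).
listen=YES
listen_port=990
ssl_enable=YES
implicit_ssl=YES
rsa_cert_file=/etc/ssl/certs/ftps.pem
rsa_private_key_file=/etc/ssl/private/ftps.key

# The control channel is encrypted, so NAT cannot rewrite the address vsftpd
# places in the PASV reply. Advertise the global (outside) address instead of
# the server's private interface address.
pasv_enable=YES
pasv_address=203.0.113.10

# Pin passive data connections to a small, known range so the NAT device can be
# given static port translations for exactly these ports to the private address.
pasv_min_port=50000
pasv_max_port=50019

# Active mode has the same problem in the other direction (the client's PORT
# command is also hidden inside TLS), so disable it and require passive mode.
port_enable=NO
```

The router in front of the server then needs static translations for TCP/990 and TCP/50000-50019 from 203.0.113.10 to the server's private address, and nothing else; fixup/inspection cannot help here because it never sees the commands. The client must be told to use passive mode.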

I think I need some help understanding what you are doing.

host --- vpn --- host

Can you give me a general overview of the topology you are in so I can understand the set-up a little better?

I don't have VPN tunnel

FTPserver--router1811--MPLS--router--FTPclient

That is my topology, and because FTP over SSL encrypts the packets, the site does not want to use a VPN.

wow, sorry I missed that there.

right.

I think I understand correctly now.

When you send traffic from the FTP client, it hits the router and is overloaded; the traffic goes through the network to the router at the server side, which will see it from the overload (global) IP.

Question, how is the NAT set-up?

Can you provide that set-up?

I am not sure how to set this up the way you want, so that the client will see traffic from a different IP other than the global. The remote end: do they have an ACL set up? If they do, then I would have them open the ACL for the network you are coming from rather than the NAT host.

For example:

static 63.163.18.234 255.255.255.0 access-list FTP-Server

access-list FTP-Server permit tcp host 10.1.1.1 any eq

So communication back from the client will use the public, but traffic from the server will use the global. The only way for the distant end to allow traffic is to have the acl set-up with the global in it.

I think... maybe... I hope!
