
NAT: Passive FTP with non standard port

Hi all,

I have an ASA 5515 and four FTP servers. Currently I have everything configured properly for three of the servers that I need. For the fourth I have two possibilities:

1) use the IP configured for the external interface.

2) use one of the IPs used for the other FTP servers, but with another port.

Is option 1 possible? I did not succeed.

I was then trying to use this configuration:

<public ip>: 2121 -> <internal ip> 21

<public ip>: 2120 -> <internal ip> 20

The problem is that I can log in but cannot access the folders.

I changed the service policy as well, but it is still not working:

class-map inspection_default
 match default-inspection-traffic
class-map FTP-2121
 match port tcp range 2120 2121
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect esmtp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
 class FTP-2121
  inspect ftp

Here is the output of sh service-policy:

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: ftp, packet 186535, lock fail 0, drop 188, reset-drop 0
      Inspect: esmtp _default_esmtp_map, packet 6539637, lock fail 0, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: h323 ras _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0
      Inspect: http, packet 1581437285, lock fail 0, drop 0, reset-drop 0
      Inspect: netbios, packet 105420, lock fail 0, drop 0, reset-drop 0
      Inspect: pptp, packet 0, lock fail 0, drop 0, reset-drop 0
      Inspect: rsh, packet 7, lock fail 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 3857828, lock fail 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: sip , packet 3, lock fail 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: skinny , packet 0, lock fail 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: sqlnet, packet 0, lock fail 0, drop 0, reset-drop 0
      Inspect: sunrpc, packet 0, lock fail 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: tftp, packet 0, lock fail 0, drop 0, reset-drop 0
      Inspect: xdmcp, packet 0, lock fail 0, drop 0, reset-drop 0
    Class-map: FTP-2121
      Inspect: ftp, packet 0, lock fail 0, drop 0, reset-drop 0

Accepted Solution

NAT: Passive FTP with non standard port

Hi bro

If I were you, to achieve this requirement, I wouldn't use MPF. Too much work for a simple requirement. What I would do is as shown below:

static (inside,outside) tcp 202.188.1.14 2120 10.10.10.14 20 netmask 255.255.255.255
static (inside,outside) tcp 202.188.1.14 2121 10.10.10.14 21 netmask 255.255.255.255
!
! Pre-8.3 syntax: an ACL applied inbound on the outside interface matches the
! mapped (global) address and the mapped ports, so it must permit 2120-2121,
! not the real ports 20-21.
access-list acl_outside permit tcp any host 202.188.1.14 range 2120 2121
access-group acl_outside in interface outside

Note: Please remove all the MPF commands that you've inserted, back to default.

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
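The accepted answer is written in the pre-8.3 `static` syntax. An ASA 5515-X ships with 8.6 or later, where NAT is configured on network objects and the interface ACL references the real (inside) address and real port rather than the mapped ones. The same two mappings in that syntax, as an added example that is not part of the original thread (the object names are assumed; the addresses and ports are the ones used in the accepted answer):

```text
! Added example in ASA 8.3+ object-NAT syntax, not from the thread.
! Real server 10.10.10.14; mapped to 202.188.1.14 on 2121 (control) and 2120 (data).
object network FTP4-CTL
 host 10.10.10.14
 nat (inside,outside) static 202.188.1.14 service tcp 21 2121
!
object network FTP4-DATA
 host 10.10.10.14
 nat (inside,outside) static 202.188.1.14 service tcp 20 2120
!
! 8.3+: the interface ACL matches the real address and the real ports.
access-list acl_outside extended permit tcp any host 10.10.10.14 eq 21
access-list acl_outside extended permit tcp any host 10.10.10.14 eq 20
access-group acl_outside in interface outside
```

Option 1 from the question, forwarding from the outside interface address itself, is the same `nat` command with the keyword `interface` in place of the mapped address. The port-20 mapping only matters for active-mode (PORT) transfers, where the server opens the data connection from port 20; in passive mode the data connection goes to a high port that `inspect ftp` on the control connection opens dynamically, and the default global policy's `inspect ftp` is left unchanged, as the accepted answer recommends.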

Re: NAT: Passive FTP with non standard port

It works!

The problem was the test that I did: there are restrictions on the use of FTP clients, and when I tried I could not list the folders. Changing the client works!

Thanks!
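The symptom in the question, login succeeds but the directory listing never comes back, is the classic passive-mode failure: the server's `227 Entering Passive Mode` reply advertises its inside address, or a port the firewall does not allow, so the client's data connection never completes. This added example, not from the thread, parses the 227 reply, classifies the advertised address against the mapped public address, and can log in to a live server to run the check end to end. The public address and control port are the ones from the accepted answer, and the sample replies are constructed, not captured from the poster's servers.

```python
"""Check a passive-mode FTP server behind static PAT (added example, not from the thread)."""
import ipaddress
import re
import socket
import sys
from ftplib import FTP

# Assumed values taken from the accepted answer: mapped address and mapped control port.
PUBLIC_IP = "202.188.1.14"
MAPPED_CTRL_PORT = 2121

# RFC 959 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> tuple:
    """Return (ip, port) advertised in a 227 PASV reply; raise ValueError if malformed."""
    if not reply.startswith("227"):
        raise ValueError(f"not a 227 reply: {reply!r}")
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"no (h1,h2,h3,h4,p1,p2) tuple in {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"octet out of range in {reply!r}")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("advertised data port 0")
    return f"{h1}.{h2}.{h3}.{h4}", port


def diagnose_pasv(reply: str, public_ip: str) -> str:
    """Classify the address the server advertises for the data connection.

    'ok'           - the mapped (public) address: inspection rewrote the reply, or the
                     server is configured to advertise its external address.
    'private-leak' - an RFC 1918 address: the client will try to open the data
                     connection to the inside address and the listing hangs.
    'other-public' - a public address that is not the expected mapped one.
    """
    ip, _port = parse_pasv(reply)
    if ip == public_ip:
        return "ok"
    if ipaddress.ip_address(ip).is_private:
        return "private-leak"
    return "other-public"


def data_port_reachable(ip: str, port: int, timeout: float = 5.0) -> bool:
    """Attempt the TCP handshake to the advertised data endpoint (what the client does next)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_live(host: str, port: int, user: str, password: str, public_ip: str) -> dict:
    """Log in, send PASV, and report what the NAT/inspection path hands back."""
    ftp = FTP()
    ftp.connect(host, port, timeout=10)
    ftp.login(user, password)
    try:
        reply = ftp.sendcmd("PASV")  # raw 227 line, before ftplib parses it
        verdict = diagnose_pasv(reply, public_ip)
        ip, dport = parse_pasv(reply)
        reachable = data_port_reachable(ip, dport)
    finally:
        ftp.quit()
    return {"reply": reply, "verdict": verdict, "data_port_reachable": reachable}


if __name__ == "__main__":
    # Constructed sample replies (not captured from the thread's servers).
    for sample in ("227 Entering Passive Mode (202,188,1,14,195,80)",
                   "227 Entering Passive Mode (10,10,10,14,195,80)"):
        print(sample, "->", parse_pasv(sample), diagnose_pasv(sample, PUBLIC_IP))
    # Live check: python3 pasv_check.py <host> <user> <password>
    if len(sys.argv) == 4:
        print(check_live(sys.argv[1], MAPPED_CTRL_PORT, sys.argv[2], sys.argv[3], PUBLIC_IP))
```

Run it against the mapped address with a test account; a `private-leak` verdict means the ASA is not rewriting the embedded address on that control connection, which is exactly what `inspect ftp` is there to do, and a reply that is `ok` but whose data port is not reachable points at the pinhole or an ACL rather than at the client.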
