Policy based routing

gregor.stariha
Level 1

Hello everyone!

I want to use a route map to route only FTP traffic over the ADSL link. All other traffic must go over the leased line.

Sample config:

interface FastEthernet0
 ip address 1.1.1.1 255.255.255.0
 ip nat inside
 ip policy route-map ADSL-traffic
!
! FTP control connection (tcp/21) and FTP data (tcp/20)
access-list 140 permit tcp 172.16.222.0 0.0.0.255 any eq ftp
access-list 140 permit tcp 172.16.222.0 0.0.0.255 any eq ftp-data
!
route-map ADSL-traffic permit 20
 match ip address 140
 set ip default next-hop a.b.c.d

So all FTP traffic should go over the ADSL link, and it works if I use a normal FTP session.

But if I want to download drivers from Compaq or HP (and other) sites with the IE or Opera browser, the server ports are no longer the ftp or ftp-data ports but some random ports above 1024. I tried using passive FTP and an established session in the access list, but no luck!

Any suggestions? Thanks,

Grega

1 Reply

kevin-reynolds
Level 1

That is the problem with FTP. The PIX implements the FTP fixup protocol to deal with similar issues. Here is a brief explanation if you are not familiar with FTP. There are two modes of FTP: standard and passive.

In standard mode the client will initiate a command session with the FTP server on port 21. When files are to be transferred between the two, the server will initiate a connection to the client. On this connection the server will have a source port of 20 and the client will have a non-standard port.

In passive mode, the client still initiates a command session on port 21. But when it comes time to transfer data, the client will initiate a connection to the server, from one non-standard port to another non-standard port.

In passive mode it is nearly impossible to accomplish your goal. The only thing I can say is to always use standard mode FTP. But I have seen some FTP servers which will only use passive. Hope this helps.

Kevin
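The following is an added illustration of the behaviour described in the question and the reply; it is not part of the thread and not Cisco code. It models the poster's access-list 140 as a classifier over LAN-originated packets (the only packets an inbound `ip policy route-map` on FastEthernet0 sees), parses the server's `227 Entering Passive Mode` reply to obtain the dynamic data port, and shows that the control connection and the active-mode data connection hit the ACL while the passive-mode data connection falls through to normal routing. The client and server addresses, the ephemeral ports and the 227 reply are constructed sample values.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# The poster's access-list 140, modelled as (action, source network, destination port).
# In "permit tcp <src> any eq ftp", the "eq" after "any" matches the DESTINATION port.
ACL_140 = [
    ("permit", ip_network("172.16.222.0/24"), 21),  # eq ftp
    ("permit", ip_network("172.16.222.0/24"), 20),  # eq ftp-data
]

ADSL = "ADSL (set ip default next-hop)"
LEASED = "leased line (normal routing)"


@dataclass(frozen=True)
class Packet:
    """One LAN-originated TCP packet as the inside interface sees it."""
    src: str
    sport: int
    dst: str
    dport: int


def route_for(pkt: Packet) -> str:
    """Apply ACL 140 the way 'ip policy route-map' does on the inbound interface."""
    for action, net, dport in ACL_140:
        if ip_address(pkt.src) in net and pkt.dport == dport:
            return ADSL if action == "permit" else LEASED
    return LEASED  # implicit deny: the route-map does not apply


PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str):
    """Extract (host, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply.

    The data port is p1*256 + p2 and is chosen by the server for each transfer,
    which is why no static port-based ACL can anticipate it."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    g = m.groups()
    return ".".join(g[:4]), int(g[4]) * 256 + int(g[5])


def classify_session(client: str, server: str, mode: str,
                     pasv_reply: Optional[str] = None) -> dict:
    """Return the path taken by the control and data connections of one FTP session.

    Only client-side packets are modelled, because PBR on FastEthernet0 classifies
    traffic entering from the LAN. Ephemeral ports 4000x are constructed."""
    paths = {"control": route_for(Packet(client, 40001, server, 21))}
    if mode == "active":
        # The server connects from port 20 to the client's PORT-advertised port, so
        # the client's packets on that flow carry destination port 20 and match.
        paths["data"] = route_for(Packet(client, 40002, server, 20))
    elif mode == "passive":
        # The client connects to whatever port the server announced in its 227 reply.
        _, data_port = parse_pasv(pasv_reply)
        paths["data"] = route_for(Packet(client, 40003, server, data_port))
    else:
        raise ValueError("mode must be 'active' or 'passive'")
    return paths


if __name__ == "__main__":
    client, server = "172.16.222.10", "198.51.100.7"  # constructed addresses
    print("active :", classify_session(client, server, "active"))
    print("passive:", classify_session(
        client, server, "passive",
        pasv_reply="227 Entering Passive Mode (198,51,100,7,195,80)"))
```

Running it prints the control and active-mode data connections on the ADSL path and the passive-mode data connection on the leased line, which is the symptom the poster reports with browser downloads. A stateful inspection feature such as the PIX FTP fixup mentioned in the reply closes this gap by reading the 227 reply itself and tracking the announced port, which a static access list cannot do.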