My ftp service runs on port 7001, and this port is allowed inbound on the access-list. In fact I can telnet to the ftp service from the outside to the statically mapped global address and interact with it on the control channel, so the address mapping works and the access-list works.
I have the fixup protocol statements also:
fixup protocol ftp 21
fixup protocol ftp 7001
The problem is when I type PASV, I get a response like the following:
port (192,168,12,46,165,75) <- meaning the protocol is returning to the client a private address, instead of rewriting that address to use the outside global address.
However, if I manually calculate a port number from the response, and telnet into this port using the global address, I get the download completed. So the security algorithm apparently is opening up the transient inbound port (though when I tried it I may have had all tcp ports opened to the host).
Also, my 'debug fixup tcp' doesn't seem to do anything - I have monitor debugging logging on, term mon set, and debug fixup does nothing (even for the other fixup protocols).
Should the fixup protocol command be rewriting the text reply to the PASV ftp command?
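One way to check from the outside whether the fixup actually rewrote the PASV reply, as an added diagnostic that is not part of the original post or any Cisco tooling: parse the RFC 959 (h1,h2,h3,h4,p1,p2) tuple, compute the data port, and compare the advertised address with the mapped global address the control connection went to. The reply text and the global address used here are constructed samples.

```python
import re
import ipaddress

# Constructed sample reply, in the 227 form most servers send for PASV.
SAMPLE_REPLY = "227 Entering Passive Mode (192,168,12,46,165,75)"
# Constructed placeholder for the statically mapped outside address.
SAMPLE_GLOBAL = "203.0.113.10"

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (address, port) advertised in a PASV reply: h1.h2.h3.h4, p1*256+p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("no PASV tuple in reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in PASV reply: %r" % reply)
    addr = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return addr, port


def check_pasv_rewrite(reply, expected_global):
    """Classify the PASV reply relative to the global address the client used.

    'rewritten'      - the reply carries the mapped outside address (inspection worked)
    'leaked-private' - the reply still carries an RFC 1918 address (no rewrite)
    'mismatch'       - some other address, e.g. a different outside host
    """
    addr, port = parse_pasv(reply)
    ip = ipaddress.ip_address(addr)
    if addr == expected_global:
        verdict = "rewritten"
    elif any(ip in net for net in RFC1918):
        verdict = "leaked-private"
    else:
        verdict = "mismatch"
    return {"address": addr, "port": port, "verdict": verdict}


if __name__ == "__main__":
    print(check_pasv_rewrite(SAMPLE_REPLY, SAMPLE_GLOBAL))
```

The port value is what you would telnet to on the global address to confirm the data channel is opened; a 'leaked-private' verdict means the client is being handed an address it cannot reach, even if the pinhole exists.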