We have FTP servers on the inside and DMZ of our 515E running 6.2(3), with static routing through the firewall in every direction. We observe regular failures accessing the servers from both outside and inside. The faults concern the data transfer: usually time-outs, but sometimes "can't build data connection" (425).
We use the PORT flavour of the protocol, and a variety of clients. The servers are ProFtpd for Linux.
Sorry about the delay, but it's taken some time to get meaningful logging. I've got snips from a PIX log and two TCPDUMPs, one from each side of the PIX. The file is largish, so I'm e-mailing it to you directly.
'server' is on the DMZ and 'client' is inside.
As you will see, the first FIN packet from the client fails to make it through the PIX, in the case of the 8th transfer in this batch. This is typical behaviour.
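The comparison described above, two captures taken on either side of the firewall for one active-mode (PORT) transfer, can be automated. The following is an added example, not the poster's code or data: it parses a simplified tcpdump line format, derives the data-channel endpoint from the client's PORT command (the same information the firewall's FTP inspection uses to open the data connection), and reports which packets seen on the near side never appeared on the far side. The capture text, the addresses (client 10.1.1.5 inside, server 172.16.1.10 on the DMZ) and the assumption that the firewall does not translate addresses between the two capture points are all constructed for the example.

```python
import re
from collections import Counter
from typing import List, NamedTuple, Tuple

# Constructed sample captures (not real data): the same data connection seen
# on the inside interface and on the DMZ interface. Line format is a
# simplified tcpdump style: "ts IP src.port > dst.port: Flags [..], seq N".
# Assumption: addresses are identical on both sides (no translation).
INSIDE_CAPTURE = """\
10:00:01.000100 IP 172.16.1.10.20 > 10.1.1.5.40001: Flags [S], seq 100
10:00:01.000200 IP 10.1.1.5.40001 > 172.16.1.10.20: Flags [S.], seq 200
10:00:01.000300 IP 172.16.1.10.20 > 10.1.1.5.40001: Flags [.], seq 101
10:00:01.500000 IP 10.1.1.5.40001 > 172.16.1.10.20: Flags [F.], seq 201
10:00:02.500000 IP 10.1.1.5.40001 > 172.16.1.10.20: Flags [F.], seq 201
"""
DMZ_CAPTURE = """\
10:00:01.000150 IP 172.16.1.10.20 > 10.1.1.5.40001: Flags [S], seq 100
10:00:01.000250 IP 10.1.1.5.40001 > 172.16.1.10.20: Flags [S.], seq 200
10:00:01.000350 IP 172.16.1.10.20 > 10.1.1.5.40001: Flags [.], seq 101
10:00:02.500050 IP 10.1.1.5.40001 > 172.16.1.10.20: Flags [F.], seq 201
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+))?"
)
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


class Packet(NamedTuple):
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    seq: int

    def key(self) -> Tuple:
        # Identity used to match a packet across the two captures; the
        # timestamp is deliberately excluded since it differs per capture point.
        return (self.src, self.sport, self.dst, self.dport, self.flags, self.seq)


def parse_port_command(line: str) -> Tuple[str, int]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (client_ip, client_port)."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("PORT field out of range: %r" % line)
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("PORT announces port 0: %r" % line)
    return ".".join(str(n) for n in nums[:4]), port


def parse_capture(text: str) -> List[Packet]:
    """Parse capture lines; lines that do not match the format are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        packets.append(Packet(m["ts"], m["src"], int(m["sport"]), m["dst"],
                              int(m["dport"]), m["flags"],
                              int(m["seq"]) if m["seq"] else -1))
    return packets


def data_channel_packets(packets: List[Packet], client_ip: str, client_port: int) -> List[Packet]:
    """Keep only packets that belong to the data connection announced by PORT."""
    return [p for p in packets
            if (p.src == client_ip and p.sport == client_port)
            or (p.dst == client_ip and p.dport == client_port)]


def missing_on_far_side(near_text: str, far_text: str) -> List[Packet]:
    """Packets present in the near-side capture but absent from the far side.

    Retransmissions share a key, so a dropped original followed by a
    successful retransmit is reported as one missing copy of that packet.
    """
    remaining = Counter(p.key() for p in parse_capture(far_text))
    missing = []
    for p in parse_capture(near_text):
        if remaining[p.key()] > 0:
            remaining[p.key()] -= 1
        else:
            missing.append(p)
    return missing


if __name__ == "__main__":
    client_ip, client_port = parse_port_command("PORT 10,1,1,5,156,65")
    print("data channel endpoint announced by client:", client_ip, client_port)
    for p in missing_on_far_side(INSIDE_CAPTURE, DMZ_CAPTURE):
        print("seen inside, not on DMZ:", p.ts, p.src, p.sport, "->", p.dst, p.dport, p.flags)
```

Run with two real capture files (read into the two strings) once the firewall's translations, if any, have been normalised; with the constructed data above it reports one copy of the client's FIN as seen inside but never on the DMZ, which is the pattern the post describes.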