[c-nsp] passive ftp static nat
Tolstykh, Andrew
ATolstykh at integrysgroup.com
Tue Apr 14 10:31:57 EDT 2009
Dan,
In addition to the outbound CBAC inspection map you also need to create
another "ip inspect cbac_in" map (add ftp/data app inspection) and apply
it in the inbound direction on SVI VL800.
Andrew Tolstykh
Senior Network Analyst
Integrys Business Support, LLC
atolstykh at integrysgroup.com
(312) 240-3652
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dan Letkeman
Sent: Friday, April 10, 2009 10:30 AM
To: cisco-nsp
Subject: [c-nsp] passive ftp static nat
Hello,
I'm having trouble logging into our ftp server from an external
source. It works when you set the client to active mode, but passive
mode always hangs.
2821, IOS Firewall
Relevant config:
ip inspect name SDM_LOW ftp
interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.252
 ip nat inside
!
!
interface FastEthernet0/0/3
 description Internet
 switchport access vlan 800
 bandwidth 10000
 no cdp enable
!
!
interface Vlan800
 description Internet
 bandwidth 10000
 ip address 64.x.x.1 255.255.255.224
 ip access-group firewall in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 no mop enabled
!
!
ip nat pool 152 64.x.x.1 64.x.x.1 netmask 255.255.255.224
ip nat inside source list internet-152 pool 152 overload
ip nat inside source static tcp 172.16.0.24 21 64.x.x.1 21 extendable
ip nat inside source static tcp 172.16.0.24 80 64.x.x.1 80 extendable
!
ip access-list extended firewall
 permit tcp any host 64.x.x.1 eq ftp
 deny ip any any log
!
ip access-list extended internet-152
 permit tcp host 172.16.0.24 any
I have tried adding: "permit tcp any host 64.x.x.1 gt 1024
established" to the firewall acl, but it still does not seem to
connect from a passive ftp client.
Dan.
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/