Sign in with
Sign up | Sign in
Your question

How do I set up Cisco 1600 nat port range for pasv ftp?

Last response: in Networking
Share
Anonymous
August 11, 2005 3:12:02 PM

Archived from groups: comp.dcom.sys.cisco,comp.security.firewalls (More info?)

I would like to set up my cisco 1600 to support PASV ftp for a
particular ip address using NAT.

In other words I would like to forward packets incoming to ip
192.168.0.2 ports 5500 to 5700. The port range is what I have my ftp
server set up to use, I think it defaults to 1024+.

Internal FTP server: ip 192.168.0.2 ports 21, 5500-5700
external ip address: 1.2.3.4 (for the sake of this question)

I set up the NAT ftp control port 21 (which works fine) with:

ip nat inside source static tcp 192.168.0.2 21 1.2.3.4 21

But to support passive ftp (PASV) I need to also accept incoming
traffic to ports 5500-5700. This is because the ftp server will give
the ftp client a random node in that range to connect to for data
transmission.

I would like to do something like the following, but the cisco router
doesn't like the port range syntax:

ip nat inside source static tcp 192.168.0.2 5500-5700 1.2.3.4 5500-5700

The above line DOES NOT WORK as it is an invalid format, but I think it
give the gist of what I would like the end result to be.

Is there another way to do this? I'm not a cisco router expert so my
knowledge doesn't go much further than setting up "ip nat inside..."
commands.

Thank you,
Johnny
August 12, 2005 1:55:31 PM

Archived from groups: comp.dcom.sys.cisco,comp.security.firewalls (More info?)

> But to support passive ftp (PASV) I need to also accept incoming
> traffic to ports 5500-5700. This is because the ftp server will give
> the ftp client a random node in that range to connect to for data
> transmission.

Not sure how to configure the 1600 to do port forwarding for that range
of ports but that's not your only problem. Not only does the FTP server
pass the client a randowm port number for the data connection but it
also passes its IP address (the internal address) so the client will be
sending packets to the 192.168.0.2 address. If your FTP server supports
PASV mode you'll need to configure it to use the external IP address of
the NAT'ing machine and not it's own private IP address when it
responds to the PASV command.
!