How do I set up Cisco 1600 nat port range for pasv ftp?

Guest
Archived from groups: comp.dcom.sys.cisco,comp.security.firewalls (More info?)

I would like to set up my cisco 1600 to support PASV ftp for a
particular ip address using NAT.

In other words I would like to forward packets incoming to ip
192.168.0.2 ports 5500 to 5700. The port range is what I have my ftp
server set up to use, I think it defaults to 1024+.

Internal FTP server: ip 192.168.0.2 ports 21, 5500-5700
external ip address: 1.2.3.4 (for the sake of this question)

I set up the NAT ftp control port 21 (which works fine) with:

ip nat inside source static tcp 192.168.0.2 21 1.2.3.4 21

But to support passive ftp (PASV) I need to also accept incoming
traffic to ports 5500-5700. This is because the ftp server will give
the ftp client a random node in that range to connect to for data
transmission.

I would like to do something like the following, but the cisco router
doesn't like the port range syntax:

ip nat inside source static tcp 192.168.0.2 5500-5700 1.2.3.4 5500-5700

The above line DOES NOT WORK as it is an invalid format, but I think it
gives the gist of what I would like the end result to be.

Is there another way to do this? I'm not a cisco router expert so my
knowledge doesn't go much further than setting up "ip nat inside..."
commands.

Thank you,
Johnny

Brad
Dec 31, 2007

> But to support passive ftp (PASV) I need to also accept incoming
> traffic to ports 5500-5700. This is because the ftp server will give
> the ftp client a random node in that range to connect to for data
> transmission.

Not sure how to configure the 1600 to do port forwarding for that range
of ports but that's not your only problem. Not only does the FTP server
pass the client a random port number for the data connection but it
also passes its IP address (the internal address) so the client will be
sending packets to the 192.168.0.2 address. If your FTP server supports
PASV mode you'll need to configure it to use the external IP address of
the NAT'ing machine and not its own private IP address when it
responds to the PASV command.
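As an added example (not part of either post), this small Python check decodes a server's 227 PASV reply the way a client does and reports the two failure modes discussed in the thread: the server advertising its private 192.168.0.2 address instead of the NAT address, and a data port falling outside the 5500-5700 range the router forwards. The addresses, port range and sample replies are constructed from the values in the question.

```python
import ipaddress
import re

# Constructed values mirroring the thread: internal server 192.168.0.2,
# external (NAT) address 1.2.3.4, forwarded data-port range 5500-5700.
EXTERNAL_IP = "1.2.3.4"
PASV_PORT_RANGE = (5500, 5700)

# RFC 959 reply format: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
_PASV_RE = re.compile(r"227[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or None if it is not one."""
    m = _PASV_RE.search(reply)
    if not m:
        return None
    fields = m.groups()
    ip = ".".join(fields[:4])
    port = int(fields[4]) * 256 + int(fields[5])  # p1*256 + p2 per RFC 959
    return ip, port


def check_pasv(reply, external_ip=EXTERNAL_IP, port_range=PASV_PORT_RANGE):
    """List the reasons a client outside the NAT could not use this reply.

    An empty list means the reply is usable: the public address is
    advertised and the data port lies inside the forwarded range.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["not a 227 PASV reply"]
    ip, port = parsed
    problems = []
    if ipaddress.ip_address(ip).is_private:
        # The server handed out its inside address; the client would try
        # to reach 192.168.x.x, which is unroutable from the Internet.
        problems.append(f"private address {ip} advertised; expected {external_ip}")
    elif ip != external_ip:
        problems.append(f"advertised {ip} is not the NAT external address {external_ip}")
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append(f"data port {port} outside forwarded range {lo}-{hi}")
    return problems


if __name__ == "__main__":
    # Constructed replies: the broken case Brad describes, then a fixed one.
    for r in ("227 Entering Passive Mode (192,168,0,2,21,124)",
              "227 Entering Passive Mode (1,2,3,4,21,124)"):
        print(r, "->", check_pasv(r) or "OK")
```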