How do I set up Cisco 1600 nat port range for pasv ftp?

Archived from groups: comp.dcom.sys.cisco,comp.security.firewalls (More info?)

I would like to set up my cisco 1600 to support PASV ftp for a
particular ip address using NAT.

In other words I would like to forward packets incoming to ip
192.168.0.2 ports 5500 to 5700. The port range is what I have my ftp
server set up to use, I think it defaults to 1024+.

Internal FTP server: ip 192.168.0.2 ports 21, 5500-5700
external ip address: 1.2.3.4 (for the sake of this question)

I set up the NAT ftp control port 21 (which works fine) with:

ip nat inside source static tcp 192.168.0.2 21 1.2.3.4 21

But to support passive ftp (PASV) I need to also accept incoming
traffic to ports 5500-5700. This is because the ftp server will give
the ftp client a random node in that range to connect to for data
transmission.

I would like to do something like the following, but the cisco router
doesn't like the port range syntax:

ip nat inside source static tcp 192.168.0.2 5500-5700 1.2.3.4 5500-5700

The above line DOES NOT WORK as it is an invalid format, but I think it
give the gist of what I would like the end result to be.

Is there another way to do this? I'm not a cisco router expert so my
knowledge doesn't go much further than setting up "ip nat inside..."
commands.

Thank you,
Johnny
1 answer Last reply
More about cisco 1600 port range pasv
  1. Archived from groups: comp.dcom.sys.cisco,comp.security.firewalls (More info?)

    > But to support passive ftp (PASV) I need to also accept incoming
    > traffic to ports 5500-5700. This is because the ftp server will give
    > the ftp client a random node in that range to connect to for data
    > transmission.

    Not sure how to configure the 1600 to do port forwarding for that range
    of ports but that's not your only problem. Not only does the FTP server
    pass the client a randowm port number for the data connection but it
    also passes its IP address (the internal address) so the client will be
    sending packets to the 192.168.0.2 address. If your FTP server supports
    PASV mode you'll need to configure it to use the external IP address of
    the NAT'ing machine and not it's own private IP address when it
    responds to the PASV command.
Ask a new question

Read More

Firewalls FTP Cisco Networking