It could be a bug or it could just be that FTP is a huge pain to get working
with NAT and firewalls due to its behavior. Firewalls at either end,
including a personal firewall on the end system, can wreak havoc. Changing
to passive might help because then the server doesn't try to open a session
from port 20 to the client's chosen port. But passive might not work either
because then the client opens a session from a not-well-known port to the
server on a not-well-known port.

And then there's the whole yuckiness of the FTP commands that have an IP
address in them which NAT has to fix.

Of course, a stateful firewall and NAT implementation should handle all
this, but it's a lot for them to do and some of them don't do it right.

Some commonly-used FTP implementations set the IP address in the PORT
command to 0.0.0.0, with the intention being that the server should simply
open the data connection on the same client that opened the control
connection. Setting the IP address to 0.0.0.0 can confuse firewalls.

On Cisco IOS release 6.x(x), the PIX fixup protocol for FTP does not allow
the IP address for the data connection to be different from the one already
in use for the control connection. The reason for this is to thwart a hacker
who could use the PORT command to launch an attack on another host. Although
the FTP implementations that set the IP address to 0.0.0.0 are not
intentional hacks, they do trigger a problem with the fixup protocol and
other firewalls that were designed to disallow FTP third-party mode and to
avoid FTP bounce attacks.

You may need to get out a protocol analyzer and determine exactly what is
happening.

Many more details to help you with that in my FTP white paper here:

http://www.troubleshootingnetworks.com/ftpinfo.html

Priscilla

Raj Santiago wrote:
> 
> Hi Vikram,
> 
> Have you tried connecting to the server using passive FTP? I
> have encountered bugs relating to PAT as Andrew mentioned. The
> workaround I applied was to remove "ip route-cache" on the NAT
> inside and outside interface. This was temporary till the bug
> was fixed, of course...
> 
> 
> 
> http://www.cisco.com/en/US/about/ac123/ac147/ac174/ac199/about_cisco_ipj_archive_article09186a00800c85a7.html
> 
> 
> raj
> 
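The points above about the PORT command carrying an IP address, NAT having to rewrite it, 0.0.0.0 meaning "same client as the control connection", and a strict fixup rejecting any address that differs from the control peer (FTP third-party mode) can be made concrete with a small inspector. The following is an added example for this message, not code from the post, the thread, or any Cisco product. The PORT syntax (h1,h2,h3,h4,p1,p2, port = p1*256+p2) is from RFC 959; the verdict names, the handling of 0.0.0.0, and all sample addresses (RFC 1918 inside and RFC 5737 documentation ranges) are constructed for illustration.

```python
"""Added example: the checks an FTP-aware firewall or NAT "fixup" applies to
the PORT command.  Not code from the post or any vendor; PORT syntax is from
RFC 959, verdict names and sample addresses are constructed for illustration.
"""
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2 : the client's data address and port as decimal bytes
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port(cmd):
    """Return (ip, port) from a PORT command line; ValueError if malformed."""
    m = PORT_RE.match(cmd.strip())
    if not m:
        raise ValueError("not a well-formed PORT command: %r" % cmd)
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % cmd)
    ip = str(ipaddress.IPv4Address(".".join(str(f) for f in fields[:4])))
    port = fields[4] * 256 + fields[5]
    return ip, port


def build_port(ip, port):
    """Inverse of parse_port: encode an address and port in PORT syntax."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return "PORT %s,%d,%d" % (",".join(octets), port >> 8, port & 0xFF)


def inspect_port(cmd, control_peer_ip, allow_wildcard=True):
    """Classify a PORT command against the control connection's peer address.

    'ok'          address matches the control peer (what a strict fixup expects)
    'wildcard'    address is 0.0.0.0: "same host as the control connection"
    'third-party' address differs: FTP third-party mode, which bounce-aware
                  firewalls and the PIX fixup described in the post reject
    'malformed'   cannot be parsed at all
    With allow_wildcard=False, 0.0.0.0 is treated as third-party, which is
    the behaviour the post describes as confusing to some firewalls.
    """
    try:
        ip, _port = parse_port(cmd)
    except ValueError:
        return "malformed"
    if ip == "0.0.0.0":
        return "wildcard" if allow_wildcard else "third-party"
    return "ok" if ip == control_peer_ip else "third-party"


def nat_rewrite_port(cmd, inside_ip, outside_ip, allow_wildcard=True):
    """Rewrite the PORT payload the way a NAT FTP ALG must, and report the
    data-connection pinhole it has to open.

    Returns (verdict, new_cmd, pinhole).  When the verdict is 'ok' or
    'wildcard', new_cmd carries the translated outside address and pinhole is
    (outside_ip, data_port, inside_ip): a connection from the server's port 20
    to outside_ip:data_port is to be translated to inside_ip:data_port.  Any
    other verdict drops the command (new_cmd and pinhole are None).
    Note: when the rewritten address string has a different length, the TCP
    segment length changes and the ALG must also fix sequence numbers on the
    control connection; that bookkeeping is part of why stateful FTP handling
    is a lot for a NAT device to do.
    """
    verdict = inspect_port(cmd, inside_ip, allow_wildcard)
    if verdict not in ("ok", "wildcard"):
        return verdict, None, None
    _ip, data_port = parse_port(cmd)
    pinhole = (outside_ip, data_port, inside_ip)
    return verdict, build_port(outside_ip, data_port), pinhole


if __name__ == "__main__":
    # Constructed sample control-channel lines from an inside client 10.0.0.5
    # being translated to the outside address 203.0.113.7.
    inside, outside = "10.0.0.5", "203.0.113.7"
    for line in ("PORT 10,0,0,5,4,1",    # normal active-mode client
                 "PORT 0,0,0,0,4,1",     # client that sends 0.0.0.0
                 "PORT 10,0,0,9,4,1",    # third-party address: rejected
                 "PORT 300,0,0,1,4,1"):  # malformed: rejected
        print(line, "->", nat_rewrite_port(line, inside, outside))
```

Running the block shows the first two lines rewritten to `PORT 203,0,113,7,4,1` with a pinhole for the server's connection back to port 1025, while the third-party and malformed lines are dropped; setting `allow_wildcard=False` makes the 0.0.0.0 line fail the same way, which is the interaction the post describes between lenient clients and strict fixups.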

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61628&t=61549
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]