I don't have the firewall enabled, currently, I think. You're saying I need to have it on to get this to work?
I've attached my current config. I want to host an ftp server (ftp over ssl, so port 990) on 10.10.10.3. I've already opened up port 990 below, but that's only the control connection. I want to allow passive connections. How can I forward a range of ports for this purpose? Or is there a more elegant setup?
You are going to have some problems with this. First, inspect for ftp will most likely NOT work, I'm 99.99999% sure on this. Why? Because the control session is encrypted (TLS) and so the 871W will NOT be able to see the PASV command.
Why am I only 99.9999% sure? Easy, because there is a CCC command that will tell the FTP server that the next command will be sent in clear text. If you have a client and a server that support the CCC command and you are allowed to use the CCC command (some security teams do not want even one command being sent in clear text over a TLS session), then all you need to do is enable the inspect for ftp and in your ftp process issue the CCC command just prior to the PUT/GET/MPUT/MGET command.
Now, if you for some reason can not use the CCC command then you need to:
Setup your FTP server to only use a specific port range for the data connection.
Code the necessary NATs for those ports.
After that you still may have problems. If your ftp server supports it, you need to configure it to use the PUBLIC ip address you are NAT'ing to for the PASV command. If your ftp server does not support this, then you need to make sure that it and all ftp clients support Extended Passive (EPSV).
Normally the server will put its IP address and the port number it is listening on for the data connection in the PASV reply. Since your server's IP address is non-routable on the Internet, the client will not be able to get to it. And since the PASV reply will be encrypted, your router/firewall can't replace it with the NAT'ed address. What EPSV does is just send the port; the client assumes that the address for the data connection is the same as the control session.
FTP works fine behind just about any firewall/router. The issue is not with FTP, it's with TLS'ed FTP.
In my experience when using TLS'ed FTP they:
1) Setup the FTP server to only use a specific range of ports for the data connections.
2) Setup all filtering devices to allow inbound traffic to the ftp server using the port range defined in #1
3) Make sure all clients and the ftp server support Extended Passive.
What FTP server are you using?
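To make the PASV versus EPSV point concrete, here is a small added example (not from the original thread or from any FTP or Cisco product) that parses the two reply types the way a client does. The replies and the public address 203.0.113.10 are constructed sample values; the private address 10.10.10.3 is the one from the question.

```python
import re
from ipaddress import ip_address

# Constructed sample control-channel replies. A client sees these after TLS is
# removed; the router in the question only ever sees the encrypted bytes.
PASV_REPLY = "227 Entering Passive Mode (10,10,10,3,39,16)."
EPSV_REPLY = "229 Entering Extended Passive Mode (|||10000|)"


def parse_pasv(reply):
    """Return (ip, port) advertised by a 227 PASV reply.

    The server writes its OWN address into the reply. Behind NAT that is the
    private address, which an Internet client cannot reach."""
    if not reply.startswith("227"):
        raise ValueError("not a PASV reply")
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("malformed PASV reply")
    a, b, c, d, p_hi, p_lo = (int(x) for x in m.groups())
    return f"{a}.{b}.{c}.{d}", p_hi * 256 + p_lo


def parse_epsv(reply, control_host):
    """Return (ip, port) for a 229 EPSV reply.

    Only the port is carried; the client reuses the address it already used
    for the control session, so nothing in the reply needs NAT rewriting."""
    if not reply.startswith("229"):
        raise ValueError("not an EPSV reply")
    m = re.search(r"\(\|\|\|(\d+)\|\)", reply)
    if not m:
        raise ValueError("malformed EPSV reply")
    return control_host, int(m.group(1))


def data_endpoint(reply, control_host):
    """Where the client will open the data connection for either reply type."""
    if reply.startswith("227"):
        return parse_pasv(reply)
    if reply.startswith("229"):
        return parse_epsv(reply, control_host)
    raise ValueError("unexpected reply: " + reply)


def advertises_unreachable_address(reply, control_host):
    """True when the reply points the client at a private (RFC 1918) address
    that differs from the public address it is already talking to."""
    ip, _ = data_endpoint(reply, control_host)
    return ip != control_host and ip_address(ip).is_private


if __name__ == "__main__":
    public = "203.0.113.10"  # constructed: the address clients reach Dialer0 on
    for reply in (PASV_REPLY, EPSV_REPLY):
        verdict = "unreachable" if advertises_unreachable_address(reply, public) else "ok"
        print(reply, "->", data_endpoint(reply, public), verdict)
```

The PASV reply decodes to 10.10.10.3:10000, an address no Internet client can route to, while the EPSV reply decodes to 203.0.113.10:10000 because the port is the only thing the server sent. That is exactly the gap the router's inspect engine would normally fill by rewriting the reply, and cannot fill once the control channel is encrypted.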
O.k., if this FTP server is going to be used by people coming from the Internet only you can configure FileZilla to use the external/public IP address for passive mode data transfers.
If you go into the server options and select passive mode settings, you can configure a specific external IP address. On this same page is where you can configure what port range to use for passive transfers.
Now, if you do NOT have a static external IP address you can check the "Retrieve external IP address from:" box.
I don't think there is a range option on the static nat, so you would need to do something like:
ip nat inside source static tcp 10.10.10.3 10000 interface Dialer0 10000
ip nat inside source static tcp 10.10.10.3 10001 interface Dialer0 10001
ip nat inside source static tcp 10.10.10.3 10002 interface Dialer0 10002
ip nat inside source static tcp 10.10.10.3 10003 interface Dialer0 10003
ip nat inside source static tcp 10.10.10.3 10004 interface Dialer0 10004
"
"
ip nat inside source static tcp 10.10.10.3 10049 interface Dialer0 10049
If you wanted to use ports 10000 - 10049. Do you have multiple public IP addresses? If so, it may be easier to just give this ftp server its own public IP address.
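Since IOS static NAT takes one port per line, the 50-line block above is tedious to type and easy to get wrong (a single mistyped keyword silently leaves one passive port unforwarded). The following is an added example, not part of the original answer or any Cisco tooling, that generates the entries for a passive range and audits an existing config excerpt against the intended range. The ACL name OUTSIDE_IN is a placeholder (the asker's real ACL is not shown), and the ACL lines assume it is applied inbound on Dialer0, where IOS evaluates it before the outside-to-inside translation and therefore against the public address, hence `any` as the destination. SAMPLE_CONFIG is a constructed excerpt.

```python
import re


def static_nat_lines(inside_ip, first_port, last_port, outside_if="Dialer0"):
    """One 'ip nat inside source static tcp' line per passive port, matching
    the per-port form used in the answer above."""
    if not (0 < first_port <= last_port < 65536):
        raise ValueError("bad port range")
    return [
        f"ip nat inside source static tcp {inside_ip} {p} interface {outside_if} {p}"
        for p in range(first_port, last_port + 1)
    ]


def acl_lines(acl_name, first_port, last_port, control_port=990):
    """Inbound ACL permitting the control port and the passive range.

    Assumption: applied inbound on the outside (Dialer0) interface, which sees
    the untranslated public address, so the destination is 'any'."""
    return [
        f"ip access-list extended {acl_name}",
        f" permit tcp any any eq {control_port}",
        f" permit tcp any any range {first_port} {last_port}",
    ]


NAT_LINE = re.compile(
    r"^ip nat inside source static tcp (\S+) (\d+) interface (\S+) (\d+)$"
)


def audit_nat_config(config_text, inside_ip, first_port, last_port, control_port=990):
    """Compare a config excerpt with the passive range the FTP server uses.

    Returns (missing, unexpected): passive ports with no static entry, and
    ports forwarded to inside_ip that are neither the control port nor part of
    the passive range. Lines that are not valid static tcp entries (for example
    a mistyped keyword) simply do not count as forwarded."""
    forwarded = set()
    for line in config_text.splitlines():
        m = NAT_LINE.match(line.strip())
        if m and m.group(1) == inside_ip:
            forwarded.add(int(m.group(4)))  # the port exposed on the outside
    wanted = set(range(first_port, last_port + 1))
    missing = sorted(wanted - forwarded)
    unexpected = sorted(forwarded - wanted - {control_port})
    return missing, unexpected


# Constructed running-config excerpt: one entry has a typo ('tcc'), and one
# port (10050) lies outside the intended 10000-10002 range.
SAMPLE_CONFIG = """\
ip nat inside source static tcp 10.10.10.3 990 interface Dialer0 990
ip nat inside source static tcp 10.10.10.3 10000 interface Dialer0 10000
ip nat inside source static tcp 10.10.10.3 10001 interface Dialer0 10001
ip nat inside source static tcc 10.10.10.3 10002 interface Dialer0 10002
ip nat inside source static tcp 10.10.10.3 10050 interface Dialer0 10050
"""

if __name__ == "__main__":
    print("\n".join(acl_lines("OUTSIDE_IN", 10000, 10049)))
    print("\n".join(static_nat_lines("10.10.10.3", 10000, 10049)))
    print("audit of sample:", audit_nat_config(SAMPLE_CONFIG, "10.10.10.3", 10000, 10002))
```

Run against the sample excerpt, the audit reports port 10002 as missing (the mistyped line is not a valid entry) and 10050 as an unexpected exposure. Keeping the generated range, the FileZilla passive range and the ACL in step is what prevents half-working transfers that fail only on some of the ports.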
by: leibinusa  Posted on 2009-02-25 at 13:16:18  ID: 23738516
set up firewall on router "ip inspect" and enable inspection on ftp. the firewall will open ports for ftp automatically.