
Cisco 1720 no Active FTP with NAT

I have a T1 with 1720 at network edge... users inside the network can access outside servers using Passive FTP but not Active FTP. I believe this is due to NAT, but not sure.

Would adding one or both of these lines fix problem, where should I put it, and what is the difference:

permit tcp any eq ftp
permit tcp any eq ftp-data

Thanks for any help!

Here is my configuration:

service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service tcp-small-servers
no service udp-small-servers
hostname Mach_1_Router
enable password 7 ********
no ip name-server
ip subnet-zero
no ip domain-lookup
ip routing
interface FastEthernet 0
 no shutdown
 description connected to EthernetLAN
 ip address
 ip nat inside
 keepalive 10
interface Serial 0
 no shutdown
 description connected to Internet
 service-module t1 clock source line
 service-module t1 data-coding normal
 service-module t1 remote-loopback full
 service-module t1 framing esf
 service-module t1 linecode b8zs
 service-module t1 lbo none
 service-module t1 remote-alarm-enable
 ip address **.***.***.26
 ip nat outside
 encapsulation ppp
! Access Control List 1
no access-list 1
access-list 1 permit
! Access Control List 100
no access-list 100
access-list 100 permit ip any any
! Static NAT
ip nat inside source static **.***.5.9
! Dynamic NAT
ip nat translation timeout 86400
ip nat translation tcp-timeout 86400
ip nat translation udp-timeout 300
ip nat translation dns-timeout 60
ip nat translation finrst-timeout 60
ip nat pool Mach_1_Router-natpool-1 **.***.5.9 **.***.5.14 netmask
ip nat inside source list 1 pool Mach_1_Router-natpool-1 overload
! DHCP Server
service dhcp
ip dhcp pool 1
 domain-name mach1wireless.com
 dns-server **.***.16.67 **.***.17.71
router rip
 version 2
 passive-interface Serial 0
 no auto-summary
ip classless
! IP Static Routes
ip route Serial 0
no ip http server
snmp-server community public RO
snmp-server location *********
snmp-server contact **********
line console 0
 exec-timeout 0 0
 password 7 ********
 transport input none
line vty 0 4
 password 7 **********

1 Solution
As long as you don't block ports 20 & 21 outbound with access lists, you should be able to do FTP outside your router. You do not have to allow port 20 & 21 back into your network to be able to FTP to a server on the Internet.

Is there a firewall?  This might be the source of the problem where it only is allowing port 21.
NAT should not affect Passive FTP. PAT might - I'm not sure.

I agree with NetSpec, a firewall or ACL is more likely to be the culprit. Although your ACL seems to be fairly permissive.
Your access list isn't applied to an interface anyway, so it doesn't do anything. The problem is NAT.

Your NAT is translating inside private addresses to ephemeral TCP ports on the outside address. The router keeps track of which port and address on the inside is translated to which port on the outside address you configured with your NAT pool. When you use passive FTP, the server on the outside uses the same TCP port that the command came from to send data back. So the router knows that port and sends the data back to your client on the inside.

With active FTP, the server attempts to open a new session TO port 20 on the client. But the server thinks the client address is your outside address, and the router can't translate that back to an inside address.

The only way around this that I can think of is to use static NAT, where each inside address, port 20, is given a specific outside address, port 20, to translate to.

Oh- and to answer the question about the ACL:
permit tcp any eq ftp
permit tcp any eq ftp-data

First, in an inbound access list they would have to be
permit tcp any any eq ftp
permit tcp any eq ftp-data any

You have to specify the source and destination in an extended access list. As I said earlier, ftp-data is the data channel in active FTP (port 20), while ftp is the control channel (port 21). The server sets up a connection to the client's port 20. So an inbound access list has to allow port 20 in from the outside world.
> With active FTP, the server attempts to open a new session TO port 20 on the client. But the server thinks the client address is your outside address. and the router
> can't translate that back to an inside address.

Not quite.  The server tries to open a connection FROM its port 20 (ftp-data) TO an ephemeral port specified by the client.  So two things:

1. If your access-list allows "established", you don't need the "ftp-data" line.

2. The NAT device needs to be aware of FTP, so that when the client nominates an ephemeral port to use, the correct NAT translation is set up.  (The NAT device may need to modify this port number if PAT is being done -- which it almost always is.)

Most modern NAT devices are FTP-aware.  In IOS, there's a "fixup" command to enable the necessary extra processing; it's probably on by default in recent versions, but perhaps not in older versions.  You may need to enable it explicitly.
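As an added illustration (not code from this thread or from Cisco), here is a toy Python model of the mechanism described above: plain PAT leaves the PORT payload untouched, so the server's data connection from port 20 is aimed at the client's private address, whereas an FTP-aware NAT (the "fixup"/ALG behaviour) rewrites the payload and pre-creates the inbound translation. The addresses, ports and the NatRouter class are constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample addresses (not from the thread): an inside client and
# the router's single outside address used for PAT.
INSIDE_CLIENT = "192.168.1.20"
OUTSIDE_ADDR = "203.0.113.26"
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")

def parse_port(line: str) -> Tuple[str, int]:
    """Decode the FTP PORT argument h1,h2,h3,h4,p1,p2 into (ip, port)."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command")
    f = [int(x) for x in m.groups()]
    if any(x > 255 for x in f):
        raise ValueError("field out of range")
    return ".".join(map(str, f[:4])), f[4] * 256 + f[5]

def encode_port(ip: str, port: int) -> str:
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port // 256, port % 256)

class NatRouter:
    """Toy PAT box. Plain NAT rewrites only IP/TCP headers; with ftp_alg it
    also rewrites the PORT payload and pre-creates the inbound translation."""
    def __init__(self, outside: str, ftp_alg: bool):
        self.outside, self.ftp_alg, self.next_port = outside, ftp_alg, 40000
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}  # outside -> inside

    def forward_control(self, inside_ip: str, line: str) -> str:
        """Client->server control-channel line, as the server receives it."""
        if not (self.ftp_alg and line.startswith("PORT ")):
            return line                      # payload passes through untouched
        ip, port = parse_port(line)
        if ip != inside_ip:                  # only open a hole for the real sender
            raise ValueError("PORT address does not match control connection")
        self.table[(self.outside, self.next_port)] = (ip, port)
        rewritten = encode_port(self.outside, self.next_port)
        self.next_port += 1
        return rewritten

    def inbound_connect(self, dst: Tuple[str, int]) -> Optional[Tuple[str, int]]:
        """Server's data SYN (from port 20) to dst: inside endpoint, or None if no translation."""
        return self.table.get(dst)

def active_ftp_data_connection(ftp_alg: bool) -> Optional[Tuple[str, int]]:
    """Where does the server's active-mode data connection end up?"""
    router = NatRouter(OUTSIDE_ADDR, ftp_alg)
    line = encode_port(INSIDE_CLIENT, 51000)          # client nominates port 51000
    as_seen_by_server = router.forward_control(INSIDE_CLIENT, line)
    return router.inbound_connect(parse_port(as_seen_by_server))
```

Without the ALG the server is told to connect to 192.168.1.20:51000, a private address it cannot reach and for which the router holds no translation; with it, the server connects to 203.0.113.26:40000 and the router maps that back to the inside client.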

Passive FTP was created to deal with firewall issues client side since the source port from the server to the client is port 20 as stated at this site:


The only client I know of that doesn't support passive is the default ftp client in windows.  Other than that they all support passive options.

I know it can be a headache because some clients do not connect in all instances.  

Lastly, I do not believe there is an ftp fixup in IOS, only PIX.  A VPN solution then FTPing would be a more secure solution and would allow FTP to work properly.


PennGwyn is right, it's FROM port 20 on the server to the client. But it is a new session, not an established one regardless of the destination port being used, because it's from a new port. It still has to do the TCP handshake. So you DO need the ftp-data line. We had this issue recently when someone removed the ftp-data line from an internal access list we use here, and we are using IOS 12.2.

What you can do is to use the Firewall Feature Set version of IOS, which will support dynamically allowing inbound ports as needed. In this version, NAT should be able to figure out what's needed and automatically create the correct inbound translation.
Read this link from Cisco, as it explains what your problem is, and gives a solution as well.  


Also these links may help too as they give details on configuring NAT, and info on debugging it.


