SRX 220 PASV FTP NAT, FTP ALG: PASV not possible

I can't get a PASV connection to work from the public IP to the internal IP.
This is the Junos code I have:
set security nat destination pool FTP21 address 10.10.2.15/32 port 21
set security nat destination rule-set 1 rule FTP match destination-address <public IP>
set security nat destination rule-set 1 rule FTP match destination-port 21
set security nat destination rule-set 1 rule FTP then destination-nat pool FTP21
set security policies from-zone untrust to-zone trust policy FTP21 match source-address any
set security policies from-zone untrust to-zone trust policy FTP21 match destination-address SERVER
set security policies from-zone untrust to-zone trust policy FTP21 match application junos-ftp
set security policies from-zone untrust to-zone trust policy FTP21 then permit
(SERVER is the trust address 10.10.2.15; junos-ftp is port 21.)

FTP ALG is enabled

What am I doing wrong for PASV FTP to work?
The message in the log from the client is:

Asked by Richard Frank, Systems Administrator

arnold commented:
PASV is triggered by the client, at which point the server binds to a random port and listens for the incoming connection.
Your configuration is missing the DATA port connection.

You need to configure your FTP server with a set range of ports, let's say 49000-49500.
You would then need to forward the range of ports 49000-49100 to your FTP server.

applications {
    application PASV_FTP {
        protocol tcp;
        destination-port 49000-49100;
    }
}
set security nat destination pool PASV_FTP address 10.10.2.15/32 port any
Richard Frank, Systems Administrator (author), commented:
Thanks.

I added the application,

but this goes wrong:
set security nat destination pool PASV_FTP address 10.10.2.15/32 port any
                                                                                                                              ^
Invalid numeric value: 'any' at 'any'



I can only use a number as the port, and only one port, not even a range.

Richard Frank, Systems Administrator (author), commented:
At this link https://forums.juniper.net/t5/SRX-Services-Gateway/Destination-nat-inbound-FTP-in-Passive-mode/td-p/211725
I read that the FTP port, policy, pool etc. and the FTP ALG should be all there is to it, but it just doesn't work.

I read somewhere else that I have to create a pool for every single port :S

arnold commented:
The application defines the range; your DNAT will then allow the range to be forwarded to the IP of the FTP server.

You have the listening portion on your PUBLIC IP for the ports to be used as the DATA port for PASV connections.
Then you have the rule to allow the traffic from any source to these data ports.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB23611


You have the port 21 connection; the user authenticates and then issues PASV.
The response needs to be used to compute the port to which the client has to connect for the DATA port.

Richard Frank, Systems Administrator (author), commented:
Hello Arnold, thanks for your responses. It sounds so simple :) but still no success.
I'll delete the rules I have now for FTP and start over with your suggestions.
arnold commented:
What FTP server are you using?
Richard Frank, Systems Administrator (author), commented:
FileZilla, but I'll try the links.

Multiple WAN? No, fiber with a /29 subnet.
Richard Frank, Systems Administrator (author), commented:
Thanks Arnold.
With your help I knew for certain the SRX config was good.
As you said: the application defines the range.