While configuring a Cisco router for active FTP support, I quite accidentally came across a certain “feature, not a bug” :D
Considering the following network layout:
all you need to support active FTP is to add the following entry to the ACL applied inbound on the Ethernet1 interface:
permit tcp any eq 20 host A.B.C.D
A.B.C.D is the IP address of the Ethernet1 interface. Specifically, I was wondering how IOS knows to which internal IP address and port it should redirect a new connection initiated by the FTP server out on the Internet. The only place where I found a clear answer was an article at ciscopress.com (in case anyone needs it, you will also find a short write-up there on how active FTP works). Apparently, the NAT mechanism in IOS itself inspects the messages exchanged by the FTP client and server and, on that basis, knows where to redirect each connection. It happens opaquely, i.e. I haven’t found a way to debug any problems with such translations (just in case, of course, as the feature works correctly).
I guess one may just call this feature “Cisco IOS NAT support for FTP” (I haven’t found an official name; the phenomenon isn’t limited to FTP, but also holds for other protocols that carry IP address information in any layer above 3).
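To make the mechanism concrete, here is an added example (written for this post, not Cisco's code and not taken from the ciscopress article) that models what an FTP-aware NAT has to do on the control channel: parse the client's PORT command, rewrite the embedded private address and port to the router's outside address and a freshly allocated port, remember that mapping, and later use it to steer the server's inbound data connection (from TCP port 20, which is exactly what the ACL entry above permits) back to the inside host. The addresses 192.168.1.10 and 203.0.113.1 and the starting port 1024 are constructed sample values; real IOS port allocation and table handling are not published on this page and are assumed here.

```python
import re
from dataclasses import dataclass

# Active-mode PORT command: "PORT h1,h2,h3,h4,p1,p2\r\n", port = p1*256 + p2.
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


@dataclass(frozen=True)
class Translation:
    outside_addr: str
    outside_port: int
    inside_addr: str
    inside_port: int


def parse_port(line: bytes):
    """Return (addr, port) from a PORT command, or None if the line is not a
    well-formed PORT command (any octet or port byte above 255 is rejected)."""
    m = PORT_RE.match(line)
    if not m:
        return None
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    if max(a, b, c, d, p1, p2) > 255:
        return None
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def format_port(addr: str, port: int) -> bytes:
    """Build the PORT command the server will see after translation."""
    return f"PORT {addr.replace('.', ',')},{port // 256},{port % 256}\r\n".encode()


class FtpAlg:
    """Model of the FTP-aware part of a NAT (an assumed simplification of what
    IOS does; the real implementation is not documented on this page)."""

    def __init__(self, outside_addr: str, first_port: int = 1024):
        self.outside_addr = outside_addr
        self.next_port = first_port            # constructed allocation policy
        self.table: dict[tuple[str, int], Translation] = {}

    def rewrite_port(self, line: bytes):
        """Rewrite a client->server PORT command and record the translation.
        Returns (new_line, length_delta). A non-zero delta means the NAT must
        also adjust TCP sequence/acknowledgement numbers on the control
        connection, because the payload length changed."""
        parsed = parse_port(line)
        if parsed is None:
            return line, 0                      # not a PORT command: pass through
        inside_addr, inside_port = parsed
        outside_port = self.next_port
        self.next_port += 1
        self.table[(self.outside_addr, outside_port)] = Translation(
            self.outside_addr, outside_port, inside_addr, inside_port)
        new_line = format_port(self.outside_addr, outside_port)
        return new_line, len(new_line) - len(line)

    def lookup(self, src_port: int, dst_addr: str, dst_port: int):
        """Given the first packet of an inbound data connection (server ->
        router outside address), return where it should be forwarded, or None.
        Only connections sourced from port 20 are eligible, mirroring the
        'permit tcp any eq 20 host A.B.C.D' ACL entry."""
        if src_port != 20:
            return None
        return self.table.get((dst_addr, dst_port))


if __name__ == "__main__":
    alg = FtpAlg("203.0.113.1")
    new_line, delta = alg.rewrite_port(b"PORT 192,168,1,10,4,1\r\n")
    print(new_line, delta)                      # rewritten command, length change
    print(alg.lookup(20, "203.0.113.1", 1024))  # inside host for the data connection
```

The same rewrite-and-remember pattern is what any "payload-aware" NAT needs for protocols that carry addresses above layer 3, and the length delta is why such fixups can quietly break when the control channel is encrypted or passes through a second NAT.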