Active FTP support in IOS NAT

While configuring a Cisco router for active FTP support, I have quite accidentally come across a certain “feature, not a bug” :D

Considering the following network layout:

FTP client ------- Ethernet0 [Cisco router] Ethernet1------- FTP server

all you need to support active FTP is to add the following entry to the ACL applied inbound on the Ethernet1 interface:

permit tcp any eq 20 host A.B.C.D

where A.B.C.D is the IP address of the Ethernet1 interface. Specifically, I was wondering how IOS knows to which internal IP address and port to redirect a new connection sourced from the FTP server located on the Internet. The only place where I found a clear answer was an article at (in case anyone needs it, you will also find a short write-up of how active FTP works there). Apparently, the NAT mechanism in IOS itself inspects the messages exchanged by the FTP client and server and, on that basis, knows where to redirect each connection. This happens opaquely: I haven’t found a way to debug any problems with such translations (just in case, of course, as the feature works correctly).

I guess one may just call this feature “Cisco IOS NAT support for FTP” (I haven’t found an official name; the phenomenon isn’t limited to FTP, but also holds true for other protocols which carry IP address information above layer 3).
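To make the mechanism concrete, here is an added example (not from the post or from Cisco) that models what such a NAT has to do for active FTP: it watches the client's PORT command on the control channel, rewrites the embedded inside address and port to the router's outside address and an allocated port, and remembers that mapping so the server's data connection from port 20 can be redirected to the right inside host. The outside address, the port allocation scheme and the message formats are simplifying assumptions, not IOS behaviour taken from the page.

```python
import re
from dataclasses import dataclass

# PORT h1,h2,h3,h4,p1,p2 : address and port are sent as six decimal octets (RFC 959)
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$")


class FtpAlg:
    """Simplified model of a NAT's FTP inspection (assumption: not actual IOS code)."""

    def __init__(self, outside_ip, first_port=1024):
        self.outside_ip = outside_ip          # address of the outside interface (A.B.C.D)
        self.next_port = first_port           # naive sequential port allocation (assumption)
        self.table = {}                       # (outside_ip, outside_port) -> (inside_ip, inside_port)

    def parse_port(self, line):
        """Return (inside_ip, inside_port) from a PORT command, or None if it is not one."""
        m = PORT_RE.match(line)
        if not m:
            return None
        h = [int(x) for x in m.groups()]
        if any(x > 255 for x in h):           # malformed octet: leave the line alone
            return None
        return f"{h[0]}.{h[1]}.{h[2]}.{h[3]}", h[4] * 256 + h[5]

    def rewrite_port(self, line):
        """Rewrite an outbound PORT command and record the expected inbound data connection."""
        parsed = self.parse_port(line)
        if parsed is None:
            return line                       # non-PORT lines pass through unchanged
        inside_ip, inside_port = parsed
        outside_port = self.next_port
        self.next_port += 1
        self.table[(self.outside_ip, outside_port)] = (inside_ip, inside_port)
        o = self.outside_ip.split(".")
        return f"PORT {o[0]},{o[1]},{o[2]},{o[3]},{outside_port // 256},{outside_port % 256}\r\n"

    def redirect(self, src_ip, src_port, dst_ip, dst_port):
        """Where the inbound data connection goes; None if it is not an expected FTP data flow."""
        if src_port != 20:                    # mirrors the ACL: only source port 20 is allowed in
            return None
        return self.table.get((dst_ip, dst_port))


if __name__ == "__main__":
    alg = FtpAlg("198.51.100.1")              # constructed documentation-range addresses
    print(alg.rewrite_port("PORT 10,0,0,5,4,1\r\n"))
    print(alg.redirect("203.0.113.7", 20, "198.51.100.1", 1024))
```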
