I am trying to get ftps working in active mode on my network and I cant seem to find any information on how to do port forwarding, or how to give my inside clients (natted) access to and external ftps server in active mode. The only info I can find is how to do a static nat, but I would rather not if I dont have to. I apologize if I have posted this in the wrong place.
- 1 person found this helpful
Thanks for the reply, however the ftp server is not part of my network it is on the internet and the client are natted behind the fwsm, passive mode works to other ftp servers but I cannot get active mode to work.
- 1 person found this helpful
You won't be able to get FTPS working in active mode without opening and/or static natting as the inspect ftp engine can't read the PORT commands (ssl encrypted) and thus can't open the temporary states for the data connection...
Do you know of an easy way to do this for my whole network with approx. 20-30 different vlan subnets, do I just need an access-list, could you maybe post an example config for me.
- 1 person found this helpful
You're pretty much stuck with the same problem as active FTP was before the ftp fixup / inspect was availible...
If you NAT your networks (to a single address) to go out on the internet, you can only do a static to one host, thus only one pc will be able to do active ftp(s)...
You best chance is to convince whoever hosts the remote FTPS server to allow/configure passive FTPS and for you to open all high-order ports (1024-65535) towards their FTPS server.
This shifts the burden of opening ports on their end (which is usually more acceptable/managable on the server's side).
Thanks to all who answered, I kinda thought this but because no one ever trusts their own network guy, I thought I would pose the question here, thanks again..
Thanks for the active conversation! Great to see folks helping each other. Am moving to another part of the community so more can see and benefit.
Laura Douglas
Collaboration Community Manager
hi randy, the only way you can do this, without giving your FTP server a public IP, is to setup NAT. If you dont want to waste an entire public IP, you can do PAT (port address translation) and just forward ftp and ftp-data ports into the internal address of the server. You will also need to add those ports the access-list applied on the outside interface to allow the traffic into the "lobby" so to speak, before its forwarded.
Hope this helps,
JG