Changing TCP Ports for FTP

Problem

You have an FTP server that uses a nonstandard TCP port number.

Solution

The FTP protocol includes IP address information in the packet payload. Normally, Cisco's NAT implementation rewrites IP address information in the payloads of FTP packets by looking in every packet sent on TCP port 21, which is the port that FTP uses to pass session control information by default. So when an FTP server uses a nonstandard TCP port number for session control, you have to configure the NAT router to expect FTP packets on this new port number:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 19 permit 192.168.55.5
Router(config)#ip nat service list 19 ftp tcp port 8021
Router(config)#ip nat service list 19 ftp tcp port 21
Router(config)#end
Router#

Discussion

As we mentioned in the Introduction to this chapter, the common FTP protocol includes IP address information in the packet payload. Cisco routers expect this and rewrite the information appropriately. But some FTP servers use a nonstandard TCP port number for session control; NAT then does not recognize the traffic as FTP, leaves the payload addresses untranslated, and breaks the protocol. So in IOS Version 11.3, Cisco introduced the ability to look for FTP payload information on alternate TCP port numbers.

The example configures the router to expect FTP packets for the server 192.168.55.5 on both the default port number 21 and the nonstandard port number 8021. You can easily configure similar commands for other servers as well, or expand the access-list to include several servers that all use the same nonstandard FTP port number.

In IOS Version 12.2(4)T, Cisco introduced the no-payload keyword, which prevents NAT from modifying any addresses in the packet payload:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 172.16.1.5 255.255.255.252
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#interface FastEthernet0/1
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#ip nat inside source static 192.168.1.10 172.16.1.5 no-payload
Router(config)#end
Router#

Here we have used the no-payload option to configure a static NAT entry. Any translations that use this rule will have the addresses in the IP header translated normally. But any IP addresses in the packet payload will remain untouched.

This option is useful in cases where translating the addresses inside the packet payload interferes with the functioning of the application.
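To make the two mechanisms in this recipe concrete (inspecting FTP control traffic only on the configured port list, and the no-payload keyword that switches payload rewriting off), here is an added illustration in Python of what a NAT FTP application-layer gateway has to do. It is not Cisco's implementation and not part of the original recipe: the PORT command and the 227 reply to PASV are the two places FTP embeds an address, and the addresses and ports (192.168.55.5, 172.16.1.5, 21, 8021) are reused from the recipe's own examples; the config excerpt and the control lines are constructed sample input.

```python
import re
from dataclasses import dataclass

# Constructed illustration of NAT payload rewriting for FTP. FTP carries IP
# addresses inside the control channel (the PORT command and the 227 reply
# to PASV), so translating only the IP header leaves a stale inside address
# in the payload. This is an educational model, not Cisco's implementation.

# PORT h1,h2,h3,h4,p1,p2 : client tells the server where to open the data connection
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2) : server tells the client where to connect
PASV_RE = re.compile(rb"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def decode_hostport(groups):
    """Turn the six comma-separated decimal fields into (ip, port)."""
    ip = ".".join(g.decode() for g in groups[:4])
    port = (int(groups[4]) << 8) | int(groups[5])
    return ip, port


def encode_hostport(ip, port):
    """Inverse of decode_hostport: bytes in FTP's h1,h2,h3,h4,p1,p2 form."""
    fields = ip.split(".") + [str(port >> 8), str(port & 0xFF)]
    return ",".join(fields).encode()


def ftp_ports_from_config(config_lines):
    """Collect the ports named in 'ip nat service list <n> ftp tcp port <p>' lines."""
    ports = set()
    for line in config_lines:
        m = re.match(r"^ip nat service list \d+ ftp tcp port (\d+)$", line.strip())
        if m:
            ports.add(int(m.group(1)))
    return ports


@dataclass
class StaticNatRule:
    inside_local: str          # address on the inside network, e.g. 192.168.55.5
    inside_global: str         # address seen on the outside, e.g. 172.16.1.5
    no_payload: bool = False   # the recipe's 'no-payload' keyword: header only


@dataclass
class FtpAlg:
    ftp_ports: set             # TCP ports on which control traffic is inspected as FTP
    rule: StaticNatRule

    def translate_control_line(self, control_port, line):
        """Rewrite the inside-local address embedded in one FTP control line.

        control_port is the server-side TCP port of the control connection.
        If it is not in the configured list, or the rule says no-payload, the
        line passes through untouched; an unconfigured port is exactly what
        breaks FTP through NAT when a server listens somewhere other than 21.
        """
        if control_port not in self.ftp_ports or self.rule.no_payload:
            return line
        for pattern in (PORT_RE, PASV_RE):
            m = pattern.match(line)
            if not m:
                continue
            ip, port = decode_hostport(m.groups())
            if ip != self.rule.inside_local:
                return line           # some other host; nothing to translate
            replacement = encode_hostport(self.rule.inside_global, port)
            return line[:m.start(1)] + replacement + line[m.end(6):]
        return line


# Constructed excerpt mirroring the recipe's Solution section
RECIPE_CONFIG = [
    "access-list 19 permit 192.168.55.5",
    "ip nat service list 19 ftp tcp port 8021",
    "ip nat service list 19 ftp tcp port 21",
]


def run_demo():
    """Show the same 227 reply under the three cases the recipe discusses."""
    rule = StaticNatRule("192.168.55.5", "172.16.1.5")
    alg = FtpAlg(ftp_ports_from_config(RECIPE_CONFIG), rule)
    no_payload_alg = FtpAlg(alg.ftp_ports, StaticNatRule("192.168.55.5", "172.16.1.5", no_payload=True))
    pasv_reply = b"227 Entering Passive Mode (192,168,55,5,4,1).\r\n"   # constructed
    return {
        "8021": alg.translate_control_line(8021, pasv_reply),           # configured: rewritten
        "2121": alg.translate_control_line(2121, pasv_reply),           # not configured: stale
        "no_payload": no_payload_alg.translate_control_line(21, pasv_reply),  # untouched by design
    }


if __name__ == "__main__":
    for case, line in run_demo().items():
        print(case, line)
```

Running the demo shows the 227 reply rewritten to 172,16,1,5 on port 8021, left at 192,168,55,5 on the unconfigured port 2121 (the outside client would then try to open a data connection to a private address), and left unchanged under no-payload even on port 21.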
