SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  PASV FTP behind SRX NAT

    Posted 06-08-2012 09:05

    I have what I thought was a simple setup.

    SRX with static NAT

    security nat static rule-set Public-BIMAP

        from zone untrust;
        rule FTP-BIMAP-1 {
            match {
                destination-address Outside-IP;
            }
            then {
                static-nat {
                    prefix {
                        Inside-IP;
                    }
                }
            }
        }

    security policies from-zone untrust to-zone trust

        policy FTP {
            match {
                source-address any;
                destination-address Inside-IP;
                application junos-ftp;
            }
            then {
                permit;
            }
        }

    security policies from-zone trust to-zone untrust

        policy open {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }

    The setup works great with standard FTP. The ALG seems to be failing to catch and parse PASV requests, however; any attempt to do a PASV transfer times out. Any suggestions on how to coax this into cooperating without manually blowing open a bunch of ports by hand? I couldn't find a good KB article on this, so I'm a bit stumped.



  • 2.  RE: PASV FTP behind SRX NAT

    Posted 06-08-2012 11:53

    I've been able to nail down one detail. FTP clients that use PASV fail; those that use EPSV work just fine. The FTP server's response to those commands is different, so my only guess is that it's something in how the FTP ALG interprets the responses that's causing me woes.



  • 3.  RE: PASV FTP behind SRX NAT
    Best Answer

    Posted 06-08-2012 13:04

    Finally got it working with PASV requests.

    I'm using vsftpd, and had pasv_ip set to the public IP of the server, which is what I'd anticipate doing in a typical NAT scenario, and this worked behind FreeBSD 4.10 NAT. By removing that statement, vsftpd defaulted to replying to PASV commands with the server's internal IP. I'm assuming the SRX FTP ALG then manipulated that response after parsing, as it works cleanly now.
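As an added illustration (not code from the thread, from vsftpd or from Juniper), a Python model of why the two replies behave differently behind a static-NAT FTP ALG: a 227 PASV reply embeds an address the ALG must recognise and rewrite, while a 229 EPSV reply carries only a port. The inside/outside addresses are constructed placeholders for the thread's Inside-IP and Outside-IP, and "the ALG translates only an address matching its NAT binding" is an assumption of the model, chosen because it reproduces the symptom the thread describes.

```python
import re

# Constructed addresses standing in for the thread's Inside-IP / Outside-IP
# placeholders (RFC 5737 documentation ranges, not real hosts).
INSIDE_IP = "192.0.2.10"
OUTSIDE_IP = "203.0.113.10"

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")

def parse_pasv(line):
    """Return (ip, port) from a 227 PASV reply, or None if it is not one."""
    m = PASV_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def parse_epsv(line):
    """Return the data port from a 229 EPSV reply (no address in it), or None."""
    m = EPSV_RE.match(line)
    return int(m.group(1)) if m else None

def alg_rewrite(line, inside=INSIDE_IP, outside=OUTSIDE_IP):
    """Model of a static-NAT FTP ALG handling one server-to-client control line.

    Returns (line as forwarded, (ip, port) the client will open its data
    connection to). Assumed behaviour, not Junos code: the ALG translates
    only an address that matches its own NAT binding.
    """
    pasv = parse_pasv(line)
    if pasv is not None:
        ip, port = pasv
        if ip == inside:
            # Address belongs to the translated host: rewrite it to the outside
            # address (a real ALG also opens a pinhole for this port).
            h = outside.replace(".", ",")
            fwd = f"227 Entering Passive Mode ({h},{port // 256},{port % 256}).\r\n"
            return fwd, (outside, port)
        # Any other address (e.g. vsftpd with pasv_ip already set to the public
        # IP) matches no binding, so the reply passes through untranslated.
        return line, (ip, port)
    port = parse_epsv(line)
    if port is not None:
        # EPSV carries only a port; the client reuses the control connection's
        # address, so nothing needs rewriting (why EPSV worked in the thread).
        return line, (outside, port)
    return line, None
```

Feeding the model a PASV reply that already names the public address shows the untranslated pass-through that matches the time-out in the first post; the same reply with the internal address is rewritten.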