I have what I thought was a simple setup.
SRX with static NAT
security nat static ruleset Public-BIMAP
    from zone untrust;
    rule FTP-BIMAP-1 {
        match {
            destination-address Outside-IP;
        }
        then {
            static-nat {
                prefix {
                    Inside-IP;
                }
            }
        }
    }

security policies from-zone untrust to-zone trust
    policy FTP {
        match {
            source-address any;
            destination-address Inside-IP;
            application junos-ftp;
        }
        then {
            permit;
        }
    }

security policies from-zone trust to-zone untrust
    policy open {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
The setup works great with standard FTP. The ALG seems to be failing to catch and parse PASV requests, however; any attempt to do a PASV transfer times out. Any suggestions on how to coax this into cooperating without manually blowing open a bunch of ports by hand? I couldn't find a good KB article on this, so I'm a bit stumped.
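
What "catching and parsing PASV" involves for a server behind the static NAT above, as an added example that is not part of the original post and is not Junos code: a minimal model of an FTP ALG reading the server's 227 reply, rewriting the inside address to the outside one, and deriving the single data-port pinhole. The function names are hypothetical, and 10.0.0.10 / 203.0.113.10 are constructed stand-ins for Inside-IP / Outside-IP.

```python
import re

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(line):
    """Return (ip, port) from a 227 reply, or None if the line is not one."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed octet or port byte: leave the line alone
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def alg_rewrite(line, static_nat):
    """Model the ALG on a server-to-client control-channel line.

    static_nat maps inside IP -> outside IP (the static NAT rule).
    Returns (line_to_forward, pinhole); pinhole is
    (outside_ip, inside_ip, port) for the expected data connection,
    or None when the line is not a valid 227 reply.
    The forwarded line is returned without its trailing CRLF.
    """
    parsed = parse_pasv(line)
    if parsed is None:
        return line, None
    inside_ip, port = parsed
    # Without a NAT mapping the address is advertised unchanged.
    outside_ip = static_nat.get(inside_ip, inside_ip)
    rewritten = "227 Entering Passive Mode (%s,%d,%d)" % (
        outside_ip.replace(".", ","), port >> 8, port & 0xFF)
    return rewritten, (outside_ip, inside_ip, port)


if __name__ == "__main__":
    nat = {"10.0.0.10": "203.0.113.10"}  # constructed addresses
    reply = "227 Entering Passive Mode (10,0,0,10,195,80)\r\n"  # constructed
    print(alg_rewrite(reply, nat))
```

If the client receives the 227 reply with the inside address still in it, or no pinhole exists for the advertised port, the data connection has nowhere to go and the transfer times out, which is the symptom described in the post.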