SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX PASSIVE FTP

    Posted 02-09-2011 11:38

    I have a problem with an FTP server on my network.
    It is in the DMZ and must provide services to the Internet.
    The FTP server is running on IIS and is listening on port 2121.
    When I connect to the service from the Internet, I get the following error:

    C:\Documents and Settings\Administrator> ftp 200.72.
    Connected to 200.72.134.16.
    220 Microsoft FTP Service
    User (200.72.134.16:(none)): "windows"
    331 Password required for windows.
    Password:
    230 User logged in windows.
    ftp> dir
    200 PORT command successful.
    150 Opening ASCII mode data connection for /bin/ls.
    Aborting any active data connections ...
    425 Can not open data connection.

    The server's internal IP is 192.168.134.12.
    The server's public IP is 200.72.134.16, which is listening on port 21.

    The relevant configuration:


    <--->
    show security nat destination
    pool FTP {
        address 192.168.134.12/32 port 2121;
    }
    rule-set Nat_Untrust {
        from zone Untrust;
        rule FTP {
            match {
                destination-address 200.72.134.16/32;
                destination-port 21;
            }
            then {
                destination-nat pool FTP;
            }
        }
    }
    <--->

    show security nat proxy-arp
    interface reth2.0 {
        address {
            200.72.134.16/32;
        }
    }

    show security policies from-zone Untrust to-zone DMZ-1 policy 4
    match {
        source-address any;
        destination-address FTP_TEST;
        application [ FTP_2121 junos-ftp FTP ];
    }
    then {
        permit {
            destination-address {
                drop-untranslated;
            }
        }
        log {
            session-init;
            session-close;
        }
    }

    show applications application FTP
    protocol tcp;
    destination-port 20-21;

    show applications application FTP_2121
    protocol tcp;
    destination-port 2121-2121;

    thanks!



  • 2.  RE: SRX PASSIVE FTP
    Best Answer

    Posted 02-09-2011 12:08
    Try enabling the FTP ALG protocol for your custom app definition.


  • 3.  RE: SRX PASSIVE FTP

    Posted 02-09-2011 12:15

    How can I do that?



  • 4.  RE: SRX PASSIVE FTP

    Posted 02-09-2011 12:17

    I did it!!!! Thanks!!!!!



  • 5.  RE: SRX PASSIVE FTP

    Posted 02-09-2011 12:18

    I see a few problems here.

    1.  Your client is not requesting a passive connection.  It's trying to open a default active connection, which means your server is trying to connect back to the client on port 20.  You don't have a security policy or NAT rule to allow the outgoing connection from your server.

    2.  If you do want to use passive FTP, you need to make sure the FTP ALG is enabled.  You also need to adjust your destination NAT rule to allow ports other than 21 to get the destination NAT, because you're locking it down to port 21 and then the security policy says "drop-untranslated."

    3.  Your config excerpts have a lot of stuff that is... well...  backwards?  Did you copy/paste this, or type it all in from somewhere?  For example:

    "FTP rule" should be "rule FTP"
    "200.72.134.16/32 destination-address;" should be "destination-address 200.72.134.16/32;"
    "destination-pool nat FTP" should be "destination-nat pool FTP"
    ..., etc.  This is pretty confusing to look at.

     

    What model SRX and what version of Junos are you running?
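    Added example (not from any post in this thread): the original poster's configuration rewritten in set-command form with the fix from replies 2 and 5 applied, i.e. the FTP ALG bound to the custom port-2121 application via application-protocol ftp. Addresses, the reth2.0 interface, zone names and object names (pool FTP, rule-set Nat_Untrust, application FTP_2121, policy 4) are taken from the original post. The address-book entry FTP_TEST is assumed to hold the server's real address 192.168.134.12/32, which is what a policy using drop-untranslated has to match because policy lookup on the SRX happens after destination NAT. The Junos release is not stated in the thread, so check the address-book syntax against your own release. Lines starting with # are comments, not commands.

```junos
# Custom application: TCP/2121 inspected by the FTP ALG.
# After destination NAT the policy sees port 2121, not 21, so the ALG must be
# attached to this definition; junos-ftp (port 21) never matches this flow.
set applications application FTP_2121 protocol tcp
set applications application FTP_2121 destination-port 2121
set applications application FTP_2121 application-protocol ftp

# The FTP ALG is on by default. If "show security alg status" reports it
# disabled, remove the override:
#   delete security alg ftp disable

# Destination NAT: public 200.72.134.16:21 -> DMZ server 192.168.134.12:2121.
set security nat destination pool FTP address 192.168.134.12/32
set security nat destination pool FTP address port 2121
set security nat destination rule-set Nat_Untrust from zone Untrust
set security nat destination rule-set Nat_Untrust rule FTP match destination-address 200.72.134.16/32
set security nat destination rule-set Nat_Untrust rule FTP match destination-port 21
set security nat destination rule-set Nat_Untrust rule FTP then destination-nat pool FTP

# Proxy ARP so the SRX answers for the public address on the untrust interface.
set security nat proxy-arp interface reth2.0 address 200.72.134.16/32

# Address-book entry for the post-NAT (real) server address (assumed value).
set security zones security-zone DMZ-1 address-book address FTP_TEST 192.168.134.12/32

# Policy: matches the translated destination, so drop-untranslated is safe here.
# Only the ALG-enabled custom application is listed.
set security policies from-zone Untrust to-zone DMZ-1 policy 4 match source-address any
set security policies from-zone Untrust to-zone DMZ-1 policy 4 match destination-address FTP_TEST
set security policies from-zone Untrust to-zone DMZ-1 policy 4 match application FTP_2121
set security policies from-zone Untrust to-zone DMZ-1 policy 4 then permit destination-address drop-untranslated
set security policies from-zone Untrust to-zone DMZ-1 policy 4 then log session-init
set security policies from-zone Untrust to-zone DMZ-1 policy 4 then log session-close

# Passive mode: the server's 227 reply carries 192.168.134.12 and a data port;
# the ALG rewrites the address to 200.72.134.16 and opens a pinhole for the
# client's inbound data connection. Active mode (the client sends PORT, as in
# the transcript above): the server initiates the data connection toward the
# client; the ALG opens that pinhole from the control session. If active
# transfers still fail, confirm a DMZ-1 to Untrust session for the server is
# permitted and translated, as reply 5 points out.
```

    After committing, "show security alg status" should list FTP as enabled, "show security nat destination rule all" should show hits on rule FTP, "show security flow session destination-port 2121" should show the translated control session, and "show security flow gate" should show the pinhole the ALG opened for the data channel after a PASV or PORT exchange. If passive data sessions still appear in the log as dropped untranslated, reply 5's suggestion of widening the destination-port match in rule FTP is the next thing to try.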



  • 6.  RE: SRX PASSIVE FTP

    Posted 01-07-2015 23:19

    I don't understand. I can't allow clients from 192.168.1.0/24 to reach the Internet over FTP. Please help me!

    This is my configuration file.

     

    Juniper SRX 240B

    Attachment: juniper_20150108.txt (txt, 13 KB)