SRX Services Gateway

FTP behind the NAT

04-24-2012 01:57 AM

Hi.

I have an SRX210HE and an internal FTP server, and I need to access this FTP server from the public network. I saw a lot of material on this topic and don't understand what I did wrong.


blabla@blablabla# show security nat destination

pool NAS {
    address 192.168.0.xxx/32 port 21;
}
pool NAS-20 {
    address 192.168.0.xxx/32 port 20;
}
rule-set NAS {
    from zone untrust;
    rule NAS-21 {
        match {
            destination-address xxx.xxx.xxx.98/32;
            destination-port 21;
        }
        then {
            destination-nat pool NAS;
        }
    }
    rule NAS-20 {
        match {
            destination-address xxx.xxx.xxx.98/32;
            destination-port 20;
        }
        then {
            destination-nat pool NAS-20;
        }
    }
}
blabla@blablabla# show security policies

from-zone trust to-zone untrust {
    policy trust-to-untrust {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone untrust to-zone trust {
    policy Phone-VPN {
        match {
            source-address any;
            destination-address 192.168.0.0/16;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn Avaya-Phones-VPN;
                }
            }
        }
    }
    policy dyn-vpn-policy {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn dyn-vpn;
                }
            }
        }
    }
    policy NAS {
        match {
            source-address any;
            destination-address NAS;
            application junos-ftp;
        }
        then {
            permit;
        }
    }
}
blabla@blablabla# show security alg
ftp disable ftps-extension;
h323 disable;
mgcp disable;
sccp disable;
sip disable;


Can it be that the policies are interfering with each other? Any help would be very much appreciated.

Solution accepted by topic author CyMac6boD, 08-26-2015 01:27 AM

Re: FTP behind the NAT

04-24-2012 03:13 AM

Hi there,

Can you move this policy to the top?


    policy NAS {
        match {
            source-address any;
            destination-address NAS;
            application junos-ftp;
        }
        then {
            permit;
        }
    }
}


user@srx# edit security policies from-zone untrust to-zone trust
user@srx# insert policy NAS before policy Phone-VPN

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
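Why the policy order matters, as an added illustration that is not part of the original thread or of Junos itself: SRX evaluates security policies top to bottom and takes the first match, and the lookup happens on the post-destination-NAT address. In the original order the FTP session (already translated to the NAS host in 192.168.0.0/16) hits Phone-VPN first and is pushed into the IPsec tunnel instead of being permitted plainly. The model below replays that with the policies shown in the thread; the NAS host address 192.168.0.50 is a constructed stand-in for the masked 192.168.0.xxx.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for the masked 192.168.0.xxx in the thread.
NAS_HOST = "192.168.0.50"


@dataclass
class Policy:
    name: str
    dst: str     # "any" or an IPv4 prefix
    app: str     # "any" or a Junos application name such as "junos-ftp"
    action: str  # what the policy does when it matches


def matches(policy: Policy, dst_ip: str, app: str) -> bool:
    """Return True if the (post-DNAT) destination and application match the policy."""
    if policy.dst != "any":
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(policy.dst):
            return False
    return policy.app in ("any", app)


def lookup(policies: List[Policy], dst_ip: str, app: str) -> Optional[Policy]:
    """First-match policy lookup: the first policy that matches wins; later ones are never consulted."""
    for policy in policies:
        if matches(policy, dst_ip, app):
            return policy
    return None  # no match: the SRX default is to deny


# Untrust-to-trust policies in the order the topic author posted them.
ORIGINAL_ORDER = [
    Policy("Phone-VPN", "192.168.0.0/16", "any", "permit tunnel Avaya-Phones-VPN"),
    Policy("dyn-vpn-policy", "any", "any", "permit tunnel dyn-vpn"),
    Policy("NAS", f"{NAS_HOST}/32", "junos-ftp", "permit"),
]


def insert_before(policies: List[Policy], move: str, before: str) -> List[Policy]:
    """Model of 'insert policy <move> before policy <before>' in the Junos CLI."""
    moving = next(p for p in policies if p.name == move)
    rest = [p for p in policies if p.name != move]
    idx = next(i for i, p in enumerate(rest) if p.name == before)
    return rest[:idx] + [moving] + rest[idx:]


FIXED_ORDER = insert_before(ORIGINAL_ORDER, move="NAS", before="Phone-VPN")


if __name__ == "__main__":
    for label, order in (("original", ORIGINAL_ORDER), ("after insert", FIXED_ORDER)):
        hit = lookup(order, NAS_HOST, "junos-ftp")
        print(f"{label:13}: FTP to {NAS_HOST} matches {hit.name} -> {hit.action}")
```

Run as written, the original order resolves FTP to the NAS host against Phone-VPN (tunnelled), and the reordered list resolves it against NAS (plain permit), which is the effect of the `insert` command in the reply.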

Re: FTP behind the NAT

04-24-2012 11:50 PM

Thanks for the advice. It works, but incorrectly. The FTP server works in passive mode, and the first phase, which goes through port 21, works, but then the connection goes through a random port selected by the FTP server. This step does not work. Any ideas?
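The reason the passive data channel fails behind destination NAT, as an added example that is not from the thread and is not Juniper's ALG code: the server's `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply carries its own private address and a freshly chosen port inside the FTP payload, which a plain NAT rule never touches. A stateful FTP ALG has to parse that reply, rewrite the address to the public one, and open a transient pinhole for the announced port. The code below models those steps; 192.168.0.50 and 203.0.113.98 are constructed stand-ins for the masked 192.168.0.xxx and xxx.xxx.xxx.98.

```python
import re
from typing import Optional, Set, Tuple

# Constructed addresses standing in for the masked values in the thread.
SERVER_PRIVATE_IP = "192.168.0.50"
SERVER_PUBLIC_IP = "203.0.113.98"

# RFC 959 passive reply: 227 <text> (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(line: str) -> Tuple[str, int]:
    """Extract (ip, port) from a 227 reply; port is p1*256 + p2."""
    m = PASV_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a 227 passive-mode reply: {line!r}")
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"octet out of range in {line!r}")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def format_pasv(ip: str, port: int) -> str:
    """Build the 227 reply a client will parse for its data connection."""
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    octets = ",".join(ip.split("."))
    return f"227 Entering Passive Mode ({octets},{port // 256},{port % 256})."


def alg_rewrite(
    line: str, private_ip: str, public_ip: str, pinholes: Set[Tuple[str, int]]
) -> Tuple[str, Optional[Tuple[str, int]]]:
    """Model of what an FTP ALG does on the control channel.

    If the 227 reply announces the translated server's private address, rewrite
    it to the public address and record a pinhole for the announced port so the
    client's inbound data connection is permitted and translated. Any other
    reply is passed through unchanged.
    """
    ip, port = parse_pasv(line)
    if ip != private_ip:
        return line, None
    pinhole = (public_ip, port)
    pinholes.add(pinhole)
    return format_pasv(public_ip, port), pinhole


# Constructed server reply as the internal server would send it.
SAMPLE_REPLY = "227 Entering Passive Mode (192,168,0,50,195,80)."


def demo() -> Tuple[str, Set[Tuple[str, int]]]:
    """Without the ALG the client is told to connect to a private address on a
    port no NAT rule or policy covers; with it, both are fixed up."""
    pinholes: Set[Tuple[str, int]] = set()
    rewritten, _ = alg_rewrite(SAMPLE_REPLY, SERVER_PRIVATE_IP, SERVER_PUBLIC_IP, pinholes)
    return rewritten, pinholes


if __name__ == "__main__":
    print("server said :", SAMPLE_REPLY, "->", parse_pasv(SAMPLE_REPLY))
    rewritten, holes = demo()
    print("client sees :", rewritten)
    print("pinholes    :", sorted(holes))
```

The static destination-NAT pools in the thread only cover ports 21 and 20, so without the ALG the data port (50000 in this sample) is neither translated nor permitted, which is exactly the symptom described: the control channel works and the data transfer does not.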


Re: FTP behind the NAT

04-25-2012 12:00 AM

I'll try to use the FTP ALG and ftp-extension and see what happens.


Re: FTP behind the NAT

04-25-2012 01:31 AM

Enable the FTP ALG and check. Your config looks good now.

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]

Re: FTP behind the NAT

04-26-2012 05:41 AM

It works with the ALG enabled. Thanks a lot. That's all for now.