SRX

Hello!

   Of all the complex stuff we have accomplished with our srx240's (chassis cluster, routing-instances, site2site VPNs, OSPF, VLANs on reth interfaces etc....) I figured FTP would be trivial...

I've read through MANY of the posts relating to this issue, but still can't get it working!

The symptoms are: the initial connection is established (you can login, and change directories), but not list or transfer files.

rmckennon@rmckennon:~$ ftp ftp.xyz.com
Connected to www.xyz.com.
220 (vsFTPd 3.0.2)
Name (ftp.xyz.com:rmckennon): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
425 Failed to establish connection.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
425 Failed to establish connection.
ftp> get large.img
local: large.img remote: large.img
200 PORT command successful. Consider using PASV.
425 Failed to establish connection.
ftp> quit

Of course it works fine if I don't go through the srx.

Here's sections from my config:

SRX240

version 12.1X46-D15.3 

security nat destination:

pool FTP {
 routing-instance {
  PRIVATE;
 }
 address 10.120.30.21/32 port 21;
}

rule FTP {
 match {
  destination-address xx.yy.zz.38/32;
  destination-port 21;
  protocol tcp;
 }
 then {
  destination-nat {
   pool {
    FTP;
    }
   }
  }
 }

global address book:

address FTP 10.120.30.21/32;

from zone untrust to zone trust:

policy FTP {
 match {
  source-address any;
  destination-address FTP;
  application junos-ftp;
 }
then {
 permit;
 }
}

rmckennon@peak10-juniper> show security alg status
ALG Status :
FTP : Enabled

What am I missing???

Rob McKennon

what do mean by "multi ops"?

Rob.

I would take the port 21 part out of your nat, my guess is the rest of your ftp traffic that works on other ports is not being Nat'd 

Yes, we are using multiple IP address on the public side, and the one of the public addresses I'm using for ftp is also used for port 80 to a different webserver.

We have a free IP address available, so I'll try that when we get our test envirornment back up.

disabling the ftp alg definitely makes things worse!

You should also nat port 20, but really I would make sure your port 80 nat rule is above the ftp nat rule and leave the port out on the ftp rule/pool altogether

Well, I removed the port 21 from the dnat pool and rule, commited, and still have the issue.

And I'm using a new public IP address that is not sharing with any other services (like port 80).

Think I'm gonna have to call jtac on this one.

This solution actually worked!  I was part of the problem... I wasn't testing it correctly!  I set it up on our test lab, but was testing it through hairpinning, not via an actual outside IP address.

Thanks KJMurphy!