Cisco CSS 11000 Series Content Services Switches

Understanding and Configuring FTP on the CSS 11000

Document ID: 12580

Updated: Dec 27, 2007

Introduction

This document outlines the difference between the two File Transfer Protocol (FTP) modes, PORT and PASV, and how they apply to Virtual Internet Protocol (VIP) source groups on the Cisco Content Services Switch (CSS) 11000. The FTP client that wishes to connect to the FTP server initiates the FTP control connection. The control connection is used to issue commands to the FTP server and to receive simple responses; the actual file transfer takes place over a separate data connection. Either the FTP client or the FTP server may initiate the data connection; these two modes of FTP are referred to as PORT (active) mode and PASV (passive) mode. The FTP client decides which mode to use.

Before You Begin

Conventions

For more information on document conventions, see the Cisco Technical Tips Conventions.

Prerequisites

There are no specific prerequisites for this document.

Components Used

The information in this document is based on the Cisco CSS 11000.

Understanding FTP on the CSS 11000

Port Mode FTP

  1. The client issues the retrieval request.

  2. The client sets up the listening port.

  3. The client issues a PORT command to the FTP server. This command informs the server which port the client is listening on for the data connection.

  4. The server establishes the connection to the address indicated by the PORT command.

This is an example of a PORT mode FTP sniffer trace:

Source Address Dest. Address  Size  Summary
1 [10.0.1.52] n1.arrowpoint.co 78 DNS: C ID=1 OP=QUERY NAME=www.arrowpoint.com
2 n1.arrowpoint.co [10.0.1.52] 187 DNS: R ID=1 STAT=OK NAME=www.arrowpoint.com
3 [10.0.1.52] www.arrowpoint.co 60 TCP: D=21 S=1030 SYN SEQ=641559 LEN=0 WIN=8192 
4 www.arrowpoint.co [10.0.1.52] 60 TCP: D=1030 S=21 SYN ACK=641560 SEQ=2025117094 LEN=0 WIN=8760
5 [10.0.1.52] www.arrowpoint.co 60 TCP: D=21 S=1030 ACK=2025117095 WIN=8760
6 www.arrowpoint.co [10.0.1.52] 101 FTP: R PORT=21 220 pawn Microsoft FTP Service (Version 4.0).
7 [10.0.1.52] www.arrowpoint.co 60 TCP: D=21 S=1030 ACK=2025117142 WIN=8713
8 [10.0.1.52] www.arrowpoint.co 70 FTP: C PORT=1030 USER anonymous
9 www.arrowpoint.co [10.0.1.52] 126 FTP: R PORT=21 331 Anonymous access allowed
10 [10.0.1.52] www.arrowpoint.co 60 TCP: D=21 S=1030 ACK=2025117214 WIN=8641
11 [10.0.1.52] www.arrowpoint.co 72 FTP: C PORT=1030 PASS jack@hi.com
12 www.arrowpoint.co [10.0.1.52] 103 FTP: R PORT=21 230-*****************************************<0D0D>
13 [10.0.1.52] www.arrowpoint.co 60 TCP: D=21 S=1030 ACK=2025117263 WIN=8592
14 www.arrowpoint.co [10.0.1.52] 473 FTP: R PORT=21 230-Welcome to ArrowPoint Communications Inc.<0D0D>
15 [10.0.1.52] www.arrowpoint.co 60 TCP: D=21 S=1030 ACK=2025117682 WIN=8173
16 [10.0.1.52] www.arrowpoint.co 62 FTP: C PORT=1030 TYPE I
17 www.arrowpoint.co [10.0.1.52] 74 FTP: R PORT=21 200 Type set to I.
18 [10.0.1.52] www.arrowpoint.co 60 TCP: D=21 S=1030 ACK=2025117702 WIN=8153
19 [10.0.1.52] www.arrowpoint.co 62 FTP: C PORT=1030 TYPE A
20 www.arrowpoint.co [10.0.1.52] 74 FTP: R PORT=21 200 Type set to A.
21 [10.0.1.52] www.arrowpoint.co 74 FTP: C PORT=1030 PORT 10,0,1,52,4,7
22 www.arrowpoint.co [10.0.1.52] 84 FTP: R PORT=21 200 PORT command successful.
23 [10.0.1.52] www.arrowpoint.co 60 FTP: C PORT=1030 LIST
24 www.arrowpoint.co [10.0.1.52] 107 FTP: R PORT=21 150 Opening ASCII mode data connection for /bin/ls.
25 www.arrowpoint.co [10.0.1.52] 60 TCP: D=1031 S=20 SYN SEQ=2025117177 LEN=0 WIN=8192
26 [10.0.1.52] www.arrowpoint.co 60 TCP: D=20 S=1031 SYN ACK=2025117178 SEQ=658359 LEN=0 WIN=8760
27 www.arrowpoint.co [10.0.1.52] 60 TCP: D=1031 S=20 ACK=658360 WIN=8760
28 www.arrowpoint.co [10.0.1.52] 718 FTP: R PORT=1031 Text Data
29 www.arrowpoint.co [10.0.1.52] 60 TCP: D=1031 S=20 FIN ACK=658360 SEQ=2025117842 LEN=0 WIN=8760
30 [10.0.1.52] www.arrowpoint.co 60 TCP: D=20 S=1031 ACK=2025117843 WIN=8096
31 [10.0.1.52] www.arrowpoint.co 60 TCP: D=20 S=1031 FIN ACK=2025117843 SEQ=658360 LEN=0 WIN=8096
32 www.arrowpoint.co [10.0.1.52] 60 TCP: D=1031 S=20 ACK=658361 WIN=8760
33 [10.0.1.52] www.arrowpoint.co 60 TCP: D=21 S=1030 ACK=2025117805 WIN=8050
34 www.arrowpoint.co [10.0.1.52] 78 FTP: R PORT=21 226 Transfer complete.
35 [10.0.1.52] www.arrowpoint.co 62 FTP: C PORT=1030 TYPE I
36 www.arrowpoint.co [10.0.1.52] 74 FTP: R PORT=21 200 Type set to I. 
37 [10.0.1.52] www.arrowpoint.co 60 TCP: D=21 S=1030 ACK=2025117849 WIN=8006

PASV Mode FTP

  1. The client issues the retrieval request.

  2. The client issues the PASV command to the server, indicating that it wants the server to go to the passive mode.

  3. The server sets up a listening port.

  4. The server responds, letting the client know which port it is listening on for the data connection.

  5. The client establishes the connection to the address indicated in the server's response to the PASV command.

This is an example of a PASV mode FTP sniffer trace:

Source Address Dest. Address Size Summary
1 [161.44.232.117] [161.44.234.42] 78 DNS: C ID=1 OP=QUERY NAME=www.arrowpoint.com
2 [161.44.234.42] [161.44.232.117] 182 DNS: R ID=1 STAT=OK NAME=www.arrowpoint.com
3 [161.44.232.117] www.arrowpoint.co 60 TCP: D=21 S=3629 SYN SEQ=120885523 LEN=0 WIN=8192
4 www.arrowpoint.co [161.44.232.117] 60 TCP: D=3629 S=21 SYN ACK=120885524 SEQ=2025248057 LEN=0 WIN=8244
5 [161.44.232.117] www.arrowpoint.co 60 TCP: D=21 S=3629 ACK=2025248058 WIN=8244
6 www.arrowpoint.co [161.44.232.117] 101 FTP: R PORT=21 220 pawn Microsoft FTP Service (Version 4.0).
7 [161.44.232.117] www.arrowpoint.co 68 FTP: C PORT=3629 USER try
8 www.arrowpoint.co [161.44.232.117] 90 FTP: R PORT=21 331 Password required for support.
9 [161.44.232.117] www.arrowpoint.co 71 FTP: C PORT=3629 PASS buggie
10 www.arrowpoint.co [161.44.232.117] 103 FTP: R PORT=21 230-*****************************************<0D0D>
11 [161.44.232.117] www.arrowpoint.co 60 TCP: D=21 S=3629 ACK=2025248190 WIN=8112
12 www.arrowpoint.co [161.44.232.117] 471 FTP: R PORT=21 230-Welcome to ArrowPoint Communications Inc.<0D0D>
13 [161.44.232.117] www.arrowpoint.co 60 FTP: C PORT=3629 PWD
14 www.arrowpoint.co [161.44.232.117] 85 FTP: R PORT=21 257 "/" is current directory.
15 [161.44.232.117] www.arrowpoint.co 60 FTP: C PORT=3629 SYST
16 www.arrowpoint.co [161.44.232.117] 82 FTP: R PORT=21 215 Windows_NT version 4.0
17 [161.44.232.117] www.arrowpoint.co 60 FTP: C PORT=3629 PASV
18 www.arrowpoint.co [161.44.232.117] 102 FTP: R PORT=21 227 Entering Passive Mode (206,25,90,84,32,89)
19 [161.44.232.117] www.arrowpoint.co 60 TCP: D=8281 S=3630 SYN SEQ=120886325 LEN=0 WIN=8192
20 www.arrowpoint.co [161.44.232.117] 60 TCP: D=3630 S=8281 SYN ACK=120886326 SEQ=2025248090 LEN=0 WIN=8244
21 [161.44.232.117] www.arrowpoint.co 60 TCP: D=8281 S=3630 ACK=2025248091 WIN=8244
22 [161.44.232.117] www.arrowpoint.co 60 TCP: D=8281 S=3630 ACK=2025248091 WIN=16384
23 [161.44.232.117] www.arrowpoint.co 60 FTP: C PORT=3629 LIST
24 www.arrowpoint.co [161.44.232.117] 108 FTP: R PORT=21 125 Data connection already open; Transfer starting.
25 www.arrowpoint.co [161.44.232.117] 718 TCP: D=3630 S=8281 ACK=120886326 SEQ=2025248091 LEN=664 WIN=8244
26 www.arrowpoint.co [161.44.232.117] 60 TCP: D=3630 S=8281 FIN ACK=120886326 SEQ=2025248755 LEN=0 WIN=8244
27 [161.44.232.117] www.arrowpoint.co 60 TCP: D=8281 S=3630 ACK=2025248091 WIN=16384
28 [161.44.232.117] www.arrowpoint.co 60 TCP: D=8281 S=3630 ACK=2025248756 WIN=15720
29 [161.44.232.117] www.arrowpoint.co 60 TCP: D=8281 S=3630 FIN ACK=2025248756 SEQ=120886326 LEN=0 WIN=15720
30 [161.44.232.117] www.arrowpoint.co 60 TCP: D=21 S=3629 ACK=2025248768 WIN=7534
31 www.arrowpoint.co [161.44.232.117] 60 TCP: D=3630 S=8281 ACK=120886327 WIN=8244
32 www.arrowpoint.co [161.44.232.117] 78 FTP: R PORT=21 226 Transfer complete.
33 [161.44.232.117] www.arrowpoint.co 60 TCP: D=21 S=3629 ACK=2025248792 WIN=7510

The default FTP mode on Internet Explorer and Netscape is PASV mode. When you FTP from the DOS prompt on a Windows-based system, PORT mode is used. Other FTP programs provide the client with a choice to use either mode.
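The two traces above carry the data-connection endpoint inside the control channel: the client's PORT 10,0,1,52,4,7 and the server's 227 Entering Passive Mode (206,25,90,84,32,89). The following added example (not code from the Cisco document) decodes that RFC 959 host-port tuple and reports which side will initiate the data connection in each mode. The sample lines are copied from the two traces; the function names are assumptions for this example.

```python
"""Decode FTP PORT commands and 227 PASV replies into address/port pairs.

Added example, not part of the Cisco document. Sample lines are taken from
the two sniffer traces above.
"""
import re

# RFC 959 host-port format: h1,h2,h3,h4,p1,p2  (port = p1 * 256 + p2)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Return (ip, port) from the first h1,h2,h3,h4,p1,p2 tuple in text.

    Raises ValueError if no tuple is present or any of the six bytes is
    outside 0..255 (a malformed line a NAT device should not act on).
    """
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no host-port tuple in %r" % text)
    parts = [int(x) for x in m.groups()]
    if any(p > 255 for p in parts):
        raise ValueError("byte out of range in %r" % m.group(0))
    ip = ".".join(str(p) for p in parts[:4])
    port = parts[4] * 256 + parts[5]
    return ip, port


def data_connection(control_line):
    """Describe the data connection a control-channel line sets up.

    Returns (mode, initiator, ip, port): for a client PORT command the
    server will connect to ip:port (active mode); for a 227 reply the client
    will connect to ip:port (passive mode). Returns None for other lines.
    """
    stripped = control_line.strip()
    if stripped.upper().startswith("PORT "):
        ip, port = decode_hostport(stripped)
        return ("PORT", "server", ip, port)
    if stripped.startswith("227"):
        ip, port = decode_hostport(stripped)
        return ("PASV", "client", ip, port)
    return None


# Sample input (copied from the traces above): the payloads that matter,
# plus one line that carries no endpoint at all.
SAMPLE_LINES = [
    "PORT 10,0,1,52,4,7",
    "227 Entering Passive Mode (206,25,90,84,32,89)",
    "TYPE I",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line, "->", data_connection(line))
```

The decoded values can be checked against the traces: 4*256+7 = 1031 is the destination port of the server's SYN in frame 25 of the PORT trace, and 32*256+89 = 8281 is the destination port of the client's SYN in frame 19 of the PASV trace. This is exactly the information a NAT device has to read out of the payload, which is why plain header translation is not enough for FTP.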

Configuring FTP on the CSS 11000

There are two situations of concern when using FTP on the CSS 11000:

  • If users or servers behind the CSS 11000 have a private IP address and need a public IP address in order to FTP to a server on the Internet.

  • If clients from the Internet are trying to FTP to a server located behind the CSS 11000.

Each situation involves a different configuration.

Private to Public IP Address

[Figure: configuring_FTP-1.jpg]

In this situation, a source group is added to the configuration. The source group performs all the Network Address Translation (NAT) transformations. The source group is applied to both the control and data TCP sessions. When Active (PORT) FTP mode is used, the source group also changes the IP address carried in the data portion of the IP packet (the PORT command) from the origin host's address to the source group VIP address. This can be seen in the PORT mode FTP trace above.

The clients or servers behind the CSS 11000 can be added through access control lists (ACLs), or they can be internal to the group. Which you choose depends on whether you are using Active or Passive FTP. Active mode requires that you add the service to the source group, whereas Passive mode works in either case. If you are not sure which type of FTP will be used, add the service to the group and do not use ACLs to divert traffic to the source group. This group configuration works for both PORT and Passive mode FTP. If you are load balancing or NATing through a virtual IP, make sure to use the same VIP defined in your FTP rule.

Group FTP
IP address 76.7.7.7
Add service serverA
Add service serverB
Active

If you need to be more granular about how the source group is applied, then you can provide this through ACLs. This does not work for passive-mode FTP.

Group FTP
IP address 76.6.6.6
active
ACL 1
Clause 10 permit any 10.0.0.0 255.0.0.0 destination any sourcegroup FTP
Apply circuit (VLAN1)

Note: Clause 10 tells the switch to NAT any host within the 10.x.x.x subnet to 76.6.6.6 when it converses with the outside world. This is useful if you only want to NAT servers or clients toward the outside world and not apply NAT when they talk to other devices in the 10.x.x.x subnet.

Server Behind the CSS 11000

[Figure: configuring_FTP-2.jpg]

In this situation, you need to configure a content rule and a source group on the CSS 11000. The content rule is configured with a VIP address that clients connect to for FTP. The destination servers are added to the rule as services. This provides the NAT from public to private IP addressing.

The content rule should be configured with TCP and your FTP port (usually 21). If the port specified is not 21, the command application ftp-control is required to let the CSS know that this is FTP traffic. This is required for passive FTP mode.

This is the running configuration for the above situation:

owner CSS
content ftp-rule
VIP address 192.3.6.58
Protocol TCP
Port 21
Application ftp-control
Add serv1
Add serv3
Active 

A source group also has to be configured for both active and passive mode. For passive mode, the group NATs the server IP address found in the FTP control channel payload when the server passes the IP address and port information for the data connection. For active mode, the source IP address of the server must be NATed when the server opens the data connection to the client. Just like the previous situation, the servers can be added as services in the source group or through ACLs. The running configuration for the source group might appear like the following:

Group ftp
VIP address 192.3.6.58
Add service serv1
Add service serv2
Active
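Both situations above come down to the same rule: whichever host on the private side of the CSS announces its data-connection endpoint in the control channel (the client's PORT command in the first situation, the server's 227 reply in the second) needs that endpoint rewritten to the VIP, and the source group must remember the translation so it can forward the connection that later arrives at the VIP. The following added example (not Cisco code, and not how the CSS implements it internally) models that payload rewrite for both directions. The VIPs 76.7.7.7 and 192.3.6.58 and the client 10.0.1.52 come from the document; the private server address 10.1.1.5, the starting translated port, and the class and method names are constructed for this example.

```python
"""Model of the control-channel payload rewrite an FTP-aware NAT must do.

Added example, not Cisco code. It simulates what the source group is
described as doing above: rewriting the PORT command (situation 1) or the
227 reply (situation 2) that leaves the private side, and recording the
translation so the data connection arriving at the VIP can be forwarded.
"""
import re

_TUPLE = re.compile(r"\d{1,3}(?:,\d{1,3}){5}")


def _decode(tup):
    """'h1,h2,h3,h4,p1,p2' -> (ip, port); rejects bytes outside 0..255."""
    n = [int(x) for x in tup.split(",")]
    if any(b > 255 for b in n):
        raise ValueError("byte out of range in %r" % tup)
    return ".".join(str(b) for b in n[:4]), n[4] * 256 + n[5]


def _encode(ip, port):
    """(ip, port) -> 'h1,h2,h3,h4,p1,p2'."""
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


class FtpSourceGroupNat:
    """One source group: a VIP plus the endpoint translations it has made."""

    def __init__(self, vip, first_port=20000):
        self.vip = vip
        self.next_port = first_port        # constructed: next translated port
        self.translations = {}             # vip_port -> (private_ip, private_port)

    def _allocate(self, private_ip, private_port):
        vip_port = self.next_port
        self.next_port += 1
        self.translations[vip_port] = (private_ip, private_port)
        return vip_port

    def rewrite(self, payload, from_private):
        """Translate a PORT command or 227 reply sent by the private side.

        Returns (payload, changed). Lines with no host-port tuple, and any
        line coming from the public side, pass through unchanged: for those,
        only the IP header is NATed, which the source group does anyway.
        """
        upper = payload.upper()
        announces_endpoint = upper.startswith("PORT ") or payload.startswith("227")
        m = _TUPLE.search(payload)
        if not from_private or not announces_endpoint or m is None:
            return payload, False
        private_ip, private_port = _decode(m.group(0))
        vip_port = self._allocate(private_ip, private_port)
        new_payload = payload[:m.start()] + _encode(self.vip, vip_port) + payload[m.end():]
        return new_payload, True

    def inbound_target(self, vip_port):
        """Where a data connection arriving at vip:vip_port is forwarded, or None."""
        return self.translations.get(vip_port)


if __name__ == "__main__":
    # Situation 1: private client 10.0.1.52 behind VIP 76.7.7.7, active mode.
    outbound = FtpSourceGroupNat("76.7.7.7")
    print(outbound.rewrite("PORT 10,0,1,52,4,7", from_private=True))
    print(outbound.inbound_target(20000))
    # The public server's 227 reply carries its own public address: untouched.
    print(outbound.rewrite("227 Entering Passive Mode (206,25,90,84,32,89)", from_private=False))

    # Situation 2: private server 10.1.1.5 (constructed) behind VIP 192.3.6.58, passive mode.
    inbound = FtpSourceGroupNat("192.3.6.58", first_port=30000)
    print(inbound.rewrite("227 Entering Passive Mode (10,1,1,5,32,89)", from_private=True))
    print(inbound.inbound_target(30000))
```

Two practical consequences follow from the model. First, the rewritten tuple is usually a different length from the original, so a real FTP-aware NAT also has to adjust TCP sequence and acknowledgement numbers on the control connection for the rest of the session; this is part of why the CSS must know the traffic is FTP (the application ftp-control setting) when the control port is not 21. Second, the translation table is what turns an otherwise unsolicited inbound connection to the VIP into an expected one, which is why an ACL that diverts only some traffic to the source group breaks passive mode: the 227 reply never passes through the group, and the client's data connection arrives with no matching entry.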

Related Information
