Document ID: 12580
Updated: Dec 27, 2007
Introduction
This document outlines the difference between the two File Transfer Protocol (FTP) modes (PORT and PASV), and how they apply to Virtual Internet Protocol (VIP) source groups on the Cisco Content Services Switch (CSS) 11000. The FTP client wishing to connect to the FTP server initiates the FTP control connection. The control connection is used to issue commands to the FTP server and to receive simple responses; the actual file transfer takes place over a separate data connection. Either the FTP client or the FTP server may initiate the data connection; these two modes of FTP are referred to as PORT (active) mode and PASV (passive) mode. The FTP client decides which mode to use.
Before You Begin
Conventions
For more information on document conventions, see the Cisco Technical Tips Conventions.
Prerequisites
There are no specific prerequisites for this document.
Components Used
The information in this document is based on the Cisco CSS 11000.
Understanding FTP on the CSS 11000
Port Mode FTP
- The client issues the retrieval request.
- The client sets up the listening port.
- The client issues a PORT command to the FTP server. This command informs the server which address and port the client is listening on for the data connection.
- The server establishes the data connection to the address indicated by the PORT command.
This is an example of a PORT mode FTP sniffer trace:
Source Address Dest. Address Size Summary
1 [10.0.1.52] n1.arrowpoint.co 78 DNS: C ID=1 OP=QUERY NAME=www.arrowpoint.com
2 n1.arrowpoint.co [10.0.1.52] 187 DNS: R ID=1 STAT=OK NAME=www.arrowpoint.com
3 [10.0.1.52] www.arrowpoint.co 60 TCP: D=21 S=1030 SYN SEQ=641559 LEN=0 WIN=8192
4 www.arrowpoint.co [10.0.1.52] 60 TCP: D=1030 S=21 SYN ACK=641560 SEQ=2025117094 LEN=0 WIN=8760
5 [10.0.1.52] www.arrowpoint.co 60 TCP: D=21 S=1030 ACK=2025117095 WIN=8760
6 www.arrowpoint.co [10.0.1.52] 101 FTP: R PORT=21 220 pawn Microsoft FTP Service (Version 4.0).
7 [10.0.1.52] www.arrowpoint.co 60 TCP: D=21 S=1030 ACK=2025117142 WIN=8713
8 [10.0.1.52] www.arrowpoint.co 70 FTP: C PORT=1030 USER anonymous
9 www.arrowpoint.co [10.0.1.52] 126 FTP: R PORT=21 331 Anonymous access allowed
10 [10.0.1.52] www.arrowpoint.co 60 TCP: D=21 S=1030 ACK=2025117214 WIN=8641
11 [10.0.1.52] www.arrowpoint.co 72 FTP: C PORT=1030 PASS jack@hi.com
12 www.arrowpoint.co [10.0.1.52] 103 FTP: R PORT=21 230-*****************************************<0D0D>
13 [10.0.1.52] www.arrowpoint.co 60 TCP: D=21 S=1030 ACK=2025117263 WIN=8592
14 www.arrowpoint.co [10.0.1.52] 473 FTP: R PORT=21 230-Welcome to ArrowPoint Communications Inc.<0D0D>
15 [10.0.1.52] www.arrowpoint.co 60 TCP: D=21 S=1030 ACK=2025117682 WIN=8173
16 [10.0.1.52] www.arrowpoint.co 62 FTP: C PORT=1030 TYPE I
17 www.arrowpoint.co [10.0.1.52] 74 FTP: R PORT=21 200 Type set to I.
18 [10.0.1.52] www.arrowpoint.co 60 TCP: D=21 S=1030 ACK=2025117702 WIN=8153
19 [10.0.1.52] www.arrowpoint.co 62 FTP: C PORT=1030 TYPE A
20 www.arrowpoint.co [10.0.1.52] 74 FTP: R PORT=21 200 Type set to A.
21 [10.0.1.52] www.arrowpoint.co 74 FTP: C PORT=1030 PORT 10,0,1,52,4,7
22 www.arrowpoint.co [10.0.1.52] 84 FTP: R PORT=21 200 PORT command successful.
23 [10.0.1.52] www.arrowpoint.co 60 FTP: C PORT=1030 LIST
24 www.arrowpoint.co [10.0.1.52] 107 FTP: R PORT=21 150 Opening ASCII mode data connection for /bin/ls.
25 www.arrowpoint.co [10.0.1.52] 60 TCP: D=1031 S=20 SYN SEQ=2025117177 LEN=0 WIN=8192
26 [10.0.1.52] www.arrowpoint.co 60 TCP: D=20 S=1031 SYN ACK=2025117178 SEQ=658359 LEN=0 WIN=8760
27 www.arrowpoint.co [10.0.1.52] 60 TCP: D=1031 S=20 ACK=658360 WIN=8760
28 www.arrowpoint.co [10.0.1.52] 718 FTP: R PORT=1031 Text Data
29 www.arrowpoint.co [10.0.1.52] 60 TCP: D=1031 S=20 FIN ACK=658360 SEQ=2025117842 LEN=0 WIN=8760
30 [10.0.1.52] www.arrowpoint.co 60 TCP: D=20 S=1031 ACK=2025117843 WIN=8096
31 [10.0.1.52] www.arrowpoint.co 60 TCP: D=20 S=1031 FIN ACK=2025117843 SEQ=658360 LEN=0 WIN=8096
32 www.arrowpoint.co [10.0.1.52] 60 TCP: D=1031 S=20 ACK=658361 WIN=8760
33 [10.0.1.52] www.arrowpoint.co 60 TCP: D=21 S=1030 ACK=2025117805 WIN=8050
34 www.arrowpoint.co [10.0.1.52] 78 FTP: R PORT=21 226 Transfer complete.
35 [10.0.1.52] www.arrowpoint.co 62 FTP: C PORT=1030 TYPE I
36 www.arrowpoint.co [10.0.1.52] 74 FTP: R PORT=21 200 Type set to I.
37 [10.0.1.52] www.arrowpoint.co 60 TCP: D=21 S=1030 ACK=2025117849 WIN=8006
PASV Mode FTP
- The client issues the retrieval request.
- The client issues the PASV command to the server, indicating that it wants the server to go into passive mode.
- The server sets up a listening port.
- The server responds, letting the client know which address and port it is listening on for the data connection.
- The client establishes the data connection to the address indicated in the server's response to the PASV command.
This is an example of a PASV mode FTP sniffer trace:
Source Address Dest. Address Size Summary
1 [161.44.232.117] [161.44.234.42] 78 DNS: C ID=1 OP=QUERY NAME=www.arrowpoint.com
2 [161.44.234.42] [161.44.232.117] 182 DNS: R ID=1 STAT=OK NAME=www.arrowpoint.com
3 [161.44.232.117] www.arrowpoint.co 60 TCP: D=21 S=3629 SYN SEQ=120885523 LEN=0 WIN=8192
4 www.arrowpoint.co [161.44.232.117] 60 TCP: D=3629 S=21 SYN ACK=120885524 SEQ=2025248057 LEN=0 WIN=8244
5 [161.44.232.117] www.arrowpoint.co 60 TCP: D=21 S=3629 ACK=2025248058 WIN=8244
6 www.arrowpoint.co [161.44.232.117] 101 FTP: R PORT=21 220 pawn Microsoft FTP Service (Version 4.0).
7 [161.44.232.117] www.arrowpoint.co 68 FTP: C PORT=3629 USER try
8 www.arrowpoint.co [161.44.232.117] 90 FTP: R PORT=21 331 Password required for support.
9 [161.44.232.117] www.arrowpoint.co 71 FTP: C PORT=3629 PASS buggie
10 www.arrowpoint.co [161.44.232.117] 103 FTP: R PORT=21 230-*****************************************<0D0D>
11 [161.44.232.117] www.arrowpoint.co 60 TCP: D=21 S=3629 ACK=2025248190 WIN=8112
12 www.arrowpoint.co [161.44.232.117] 471 FTP: R PORT=21 230-Welcome to ArrowPoint Communications Inc.<0D0D>
13 [161.44.232.117] www.arrowpoint.co 60 FTP: C PORT=3629 PWD
14 www.arrowpoint.co [161.44.232.117] 85 FTP: R PORT=21 257 "/" is current directory.
15 [161.44.232.117] www.arrowpoint.co 60 FTP: C PORT=3629 SYST
16 www.arrowpoint.co [161.44.232.117] 82 FTP: R PORT=21 215 Windows_NT version 4.0
17 [161.44.232.117] www.arrowpoint.co 60 FTP: C PORT=3629 PASV
18 www.arrowpoint.co [161.44.232.117] 102 FTP: R PORT=21 227 Entering Passive Mode (206,25,90,84,32,89)
19 [161.44.232.117] www.arrowpoint.co 60 TCP: D=8281 S=3630 SYN SEQ=120886325 LEN=0 WIN=8192
20 www.arrowpoint.co [161.44.232.117] 60 TCP: D=3630 S=8281 SYN ACK=120886326 SEQ=2025248090 LEN=0 WIN=8244
21 [161.44.232.117] www.arrowpoint.co 60 TCP: D=8281 S=3630 ACK=2025248091 WIN=8244
22 [161.44.232.117] www.arrowpoint.co 60 TCP: D=8281 S=3630 ACK=2025248091 WIN=16384
23 [161.44.232.117] www.arrowpoint.co 60 FTP: C PORT=3629 LIST
24 www.arrowpoint.co [161.44.232.117] 108 FTP: R PORT=21 125 Data connection already open; Transfer starting.
25 www.arrowpoint.co [161.44.232.117] 718 TCP: D=3630 S=8281 ACK=120886326 SEQ=2025248091 LEN=664 WIN=8244
26 www.arrowpoint.co [161.44.232.117] 60 TCP: D=3630 S=8281 FIN ACK=120886326 SEQ=2025248755 LEN=0 WIN=8244
27 [161.44.232.117] www.arrowpoint.co 60 TCP: D=8281 S=3630 ACK=2025248091 WIN=16384
28 [161.44.232.117] www.arrowpoint.co 60 TCP: D=8281 S=3630 ACK=2025248756 WIN=15720
29 [161.44.232.117] www.arrowpoint.co 60 TCP: D=8281 S=3630 FIN ACK=2025248756 SEQ=120886326 LEN=0 WIN=15720
30 [161.44.232.117] www.arrowpoint.co 60 TCP: D=21 S=3629 ACK=2025248768 WIN=7534
31 www.arrowpoint.co [161.44.232.117] 60 TCP: D=3630 S=8281 ACK=120886327 WIN=8244
32 www.arrowpoint.co [161.44.232.117] 78 FTP: R PORT=21 226 Transfer complete.
33 [161.44.232.117] www.arrowpoint.co 60 TCP: D=21 S=3629 ACK=2025248792 WIN=7510
The default FTP mode on Internet Explorer and Netscape is PASV mode. When you FTP from the DOS prompt on a Windows-based system, PORT mode is used. Other FTP programs provide the client with a choice to use either mode.
Configuring FTP on the CSS 11000
There are two situations of concern when using FTP on the CSS 11000:
- Users or servers behind the CSS 11000 have a private IP address and need a public IP address in order to FTP to a server on the Internet.
- Clients from the Internet are trying to FTP to a server located behind the CSS 11000.
Each situation involves a different configuration.
Private to Public IP Address
In this situation, a source group is added to the configuration. The source group performs all the Network Address Translation (NAT) transformations and is applied to both the control and data TCP sessions. When Active (PORT) FTP mode is used, the source group also rewrites the IP address carried in the data portion of the IP packet (the client's address inside the PORT command, as shown in the PORT FTP trace above) from the private address to the source group VIP address.
The clients or servers behind the CSS 11000 can be added through access control lists (ACLs), or they can be made internal to the group as services. Which you choose depends on whether Active or Passive FTP is used: Active mode requires that you add the service to the source group, whereas Passive mode works in either case. If you are not sure which type of FTP will be used, add the service to the group and do not use ACLs to divert traffic to the source group. The following group configuration works for both PORT and Passive mode FTP. If you are load balancing or applying NAT through a virtual IP, make sure to use the same VIP defined in your FTP content rule.
Group FTP
  IP address 76.7.7.7
  Add service serverA
  Add service serverB
  Active
If you need to be more granular about how the source group is applied, then you can provide this through ACLs. This does not work for passive-mode FTP.
Group FTP
  IP address 76.6.6.6
  active
ACL 1
  Clause 10 permit any 10.0.0.0 255.0.0.0 destination any sourcegroup FTP
  Apply circuit (VLAN1)
Note: Clause 10 tells the switch to NAT any source within the 10.x.x.x subnet to 76.6.6.6 when it converses with the outside world. This is useful if you only want to NAT servers or clients toward the outside world and not apply NAT when they talk to other devices within the 10.x.x.x subnet.
Server Behind the CSS 11000
In this situation, you need to configure a content rule and a source group on the CSS 11000. The content rule is configured with a VIP address that clients connect to for FTP. The destination servers are added to the rule as services. This provides the NAT from public to private IP addressing.
The content rule should be configured with protocol TCP and your FTP port (usually 21). If the port specified is not 21, the command application ftp-control is required to let the CSS know that the traffic is FTP; this is required for passive FTP mode to work.
This is the running configuration for the above situation:
owner CSS
  content ftp-rule
    VIP address 192.3.6.58
    Protocol TCP
    Port 21
    Application ftp-control
    Add serv1
    Add serv3
    Active
A source group also has to be configured, for both active and passive mode. For passive mode, the group NATs the server IP address found in the FTP control channel payload when the server passes the IP address and port information for the data connection (the 227 reply). For active mode, it NATs the source IP address of the server when the server opens the data connection to the client. Just as in the previous situation, the servers can be added as services in the source group or through ACLs. The running configuration for the source group might appear as follows:
Group ftp
  VIP address 192.3.6.58
  Add service serv1
  Add service serv2
  Active
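As an added example (not code from this Cisco document), the Python below decodes the h1,h2,h3,h4,p1,p2 address that both the PORT command (packet 21 of the PORT trace) and the 227 reply (packet 18 of the PASV trace) carry, and models the payload rewrite a source group performs: the private address inside the control channel is replaced with the VIP while the port is kept. The two sample lines are copied from the traces above; the private address and VIP values passed to the rewrite are assumed for illustration.

```python
import re
from typing import Optional, Tuple

# Constructed sample lines, copied from the two sniffer traces in this document:
# the client's PORT command (active mode) and the server's 227 reply (passive mode).
PORT_COMMAND = "PORT 10,0,1,52,4,7"
PASV_REPLY = "227 Entering Passive Mode (206,25,90,84,32,89)"

# h1,h2,h3,h4,p1,p2 as used by both the PORT command and the 227 reply
_ADDR_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_ftp_address(line: str) -> Optional[Tuple[str, int]]:
    """Return the (host, port) advertised in a PORT command or a 227 reply.

    The port is p1*256 + p2. Returns None for lines that carry no address
    or whose fields are out of range.
    """
    m = _ADDR_RE.search(line)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    host = ".".join(str(f) for f in fields[:4])
    return host, fields[4] * 256 + fields[5]


def encode_ftp_address(host: str, port: int) -> str:
    """Inverse of decode_ftp_address: build the h1,h2,h3,h4,p1,p2 form."""
    octets = host.split(".")
    if len(octets) != 4 or any(not o.isdigit() or int(o) > 255 for o in octets):
        raise ValueError("not a dotted IPv4 address: %r" % host)
    if not 0 < port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return ",".join(octets + [str(port // 256), str(port % 256)])


def nat_ftp_payload(line: str, private_ip: str, vip: str) -> str:
    """Rewrite the address in the control-channel payload the way a source
    group does: when the advertised host is the private address, replace it
    with the VIP and keep the port. Any other line is returned unchanged.
    (In active mode the CSS additionally NATs the source IP of the server's
    own data connection; that is packet-level and not modelled here.)
    """
    decoded = decode_ftp_address(line)
    if decoded is None or decoded[0] != private_ip:
        return line
    return _ADDR_RE.sub(encode_ftp_address(vip, decoded[1]), line, count=1)
```

Decoding the two trace lines yields ports 1031 and 8281, which are exactly the destination ports of the data-connection SYNs in packets 25 and 19 of the respective traces.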
