FTP and Port mapping

Hi
We are having trouble with our FTP server. The clients send a SYN with source port 40000, then the server replies with the same destination port, but I presume that the load balancer does a port mapping and translates the source port to e.g. 33000. Our firewall clearly drops the packet with the reason "Packet out of state". Do you have any idea?
Here is my config
service h01p6u_21
keepalive type tcp
keepalive port 21
ip address x.x.158.129
protocol tcp
redundant-index 11790
active
service h01p6v_21
ip address x.x.158.130
keepalive type tcp
keepalive port 21
protocol tcp
redundant-index 11800
active
content c01sg5_21
vip address x.x.x.140
add service h01p6v_21
add service h01p6u_21
port 21
protocol tcp
application ftp-control
active
!*************************** GROUP
group srg_c01sg5
vip address x.x.x.140
add service h01p6u_21
add service h01p6v_21
active

Hi Gilles
The problem that I have now is with active FTP. I set up PBR on the load balancer. Passive FTP works both from the internet and from our internal network, while active FTP works only from the internet and doesn't work from our internal network. What we see is that the load balancer sends the ftp-data packet out to the Internet VLAN (e.g. VLAN 3605) and not to VLAN 3603. I guess the problem is in my access list. Do you have any idea?
My configuration
!*************************** GROUP ***************************
group srg_c01sg5
vip address x.x.152.140
add service h01p6v_21
add service h01p6u_21
active
!**************************** ACL ****************************
acl 1
clause 10 permit any x.x.172.0 255.255.255.0 destination any prefer FW_VLAN3605
clause 99 permit any any destination any
apply circuit-(VLAN3607)
acl 2
clause 10 permit any x.x.158.0 255.255.255.0 destination any prefer FW_VLAN3603
clause 99 permit any any destination any
apply circuit-(VLAN3610)
clause 15 permit any x.x.158.0 255.255.255.0 destination 10.0.0.0 255.0.0.0 prefer FW_VLAN3603
clause 20 permit any x.x.158.0 255.255.255.0 destination 138.191.0.0 255.255.0.0 prefer FW_VLAN3603
clause 25 permit any x.x.158.0 255.255.255.0 destination 192.168.251.0 255.255.255.0 prefer FW_VLAN3603
clause 30 permit any x.x.158.0 255.255.255.0 destination 192.168.250.0 255.255.255.0 prefer FW_VLAN3603
clause 35 permit any x.x.158.0 255.255.255.0 destination 192.168.0.0 255.255.0.0 prefer FW_VLAN3603
clause 40 permit any x.x.158.0 255.255.255.0 destination 172.16.0.0 255.240.0.0 prefer FW_VLAN3603
acl 10
clause 99 permit any any destination any
apply circuit-(VLAN3605)
apply circuit-(VLAN3603)
apply circuit-(VLAN2421)
apply circuit-(VLAN1)

Similar Messages

  • NAT configuration and Port Mapping for xBox

    I'm looking for help with port mapping to open up the NAT for an xBox One. I'm working with the following network devices:
    xBox One
    DSL Modem: Embarq (ZyXEL) 660R series
    Airport Extreme version 7.7.3
    I understand the following from researching the issue:
    The default settings for both devices block the ports needed for xBox Live.
    Airport Extremes are not on the compatible list for xBox.
    Port Mapping is better than creating a DMZ for the xBox.
    The xBox needs its own manually set IP address.
    I switched my Network>Router Mode from Off (Bridge Mode) to DHCP and NAT. I then created a DHCP Reservation and the Port Settings for that IP.
    After doing this, the Airport would restart and display a warning - Double NAT. I figured this was because the 660 settings showed the NAT Mode to be SUA Only. The Edit Details link displayed an empty table where you edited the SUA/NAT Server Set. I switched from NAT Mode>SUA Only to None. So there was my Double NAT and I would have thought that would have removed one.
    I also disabled the Firewall and Enabled the UPnP.
    After restarts the Airport continued to display the Double NAT error. However, with the 660's NAT Mode set to None, the Internet was not there. Web browsers and email accounts replied with server not found.
    Only with the 660 set to SUA Only and the Airport in Bridge Mode is the Internet accessible. I now have the details for the SUA filled out for the xBox's IP address and ports.
    Hypothesis
    Since both devices are acting as DHCP servers the port mapping is not working. Rather than have the 660 distribute IP addresses and then having the Airport distribute another range of numbers, I need to have both devices bridge and distribute one range of numbers. Currently the 660 is using the 192.168 range and the Airport is using the 10.0 range.
    Am I correct? Any thoughts and suggestions are welcome.

    Port forwarding through a double NAT.. is near impossible.. !!
    And the xbox is so attuned to using UPNP it is very hard not to.. even port mapping is not a great fix. Since apple decided gamers did not count as users for Airports.. I think honestly it is best to bypass the airport and stick to upnp from the modem router.
    What method of authentication does your ISP use? Because it is really better to use one router.
    And in fact the router should be the Zyxel. If you plug the Xbox to the Zyxel running in full router mode, with the airport removed from the network does it work and open NAT??
    If not replace the Zyxel with a modern listed router that is xbox compatible and bridge the airport to it.

  • Default Host (DMZ) and Port Mapping together

    Hi all,
    I have the G5 set as a default host for all my web services through the Airport Extreme.
    In the Airport Extreme's Port Mapping tab, a user is not prevented from using the port mapping tab even when the Default host is set. I want to serve video through another port not on the G5.
    Does this mean I can set up port mapping for ports I do not want to go to the default host? (my G5 in this case)
    I asked this on the airport forum and never got an answer, maybe you G5 folks might know. (Or maybe there is a setting that will redirect from the G5.)
    Thanks in advance,
    Jamy

    I figured it out. I can't have a DMZ and separately port mapping on the Airport.

  • WRT54G - IP and Port mapping problems

    I'll set the scenario first so you can understand what I'm trying to do. I have a D-Link 524 configured through PPPoE to get access to the internet. It has DHCP enabled (from 192.168.0.100 to .199). I had a static IP configured in the D-Link router as 192.168.0.90 and some ports forwarded to my PC that's like 50 meters away from the router, in another office. The thing is, I added a WRT54G v6 router because the wireless signal from the D-Link didn't reach where I am, and some people needed to use it. So, I plugged my PC into the WRT54G, and the Linksys into the D-Link. Now, my problem is, I no longer have the static IP that the D-Link assigned me (the Linksys uses the 192.168.1.X range, and the D-Link the 192.168.0.X range). Now, if I release my MAC address from the D-Link and assign a static IP in the WRT54G, I could forward the ports I had before in the D-Link but in the Linksys. The thing is, I can't find a way to assign a static IP in the Linksys. And I tried to change the IP range of the Linksys to 192.168.0.X so I can still use the assigned address from the D-Link, but it didn't work: I couldn't access the Linksys or the D-Link after changing the address, and didn't get internet either, so I had to reset the Linksys. After all of this... what the hell do I do? Azureus can't connect, or any other P2P app for that matter (because I had the ports forwarded in the other router, and I can't forward them in the Linksys because I get a dynamic local IP; if I forward them to, say, 192.168.1.100 and some day I get assigned 192.168.1.101... well, I assume it won't work as expected).

    The WRT54G does not assign fixed IP addresses through DHCP. You have to set a static IP address on the computer itself instead of using DHCP.
    I would, however, recommend not to use the WRT as router but only as simple access point. Instructions are here. Set a LAN IP address like 192.168.0.2 on the WRT to keep it accessible inside your normal LAN. I think this setup will solve all your problems. You can still use the fixed IP address assignment from the DHCP server on the D-Link and you only have to configure a single port forwarding on the D-Link (instead of two which would be necessary if you connect the Linksys router through its internet port to the D-Link).
    With two access points you can create a roaming network by using the identical wireless settings on both routers (SSID, wireless security, wireless mode). Channels should be different and at least 5 apart. SSID broadcast should be enabled on both. Now most wireless clients are able to move between both access points without losing the connection.
    Message Edited by gv on 06-01-2008 02:22 PM

  • Port Mapping is not working ?

    First of all, sorry for my bad english as it is not my primary language.
    So my problem is that I play Warcraft 3 and that I would like to host some games. To be able to host, I have to do port mapping for the ports : 6112-6119, which I did in the Airport Utility --> Advanced --> Port Mapping. I did it for every port 6112, 6113, etc. But the thing is that when I go on this website: http://www.whatsmyip.org/ports/games/ (Which is a website that tells me what ports are open on my computer), only port 6112 is open. Ports 6113-6119 are closed. Before my Airport Extreme, I had a Linksys and I had no problems with hosting and port mapping, which means it is not my ISP that is blocking the ports.
    Also this is the setup of my internet if it can help. I have an AirPort Extreme which is connected to the modem in my basement (I did the port mapping on this one). From this AirPort Extreme, I have another AirPort Extreme connected to it. I am connected to the second AirPort Extreme in bridge mode with ethernet.
    I don't know if this was clear or not lol. Anyway I would appreciate any help. Thank You !

    This is just a guess, but if you still have that AirPort Extreme, you might plug it in long enough to have AirPort Utility do a File >Export Configuration File, then reconnect the Time Capsule and do a File > Import Configuration File.  Once that's done you may have to do a little adjustment to account for the disk drive.

  • Enabling ports / port mapping for FTP

    Greetings! I have an iMac G5 (Tiger) connected to the internet via an Airport Express. Connected to the Airport is a DSL modem. The Airport uses a static IP for internet access via the DSL modem.
    I've enabled FTP services on the G5, and am trying to figure out how to map the appropriate ports to allow FTP access remotely from the internet. I assume I would need to use the static IP with the remote FTP client, then the Airport would route the request to the iMac using port mapping... correct, or incorrect? How, specifically, should this be set up? ie... what ports need opening, routed to where, etc.
    Thx!
    J

    http://discussions.apple.com/thread.jspa?threadID=121828

  • FTP & Port Mapping?

    Ok, I'm pretty new to wireless networking but I have a pretty good grasp of it all. I just have one question about Port Mapping and security. I have to open port 21 on Port Mapping in order for me to use FTP to upload files to my webspace. My question is how safe is it to leave that port open all the time? Or should I continue to close the port after every time I upload? That's fine but it takes so long to update the Express with the new settings and reset. Kind of a pain.
    Anyway, if anyone has an opinion or suggestion for this then it would be greatly appreciated!

    Thanks for the quick reply and information Henry!
    Well, I guess I would be at minor risk since I don't have my OS X firewall enabled. I just figured that the Express was a better firewall. But if you start punching holes in the wall then it becomes less secure. Hmm.... I guess I would have to enable the OS X firewall then if I want to leave the port mapping enabled on the Express. And just enable FTP access through the OS X firewall when needed.
    Of course I have good password protection on the FTP server but then again I would have the port wide open too.
    Anyway.... thanks again for your help! It definitely helps me put things in order with what I need to do.

  • Port Mapping Filezilla FTP Server

    I just got a new AirPort Extreme Base Station (802.11n). I must say, I'm pleased for the most part. I'm having an issue with remotely connecting to my FTP server inside the network though.
    Setup:
    The whole thing is connected as follows:
    Cable Modem - AEBS - Wired Windows PC
    On this windows PC I run an FTP & HTTP server. Both are functioning properly as they always have, both on the localhost and within the network.
    The HTTP protocol is working fine. I have port 80 mapped to my PC's static IP of 10.0.1.100. I can browse my hosted site from a remote PC no problem.
    Yet, from a remote PC I am unable to fully establish FTP communication. I have port 21 mapped to my PC's static IP as well. Communication seems to be happening; the remote PC gets prompted for their username and password. Shortly after (within a timeout time), the FTP server replies that it cannot open the data channel.
    Data:
    Here is the Remote PC's log of the FTP session:
    Status: Connecting to $server.com ...
    Status: Connected with $server.com. Waiting for welcome message...
    Response: 220 $greeting
    Command: USER $username
    Response: 331 Password required for dave
    Command: PASS $pass**
    Response: 230 Logged on
    Command: SYST
    Response: 215 UNIX emulated by FileZilla
    Command: FEAT
    Response: 211-Features:
    Response: MDTM
    Response: REST STREAM
    Response: SIZE
    Response: MLST type;size*;modify;
    Response: MLSD
    Response: UTF8
    Response: CLNT
    Response: 211 End
    Status: Connected
    Status: Retrieving directory listing...
    Command: PWD
    Response: 257 "/" is current directory.
    Command: TYPE A
    Response: 200 Type set to A
    Command: PASV
    Response: 227 Entering Passive Mode (10,0,1,100,16,141)
    Command: LIST
    Response: 425 Can't open data connection.
    Error: Could not retrieve directory listing
    Solutions Attempts:
    I have tried mapping the FTP data port (20) to the server's static IP to no avail. I even went as far as setting the server as the default host (DMZ); this didn't work either.
    Am I looking at a fresh firmware bug here or am I missing anything? Thanks for your help.
    P.S. No changes have been made on the server and every other no name router I've used has successfully port mapped the server; it's definitely the new hardware.
    Windows PC Windows XP Pro

    1. Try to connect to your FTP-Server in ACTIVE-Mode,
    it's a setting in your FTP-Client
    Most all FTP clients are defaulted to passive mode, and I want to connect without asking all users to change their settings.
    Previous routers did not require anything like this, why would this new base station obfuscate the setup?
    2. Don't use the same AirportXtrem internet
    connection (for testing your FTP-Service) where is
    your FTP-Server behind. I don't know why, when I try
    to establish a connection I could not go out and come
    back through my AXtrem on the same way.
    Try it with a Modem, UMTS or with another internet
    connection.
    I don't know exactly what you're talking about. Please explain better or with more details.
    Windows PC Windows XP Pro
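
An added example, not part of the original thread and not FileZilla code: FTP announces the data-channel endpoint inside the control channel, so decoding the `227` reply from the log above shows what the remote client was told to dial. The example goes one step beyond the thread by also decoding the `PORT` argument used in active mode; the `PORT` line and the two control-channel addresses (203.0.113.10, 198.51.100.7) are constructed.

```python
import ipaddress
import re

# RFC 1918 ranges: a peer on the far side of a NAT cannot dial these.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# h1,h2,h3,h4,p1,p2 field of the PORT command and the 227 reply (RFC 959).
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# The first four lines are from the log in the post; the PORT line is
# constructed for the example.
SAMPLE_LOG = [
    "Command: PASV",
    "Response: 227 Entering Passive Mode (10,0,1,100,16,141)",
    "Command: LIST",
    "Response: 425 Can't open data connection.",
    "Command: PORT 192,168,1,5,156,64",
]


def decode_hostport(text):
    """Return (IPv4Address, port) from a PORT argument or a 227 reply."""
    m = HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("octet out of range in %r" % text)
    addr = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    # The port is sent as two bytes, high byte first.
    return addr, nums[4] * 256 + nums[5]


def analyse(lines, server_seen_as, client_seen_as):
    """Report every data-channel endpoint announced on the control channel.

    server_seen_as: address the client dialled for the control connection.
    client_seen_as: source address the server sees for that connection.
    """
    findings = []
    for raw in lines:
        # Drop the "Command:" / "Response:" prefix a client log adds.
        line = re.sub(r"^\s*(Command|Response):\s*", "", raw).strip()
        if line.upper().startswith("PORT "):
            mode, peer = "active", client_seen_as
        elif line.startswith("227 "):
            mode, peer = "passive", server_seen_as
        else:
            continue
        addr, port = decode_hostport(line[4:])
        private = any(addr in net for net in RFC1918)
        matches = addr == ipaddress.ip_address(peer)
        findings.append({
            "mode": mode,
            "endpoint": "%s:%d" % (addr, port),
            "rfc1918": private,
            "matches_control_address": matches,
            # A private address that differs from the control-channel
            # address was not rewritten by the NAT device in the path.
            "likely_unreachable": private and not matches,
        })
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG, "203.0.113.10", "198.51.100.7"):
        print(finding)
```

For the log in the post this reports the passive endpoint 10.0.1.100:4237, i.e. the server's private address and a data port that is neither 20 nor 21.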

  • I am being told that "Back to Mac" isn't working because NAT Port Mapping is turned off on my router. What does that mean and how do I fix it?

    AirPort Utility is in your Utilities folder:

  • Port Mapping and Having Others See My Filemaker Database!

    Hi Group. I am very frustrated and new to this so any help would be appreciated.
    I have Airport Extreme (the one that came out about 2 years ago), and was told by Filemaker Staff to do port mapping on this router, using 16008 to 16018 in the public port mapping which I did. No luck. Nothing is viewable remotely.
    Then turned on Personal Web Sharing. No luck.
    Then an Apple guy suggested in port mapping, instead of putting 16008-16018 as "public ports", I should put this number as private ports and put the recommended Filemaker 590 as the public port in the port mapping section.
    Still no luck. I can see the Filemaker database just fine when I add localhost:590/fmi/iwp, but each time when I had a friend try to use the router IP address 67.161.74.142:590/fmi/iwp, still there is nothing of it that people can see (not found message).
    I have Comcast service as my IP and don't know what else to try? Help!!!
    Thank you all.
    Cheerios
    mac G5 Mac OS X (10.4.9)

    Hi Cheerios,
    I'm having the same difficulty (and the same discussion with the tech people at FM). I've tried to map the ports (16008-16018) on my airport extreme (sounds like a similar model to the one you have), but when I do a port scan the ports are not listed.
    Did you ever figure this out?

  • Programmatically determine port and COM mapping

    Hello all,
    Please let me know the method of programmatically determining the port and COMx mapping using LabWindows CVI. I mean to ask which port refers to which COM or which resource (like ASRL1). I am using an NI PCI 8433 card.
    Thanks in advance.
    Sri Vidya

    Hi,
    using the Search function of this forum (e.g. serial port) will uncover the following thread with a nice code by msaxon:
    http://forums.ni.com/t5/LabWindows-CVI/What-CVI-functions-do-I-need-to-use-in-order-to-check-the/m-p...

  • HT1552 I'm setting up a server with the port 25565 and I'm doing it with Port Map but the problem is I can't seem to get it to work with my router. It goes through my Mac mini to the router and the expansion hard drive

    I'm setting up a server with the port 25565 and I'm doing it with Port Map but the problem is I can't seem to get it to work with my router. It goes through my Mac mini to the router and the expansion hard drive


  • I have airport extreme and just purchased a D-Link DCS-932L home network camera.  D-Link says I need UpNp but the extreme doesn't support this.  Can I use port mapping?  if so anyone know how to set that up?  thanks

    Since the D-Link DCS-932L is accessible on the local network via a web browser, you should be able to access this camera from the Internet if your router has a publicly accessible Public IP address. If your ISP provides you with a dynamic Public IP address, you may want to use a DDNS service to make it easier for you to locate your camera whenever your ISP changes your IP address.
    1. Start the AirPort Utility > Select the 802.11n AirPort Extreme Base Station (AEBSn).
    2. Select Manual Setup.
    3. Verify that Connection Sharing = Share a public IP address is selected on the Internet > Internet Connection tab.
    4. Select Advanced, and then, select the Port Mapping tab.
    5. Click the plus sign to add a new port mapping.
    6. For Service, leave the default; this will change to "Custom" once you start entering port values.
    7. In the Public UDP Port(s) and Public TCP Port(s) boxes, type in a 4-digit port number (e.g., 8888) that you choose. In the Private IP Address box, type the internal IP address of your camera. In the Private UDP Port(s) and Private TCP Port(s) boxes, enter the appropriate port values that should have been provided to you by the camera manufacturer. Click Continue.
    8. In the Description box, type a descriptive name like "Internet Camera Access," and then, click Done.
    9. Click on Update.
    To connect to the shared Camera from a remote location using a Mac or PC:
    1. Start your favorite web browser.
    2. Enter either your Public IP address or DDNS-provided Domain Name, followed by a colon and the Public port number that you chose in step 7 of the previous procedure. For example: http://123.123.123.123:8888 or http://www.mydtdnsdomainname.com:8888

  • Mapping Yamaha DTXplorer in logic pro - Environment window clicks and Ports

    The midi signals for Yamaha DTXplorer are off from GM. The snare (G0) and bass drum (A0) output notes do not trigger snare (D1) and bass drum (C1).
    I am a novice to both MAC and Logic Pro.
    I have the midi out of the drumset going USB right into my MAC.
    I've gotten as far as...
    1. Environment window>clicks and Ports
    2. Verifying the channels that DTX triggers for snare and bass drum.
    3. Changing the output notes to D1 & C1.
    Nothing changes with the sound.
    In fact, I can change the output notes for drums that are set up correctly and they don't change either.
    None of the alterations I do in the Environment window seem to do anything to the midi signals!
    Do I need to activate or save the changes? If so, how (precisely)?
    Thanks in advance.

    You can do that from within the app, under menu Logic Pro X;
    Regards

  • Port Mapping and DHCP...

    Really sorry if this has been asked.. I feel kinda stupid actually but;
    I have port mapping set up... working fine... all incoming traffic to my public IP goes to my iBook on 192.168.1.2
    but now... the iBook's IP is 192.168.1.3 so I had to update the port mapping to suit this IP
    Is there any way I can make the Airport hand out 192.168.1.2 to the iBook every time based on its MAC address? My old router used to be able to do this.

    You should configure the iBook to use a manual IP address outside the range used by the AEBS's DHCP server. The default range used by the AEBS's DHCP server is x.y.z.2 to x.y.z.200. So you would want to configure your iBook to use a manual IP address of 192.168.1.202 (for example).
    Configure the port mapping to map to that address.
