Hi guys,
I have a Meraki MX64 with FW version 16.16 and we have a problem connecting to an external public FTP server through the ftp command of Windows.
The outbound connection from the Meraki LAN to port 21 of the external FTP server connects successfully, but the data connection doesn't work (if I type DIR the connection hangs).
I know that FTP passive mode isn't supported by the ftp.exe Windows client and also that passive mode can be activated on the external FTP server, but I don't have control over the external FTP server.
I read that an outbound connection of this type requires a particular NAT traversal implementation (e.g. ALG).
Does the MX NAT correctly support NAT fixup for active mode connections to allow the return traffic?
Thanks in advance
Davide
There is no "NAT Fixup" on the MX. You need to change to either passive mode or a different protocol. Using plain FTP is a little bit like the 80s. Yes, the music was better, but not the typically used protocols.
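Why DIR hangs in active mode and why passive mode avoids it, as an added example that is not part of the original thread: it decodes the host-port fields of `PORT` and of the `227` reply (RFC 959) and reports who has to open the data connection. The transcript, addresses and function names are constructed for illustration, and the firewall is assumed to do source NAT with no FTP ALG and no port forward.

```python
import ipaddress
import re

# RFC 1918 ranges: addresses a host on the Internet cannot route back to.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_hostport(arg):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and the 227 reply."""
    parts = [int(x) for x in arg.strip().split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"malformed host-port: {arg!r}")
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]

def data_channels(transcript):
    """For each data-channel negotiation, report who opens the connection and
    whether it works through source NAT with no ALG and no port forward."""
    found = []
    for sender, line in transcript:
        if sender == "C" and line.upper().startswith("PORT "):
            # Active mode: the client asks the server to connect back to it.
            mode, initiator, arg = "active", "server", line[5:]
        elif sender == "S" and line.startswith("227"):
            # Passive mode: the server tells the client where to connect.
            m = re.search(r"(\d+(?:,\d+){5})", line)
            if not m:
                raise ValueError(f"malformed 227 reply: {line!r}")
            mode, initiator, arg = "passive", "client", m.group(1)
        else:
            continue
        host, port = parse_hostport(arg)
        private = any(ipaddress.ip_address(host) in net for net in RFC1918)
        found.append({"mode": mode, "initiator": initiator,
                      "endpoint": (host, port), "private_endpoint": private,
                      # Only an outbound dial to a routable address survives.
                      "works_through_plain_nat": initiator == "client" and not private})
    return found

# Constructed control-channel transcript: C = client line, S = server line.
SAMPLE = [
    ("C", "PORT 192,168,128,10,195,80"),
    ("S", "200 PORT command successful"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (203,0,113,20,195,149)"),
]

if __name__ == "__main__":
    for entry in data_channels(SAMPLE):
        print(entry)
```

In the active case the control channel still reports success, because the server accepts the `PORT` command; the failure only shows up when the server tries to dial the private address the client advertised.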
Hi @KarstenI, thanks for your nice response 🤣
I thought that the MX has a particular feature like this, but I agree with you that plain FTP is an "old" protocol, but a lot of systems are still using it.
I tried with firewalls of other vendors and the majority of these give you a choice for using this "old" protocol.
I think that giving the users a choice is better than judging what is "new", "old", "worst" or "better".
Thanks
I assume it was a pure business decision not to implement fixups like how they are available for example on the ASA. And yes, I also have customers still using FTP. But many of them moved to other protocols when migrating the firewalls to Meraki MX. Most of them now use file shares based on HTTPS (like https://www.directorylister.com), some moved to Cerberus (https://www.cerberusftp.com). But these were always servers hosted by the customers. When being a client, they just used client apps that supported passive mode.
FileZilla is free, has a command line, and supports passive FTP ...
Just because systems still have it doesn't mean you should use it. Windows still supports SMB v1, which is incredibly insecure, but I wouldn't use it.
Thanks to all for the responses. Unfortunately this FTP server is not ours. But I have suggested to our partner to move to another file transfer solution (like SFTP). Thanks to @KarstenI for your suggestion, Directory Lister is a great project for this approach.