FTP active outbound connection from MX64 LAN clients

Solved
davymartu
Conversationalist

Hi guys,

I have a Meraki MX64, FW version 16.16, and we have a problem connecting to an external public FTP server through the Windows ftp command.

The outbound connection from the Meraki LAN to port 21 of the external FTP server connects successfully, but the data connection doesn't work (if I type DIR the connection hangs).
I know that FTP passive mode isn't supported by the Windows ftp.exe client, and also that passive mode can be activated on the external FTP server, but I don't have control over the external FTP server.

I read that an outbound connection of this type requires a particular NAT traversal implementation (e.g. ALG).
Does the MX NAT correctly support NAT fix-up for active mode connections to allow the return traffic?

Thanks in advance

Davide

1 Accepted Solution
KarstenI
Kind of a big deal

There is no "NAT Fixup" on the MX. You need to change to either passive mode or a different protocol. Using plain FTP is a little bit like the 80s. Yes, the music was better, but not the typically used protocols.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
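
Why DIR hangs in this setup, as an added example that is not part of the original thread: in active mode the client sends its own address in a PORT (or EPRT) command on the control channel, and a NAT device with no FTP fixup forwards that address unchanged. The Python sketch below decodes those commands from client-side control lines and flags RFC 1918 addresses that the external server cannot connect back to; the sample lines and the LAN address 192.168.128.25 are constructed assumptions.

```python
import ipaddress
import re

# Active-mode commands the client sends on the control channel (port 21).
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$", re.I)
EPRT_RE = re.compile(r"^EPRT\s+(.)([12])\1(.+?)\1(\d{1,5})\1$", re.I)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_data_endpoint(line):
    """Return (ip, port) the client asks the server to connect back to, or None."""
    line = line.strip()
    m = PORT_RE.match(line)
    if m:
        nums = [int(x) for x in m.groups()]
        if max(nums) > 255:
            return None
        # PORT h1,h2,h3,h4,p1,p2 -> address h1.h2.h3.h4, port p1*256 + p2
        return ipaddress.ip_address(".".join(map(str, nums[:4]))), nums[4] * 256 + nums[5]
    m = EPRT_RE.match(line)
    if m:
        try:
            ip = ipaddress.ip_address(m.group(3))
        except ValueError:
            return None
        port = int(m.group(4))
        return (ip, port) if port <= 65535 else None
    return None

def diagnose(client_lines):
    """Flag active-mode commands that advertise an address the server cannot reach."""
    findings = []
    for line in client_lines:
        endpoint = parse_data_endpoint(line)
        if endpoint is None:
            continue
        ip, port = endpoint
        private = ip.version == 4 and any(ip in net for net in RFC1918)
        findings.append({"command": line.split()[0].upper(), "ip": str(ip),
                         "port": port, "unreachable_from_server": private})
    return findings

# Constructed sample: what a LAN client (assumed address 192.168.128.25) sends
# before DIR/LIST. With no fixup on the NAT device these lines leave unchanged.
SAMPLE_CLIENT_LINES = [
    "USER anonymous",
    "PORT 192,168,128,25,195,80",
    "LIST",
    "EPRT |1|192.168.128.25|50001|",
]

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_CLIENT_LINES):
        print(finding)
```

Feeding it the client-to-server lines from a capture of the control connection shows whether the hang comes from a private address in PORT/EPRT rather than from a firewall rule.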

6 Replies
davymartu
Conversationalist

Hi @KarstenI, thanks for your nice response 🤣
I thought that the MX has a particular feature like this, but I agree with you that plain FTP is an "old" protocol, but a lot of systems are still using it.
I tried with firewalls of other vendors and the majority of these give you a choice for using this "old" protocol.
I think that giving the users a choice is better than judging what is "new", "old", "worse" or "better".
Thanks

KarstenI
Kind of a big deal

I assume it was a pure business decision not to implement fixups like how they are available for example on the ASA. And yes, I also have customers still using FTP. But many of them moved to other protocols when migrating the firewalls to Meraki MX. Most of them now use file shares based on HTTPS (like https://www.directorylister.com), some moved to Cerberus (https://www.cerberusftp.com). But these were always servers hosted by the customers. When being a client, they just used client apps that supported passive mode.

PhilipDAth
Kind of a big deal

FileZilla is free, has a command line, and supports passive FTP ...

BlakeRichardson
Kind of a big deal

Just because systems still have it doesn't mean you should use it. Windows still supports SMB v1, which is incredibly insecure, but I wouldn't use it.

davymartu
Conversationalist

Thanks to all for the responses. Unfortunately this FTP server is not ours. But I have suggested to our partner to move to another file transfer solution (like SFTP). Thanks to @KarstenI for your suggestion, Directory Lister is a great project for this approach.
