If you intend to run an internet-facing FTP server you have two options: active or passive mode. The easiest option for the FTP server administrator is active mode. In active mode the client makes a connection to the server on port 21. The server then makes an outbound connection from port 20 to a random port (>1023) on the client for the data transfer. So for the FTP server administrator the only port redirection required is port 21, and the firewall access required is port 21 inbound and port 20 outbound. While this is great for the FTP server admin, your clients will most likely fail to achieve any data transfer. This is because most clients will have some form of firewall in place which will prevent the server from making the connection to the random port.
So the best mode to run the server in is passive mode. Passive mode works by the client once again making a connection to port 21 on the server. Then for data transfers the client makes a data connection to the FTP server on a random port (>1023). This mode is great for the client because they don't have to worry about inbound connections and firewall restrictions. BUT this mode does create a problem for the FTP server admin, because we now need to punch a big hole in our firewall for random inbound connections to the FTP server.
To minimise the impact, as administrator you can specify and limit the number and range of ports used by the IIS FTP service. The following command assigns ports 5500 to 5520 for passive FTP use:
cscript adsutil.vbs set /MSFTPSVC/PassivePortRange "5500-5520"
The number of ports you open will depend on how busy your FTP server is and how many simultaneous connections you wish to allow.
The next step is to open those ports on the Cisco router and redirect them via NAT to your FTP server. As you may be aware, the command to redirect an inbound port to an internal IP address on a Cisco router is the "ip nat inside source static" command. Using this method you must enter an ip nat inside ... command for every port you want to forward. In the example above of 20 ports that's not so bad, but imagine doing that for 1000 ports.
A simpler and much better solution is to use an ip nat pool. Let's say our internal FTP server has an IP address of 192.168.1.10 and our external IP address is 203.1.2.3. The first step is to issue the following command:
ip nat pool ftp 192.168.1.10 192.168.1.10 netmask 255.255.255.0 type rotary
That sets up a NAT pool called ftp with just our server in it. Next we need to create an access list which permits inbound connections on the port range required:
access-list 100 permit tcp any host 203.1.2.3 range 5500 5520
The final step is to forward the access list hits to our ftp pool with this command:
ip nat inside destination list 100 pool ftp
Using this method we can forward any range of ports on a Cisco router to a single server with just three commands.
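The three router commands, the IIS passive range and the addresses all have to agree, and a typo in any one of them shows up only as clients hanging on directory listings. The following Python script is an added example (not part of the original post and not an IIS or Cisco tool): it parses the rotary pool, access list and "ip nat inside destination" lines and checks them against the passive range and addresses used above, and it also decodes a 227 "Entering Passive Mode" reply from the server to confirm that the address and port it advertises are ones the router actually forwards. The configuration text and the PASV replies are constructed samples; the regular expressions cover only the command forms shown in the article.

```python
"""Consistency checks for an IIS passive-FTP port range behind Cisco NAT.

Added example, not from the original article. It verifies that the router
commands agree with the IIS PassivePortRange, and that a PASV reply from the
server advertises an endpoint the router configuration forwards.
"""
import re
from typing import List, Tuple

# Values from the article: IIS PassivePortRange, internal and external addresses.
PASSIVE_RANGE = (5500, 5520)
INTERNAL_IP = "192.168.1.10"
EXTERNAL_IP = "203.1.2.3"

# Constructed sample of the router configuration built up in the article.
ROUTER_CONFIG = """\
ip nat pool ftp 192.168.1.10 192.168.1.10 netmask 255.255.255.0 type rotary
access-list 100 permit tcp any host 203.1.2.3 range 5500 5520
ip nat inside destination list 100 pool ftp
"""

# Only the command forms used in the article are recognised (assumption).
POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask \S+ type rotary$", re.M)
ACL_RE = re.compile(r"^access-list (\d+) permit tcp any host (\S+) range (\d+) (\d+)$", re.M)
DEST_RE = re.compile(r"^ip nat inside destination list (\d+) pool (\S+)$", re.M)
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def check_router_config(config: str, passive_range=PASSIVE_RANGE,
                        internal_ip=INTERNAL_IP, external_ip=EXTERNAL_IP) -> List[str]:
    """Return the mismatches between the NAT config and the FTP settings (empty = consistent)."""
    problems: List[str] = []
    pool, acl, dest = POOL_RE.search(config), ACL_RE.search(config), DEST_RE.search(config)
    if not (pool and acl and dest):
        return ["missing pool, access-list or 'ip nat inside destination' line"]
    pool_name, pool_start, pool_end = pool.groups()
    acl_num, acl_host, acl_lo, acl_hi = acl.groups()
    dest_list, dest_pool = dest.groups()
    # The rotary pool must contain exactly the one internal server.
    if pool_start != internal_ip or pool_end != internal_ip:
        problems.append(f"rotary pool {pool_name} does not contain only {internal_ip}")
    # The ACL must match the external address and exactly the IIS passive range.
    if acl_host != external_ip:
        problems.append(f"access-list {acl_num} matches {acl_host}, not external address {external_ip}")
    if (int(acl_lo), int(acl_hi)) != tuple(passive_range):
        problems.append(f"access-list {acl_num} range {acl_lo}-{acl_hi} differs from "
                        f"IIS passive range {passive_range[0]}-{passive_range[1]}")
    # The destination rule must tie the same ACL number to the same pool name.
    if dest_list != acl_num:
        problems.append(f"'ip nat inside destination' uses list {dest_list}, access-list is {acl_num}")
    if dest_pool != pool_name:
        problems.append(f"'ip nat inside destination' uses pool {dest_pool}, pool is {pool_name}")
    return problems


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Decode a 227 reply: (h1,h2,h3,h4,p1,p2) -> (host, p1*256 + p2)."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = m.groups()
    return ".".join((h1, h2, h3, h4)), int(p1) * 256 + int(p2)


def check_pasv(reply: str, external_ip=EXTERNAL_IP, passive_range=PASSIVE_RANGE) -> List[str]:
    """Check that the advertised data endpoint is one the router will forward to the server."""
    host, port = parse_pasv(reply)
    problems: List[str] = []
    if host != external_ip:
        problems.append(f"server advertised {host}; clients outside the NAT need {external_ip}")
    if not passive_range[0] <= port <= passive_range[1]:
        problems.append(f"port {port} is outside the forwarded range "
                        f"{passive_range[0]}-{passive_range[1]}")
    return problems


if __name__ == "__main__":
    print("router config:", check_router_config(ROUTER_CONFIG) or "consistent")
    # Constructed PASV replies: one correct, one advertising the private address on an unforwarded port.
    for reply in ("227 Entering Passive Mode (203,1,2,3,21,124).",
                  "227 Entering Passive Mode (192,168,1,10,21,224)."):
        print(reply, "->", check_pasv(reply) or "ok")
```

Paste the running configuration's three lines into ROUTER_CONFIG and the 227 reply captured from a client session into check_pasv; an empty list from both means the passive range, the ACL and the advertised endpoint line up, and any entry names the command that needs correcting.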