FTP server cannot be accessed after NAT is configured on an AR

Whether intranet users access an FTP server on the public network, or a NAT server maps the private IP address of an intranet FTP server to a public IP address, the NAT ALG function for FTP must be enabled.
For example, enable the NAT ALG function for FTP as follows:
<Huawei> system-view
[Huawei] nat alg ftp enable
Reason:
NAT and NAPT translate only the IP addresses in the IP packet header and the port numbers in the TCP/UDP header. Some protocols, FTP among them, also carry IP addresses or port numbers in the Data field of their packets, and NAT does not translate those. The application level gateway (ALG) function solves the NAT problem for these protocols.
As a dedicated translation agent for application protocols, the ALG interacts with the NAT-enabled device to establish states. It uses the NAT state information to rewrite the address and port information in the Data field of the IP datagram and to complete the other work needed (such as creating the state for the data connection), so that the application protocol can run across private and public networks.
For example, when an FTP server with a private IP address sets up a session with a host on the public network, the server may need to send its IP address to the host. NAT cannot translate this IP address because it is carried in the Data field. The host on the external network then tries to use the private address carried in the Data field and finds that the FTP server is unreachable.
After the NAT ALG function is enabled for an application protocol, packets of that protocol can traverse the NAT device. Without it, the protocol cannot work normally across NAT.

If the FTP server on the intranet is reachable and port mapping is configured, enabling NAT ALG for FTP is not sufficient on its own: the FTP service works only after the mapping between that port and the FTP protocol is also configured.

After NAT ALG is enabled for FTP, FTP packets can traverse the NAT device. However, because port mapping is configured, the server's FTP traffic uses a non-standard port (port 27 here), and the device does not know that packets sent from port 27 are FTP packets. It therefore does not hand these packets to the ALG, and the FTP service is affected.

To solve this problem, configure the mapping between port 27 and FTP:
[Huawei] acl 2005
[Huawei-acl-basic-2005] rule permit
[Huawei-acl-basic-2005] quit
[Huawei] port-mapping ftp port 27 acl 2005
Note that a basic ACL whose rule is simply "rule permit" matches every source address, so the device treats all traffic on port 27 as FTP; if only one server listens on that port, limiting the ACL rule to that server's address keeps the ALG from inspecting unrelated traffic.
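The following Python model, added here as an illustration and not code from the Huawei device, shows the two behaviours described above: what the FTP ALG does to the address and port information in the Data field (the reason section), and why a control connection on a port the device does not recognise as FTP is never handed to the ALG (the port-mapping section). The control-port table, the private and public addresses and the sample FTP messages are constructed for the example; the ALG itself is simplified and does not perform the TCP sequence-number adjustment a real implementation needs when the rewritten text changes length.

```python
import re

# Constructed table of TCP server ports the NAT device treats as FTP control
# channels. 21 is the default FTP port; 27 mirrors the page's
# "port-mapping ftp port 27" example. A control connection on any other port
# is never handed to the ALG, which is the failure the page describes.
FTP_CONTROL_PORTS = {21, 27}

# RFC 959 host-port form: six comma-separated decimals a1,a2,a3,a4,p1,p2.
_HOSTPORT = r"(\d{1,3},\d{1,3},\d{1,3},\d{1,3},\d{1,3},\d{1,3})"
PASV_RE = re.compile(r"^227 [^\r\n]*?\(" + _HOSTPORT + r"\)", re.M)  # server reply
PORT_RE = re.compile(r"^PORT " + _HOSTPORT, re.M)                      # client command


def decode_hostport(text):
    """'10,0,0,5,4,1' -> ('10.0.0.5', 1025)"""
    a1, a2, a3, a4, p1, p2 = (int(x) for x in text.split(","))
    return f"{a1}.{a2}.{a3}.{a4}", p1 * 256 + p2


def encode_hostport(ip, port):
    """('203.0.113.10', 1025) -> '203,0,113,10,4,1'"""
    return ip.replace(".", ",") + f",{port // 256},{port % 256}"


def alg_rewrite(payload, control_port, private_ip, public_ip):
    """Model the FTP ALG step on one control-channel segment.

    Returns (new_payload, pinhole). pinhole is the (public_ip, port) data
    channel the NAT device must pre-create so that the peer's data connection
    is translated back to the private host, or None if nothing was rewritten.
    """
    if control_port not in FTP_CONTROL_PORTS:
        # Not recognised as FTP: plain NAT/NAPT touches only the IP and TCP
        # headers, so the private address inside the Data field passes
        # through untranslated and the peer cannot reach it.
        return payload, None

    pinhole = []

    def fix(m):
        ip, port = decode_hostport(m.group(1))
        if ip != private_ip:
            return m.group(0)  # some other host; leave the text alone
        pinhole.append((public_ip, port))
        return m.group(0).replace(m.group(1), encode_hostport(public_ip, port))

    new_payload = PORT_RE.sub(fix, PASV_RE.sub(fix, payload))
    # A real ALG also adjusts TCP sequence/ack numbers when the rewritten text
    # has a different length; that bookkeeping is omitted from this model.
    return new_payload, (pinhole[0] if pinhole else None)


if __name__ == "__main__":
    # Constructed sample: private FTP server 10.0.0.5 mapped to public
    # 203.0.113.10, answering a PASV request on the non-standard port 27.
    reply = "227 Entering Passive Mode (10,0,0,5,4,1)\r\n"
    print(alg_rewrite(reply, 27, "10.0.0.5", "203.0.113.10"))    # rewritten
    print(alg_rewrite(reply, 2121, "10.0.0.5", "203.0.113.10"))  # port unknown: untouched
```

Run the block directly to see both outcomes: with port 27 listed, the 227 reply leaves the NAT device carrying the public address and the device knows which data-channel port to expect; with an unlisted port, the reply passes through unchanged and the public-side client would try to connect to 10.0.0.5.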
