FTP server cannot be accessed after NAT is configured on an AR


Whether intranet users access an FTP server on the public network, or the private IP address of an FTP server is mapped to a public IP address by a NAT server, the NAT ALG function for FTP must be enabled.
For example, enable the NAT ALG function for FTP as follows:
<Huawei> system-view  
[Huawei] nat alg ftp enable
NAT and NAPT can translate only the IP addresses in the IP packet header and the port numbers in the TCP/UDP header. Some special protocols, such as FTP, also carry IP addresses or port numbers in the Data field of their protocol packets, and NAT cannot translate those. A good way to solve the NAT issue for these special protocols is to use the application level gateway (ALG) function.
As a special translation agent for application protocols, the ALG interacts with the NAT-enabled device to establish states. It uses the NAT state information to change the specific data in the Data field of the IP datagram and complete other necessary work, so that application protocols can run across private and public networks.
For example, when an FTP server with a private IP address sets up a session with a host on the public network, the server may need to send its IP address to the host. NAT cannot translate this IP address because the IP address is carried in the Data field. The host on the external network then uses the private address carried in the IP packet and finds that the FTP server is unreachable.
After the NAT ALG function is enabled for an application protocol, packets of the application protocol can traverse the NAT device. Otherwise, the application protocol cannot work normally.
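As an added illustration of the Data-field rewrite the ALG performs (example code, not part of this page or the AR software), the following Python translates the address and port that FTP embeds in PORT commands and "227" PASV replies, using a constructed NAT table:

```python
import re
from typing import Dict, Optional, Tuple

# FTP encodes an address and port in the data field as h1,h2,h3,h4,p1,p2
# where port = p1*256 + p2 (RFC 959). Both the client's PORT command and
# the server's "227 Entering Passive Mode (...)" reply use this form.
ADDR_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_hostport(text: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from the first h1,h2,h3,h4,p1,p2 token, or None."""
    m = ADDR_RE.search(text)
    if not m:
        return None
    h = [int(x) for x in m.groups()]
    if any(v > 255 for v in h):
        return None
    return ".".join(map(str, h[:4])), h[4] * 256 + h[5]

def encode_hostport(ip: str, port: int) -> str:
    """Encode (ip, port) in the h1,h2,h3,h4,p1,p2 form."""
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)

def alg_rewrite(line: str, mapping: Dict[Tuple[str, int], Tuple[str, int]]) -> str:
    """
    Rewrite one FTP control line the way the ALG would: a private (ip, port)
    found in the data field that the NAT table maps is replaced by its public
    (ip, port). Lines with no matching mapping pass through unchanged.
    Only the payload is rewritten here; a real ALG must also adjust TCP
    sequence numbers when the rewritten line changes length.
    """
    found = decode_hostport(line)
    if found is None or found not in mapping:
        return line
    pub_ip, pub_port = mapping[found]
    return ADDR_RE.sub(encode_hostport(pub_ip, pub_port), line, count=1)

# Constructed NAT table: private (ip, port) -> public (ip, port)
NAT_TABLE = {("192.168.1.10", 20000): ("203.0.113.5", 40000)}

# Constructed server PASV reply carrying its private address in the data field
PASV_REPLY = "227 Entering Passive Mode (192,168,1,10,78,32)\r\n"

if __name__ == "__main__":
    print(alg_rewrite(PASV_REPLY, NAT_TABLE))
```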

If the FTP server on the intranet is reachable and port mapping is configured, enabling NAT ALG for FTP alone is not enough: the FTP service works only after the mapping between the port and FTP is also configured.

After NAT ALG is enabled for FTP, FTP packets can traverse the NAT device. However, because the FTP server uses a non-standard port (27 in this example), the device does not recognize packets sent from port 27 as FTP packets. It therefore does not hand them to the ALG, and the FTP service is affected.

To solve this problem, configure the mapping between port 27 and FTP:
[Huawei] acl 2005
[Huawei-acl-basic-2005] rule permit
[Huawei] port-mapping ftp port 27 acl 2005

Other related questions:
A private network user and a server are in the same VLAN. After NAT server is configured on the VLANIF interface, why can the user not access the server using the public address?
The private network user and the server are connected to the same VLANIF interface and the same subcard. After the nat server command is executed in the VLANIF interface view to map the server's IP address to a public network address, the response packet sent by the server to the user is not sent to the CPU, so its address cannot be translated. As a result, the user cannot connect to the server. To solve this problem, run the nat outbound command on the VLANIF interface so that the server's response packet is sent to the router and its address is translated. The router then forwards the packet to the user, and the user can connect to the server.
