HP3000-L Archives

October 2005, Week 4

HP3000-L@RAVEN.UTC.EDU

From: Jeff Kell <[log in to unmask]>
Date: Wed, 26 Oct 2005 14:59:50 -0400
Wirt Atmar wrote:
> Jeff writes:
> 
>>Passive won't work either if the server is behind NAT as well.
> 
> But a NAT/PAT (port address translation) combination will. Here's how we do 
> it using our simple Cisco 678 router

Bzzzttt.  Cisco NAT is application-aware of FTP.

> Network Address Translation is predominantly application-independent,
> with the exception of FTP. However, the Cisco implementation of NAT
> fully supports full-rate FTP. Applications that include IP addresses
> within the packet payload will fail without special NAT-wise
> consideration.

--- http://tinyurl.com/cqf2q (Cisco Broadband Operating System User Guide)

Without application-aware NAT, it won't work.  Let me try some ASCII art:

           CLIENT                                 SERVER
local 192.168.1.5 "DIR" (ls -l)   ->    local 172.16.1.5

Active FTP (client wants listing sent to port 1030):
   "PORT 192,168,1,5,4,6"         ->    local 172.16.1.5
   listens on 1030                <-    connects to 192.168.1.5:1030
   receives listing               <->   sends listing

Passive FTP (client asks server where to pick up listing)
   waits on response              <-    "PORT 172,16,1,5,4,6"
                                  <-    listens on 1030
   connects to 1030               <->   sends listing

Now confuse this with (non-application-aware) NAT on either side of the equation (or both):

local 192.168.1.5 = 192.0.2.5     ->    public 192.1.2.5 = 172.16.1.5

The actual exchange is taking place between 192.0.2.5 and 192.1.2.5 at layer 3, but *nothing* changes in the "PORT" information.

If ONLY the client is behind NAT, passive mode will work (PORT info goes from server back to client, and the proper public IP is in the PORT command); but active mode will not (PORT goes from client to server, and PORT command will have the private IP).

The converse is true if ONLY the server is behind NAT, and obviously, nothing will work if both are behind NAT.

Application-aware NAT will actually rewrite the PORT commands to reflect the address changes at the application level as well as the network level.  Since this is a great deal more complicated than simple network NAT (requires packet payload inspection), it is often missing or disabled.

Jeff
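As an added example (not part of Jeff's message, and not the Cisco implementation): a small Python model of what an FTP-aware NAT does to a PORT command, plus a check of which mode survives plain layer-3 NAT. The addresses are the ones from the diagram above (192.168.1.5 private, 192.0.2.5 public); the function names are my own.

```python
import re

# Constructed example. "PORT h1,h2,h3,h4,p1,p2" carries the IP address and the
# port (p1*256 + p2) in the payload, which is what plain NAT never touches.
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def parse_port(line: str) -> tuple[str, int]:
    """Decode a PORT command into (dotted IP, port)."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range")
    ip = ".".join(str(o) for o in octets[:4])
    return ip, octets[4] * 256 + octets[5]


def format_port(ip: str, port: int) -> str:
    """Encode (ip, port) back into PORT syntax: 1030 -> 4,6."""
    h = ip.split(".")
    return f"PORT {h[0]},{h[1]},{h[2]},{h[3]},{port // 256},{port % 256}"


def nat_rewrite_port(line: str, private_ip: str, public_ip: str) -> str:
    """What an application-aware NAT does: rewrite the private address inside
    the payload so the peer can reach the translated address. A layer-3-only
    NAT returns the line unchanged, which is why the data connection fails."""
    ip, port = parse_port(line)
    if ip != private_ip:
        return line          # not ours to translate; leave untouched
    return format_port(public_ip, port)


def data_connection_works(mode: str, client_nat: bool, server_nat: bool,
                          ftp_aware: bool = False) -> bool:
    """Rule from the message: the side announcing its own address in the
    PORT exchange must not sit behind a NAT that is unaware of FTP."""
    if ftp_aware:
        return True          # the NAT rewrites the announced address itself
    if mode == "active":     # client announces where it listens
        return not client_nat
    if mode == "passive":    # server announces where it listens
        return not server_nat
    raise ValueError(f"unknown mode {mode!r}")
```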

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
