Inspect outgoing Active FTP packets


#1

Hi, I wonder if VyOS can inspect outgoing active FTP packets?
The exact scenario is that we have an application running on Amazon AWS that creates an outgoing ACTIVE FTP connection to an FTP server. This does not work.
On AWS it is not possible to set a public IP address directly on a network interface, which could have solved it. Our on-premises Cisco ASA5500 solves this by inspecting the FTP packets.
A virtual ASA is too expensive for our scenario.

Could VyOS solve this?


#2

Hi,
you need to forward the port range used for data to your FTP client machine,
that is, if I understood the problem correctly.


#3

Yes, I wish :)

When the software tries to create an active FTP connection, it sends the FTP packets out to the world with the IP address of the network interface of the Windows server as the source of the packets. For example 192.168.1.10. The FTP server then tries to reply to this address, which of course does not work.

Our old Cisco ASA solves this by doing FTP packet inspection, and changes the reply address to the IP address of the WAN interface of the ASA.

Of course this is poorly designed software, but that I cannot fix.
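What the ASA's FTP inspection actually does to the control channel, as an added illustration (not code from any poster, from VyOS or from Cisco): in active mode the client's PORT command embeds its own address and data port, so a NAT device must rewrite that embedded private address to the public one and learn which inbound data port it has to forward back to the client. The inside address 192.168.1.10 is the one from the post; the public address 203.0.113.5 and the NAT mapping are constructed sample values.

```python
import re

# Active FTP: the client sends "PORT h1,h2,h3,h4,p1,p2" and the server then
# connects back to h1.h2.h3.h4 on TCP port p1*256+p2. If h1..h4 is a private
# address, the server cannot reach it, which is the failure described above.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port(line: str):
    """Return (ip, port) from a PORT command line, or None if it is not one."""
    m = PORT_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    nums = [int(x) for x in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]


def format_port(ip: str, port: int) -> str:
    """Build a PORT command line for ip:port (the inverse of parse_port)."""
    fields = ip.split(".") + [str(port // 256), str(port % 256)]
    return "PORT " + ",".join(fields) + "\r\n"


def rewrite_port(line: str, nat_map: dict):
    """Emulate the FTP ALG step on one control-channel line.

    nat_map maps an inside (translated) address to the public address that
    replaced it in the IP header. If the PORT command embeds a mapped inside
    address, the payload is rewritten to match, and the data port is returned
    so the NAT device knows which inbound connection to forward to the client.
    Returns (possibly rewritten line, data port to forward or None).
    """
    parsed = parse_port(line)
    if parsed is None:
        return line, None
    ip, port = parsed
    if ip not in nat_map:
        return line, None
    # A real ALG that changes the payload length must also fix up the TCP
    # sequence/acknowledgement numbers on the control connection, because a
    # public address with a different digit count changes the line length.
    return format_port(nat_map[ip], port), port


if __name__ == "__main__":
    # Constructed sample: inside host 192.168.1.10 is NATed to 203.0.113.5.
    print(rewrite_port("PORT 192,168,1,10,4,1\r\n", {"192.168.1.10": "203.0.113.5"}))
```

Without the rewrite the server sees 192.168.1.10 in the PORT payload even though the IP header carries the public address, which is exactly the mismatch the ASA's inspection papers over; plain NAT on VyOS still needs the returned data port forwarded inbound to the client.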


#4

Basically,
it should not be a problem; I think you need to NAT FTP traffic on VyOS (and the second NAT will be done by AWS itself).
Can you do a drawing of the current traffic flow? It is hard to suggest blindly.