Juniper ACX1000 Configuration Manual page 1072

Junos OS; ACX Series Universal Access Router
ACX Series Universal Access Router Configuration Guide
There is an additional complication: FTP represents these addresses and port numbers
in ASCII. As a result, when addresses and ports are rewritten, the TCP sequence number
might be changed, and thereafter the NAT service needs to maintain this delta in SEQ
and ACK numbers by performing sequence NAT on all subsequent packets.
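The sequence NAT described above, worked through in Python as an added example (not code from the Juniper guide): rewriting the ASCII address/port tuple changes the payload length, and that delta must then be applied to later SEQ and ACK values. The names rewrite_hostport and SeqNat are hypothetical, the client address and sequence numbers are constructed, the NAT address and port are picked from the pool range in this page's sample configuration, and each ACK is assumed to cover every byte translated so far.

```python
import re

# h1,h2,h3,h4,p1,p2 tuple carried in PORT commands and 227 (passive) replies
HOSTPORT = re.compile(rb"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def rewrite_hostport(payload, nat_ip, nat_port):
    """Return (new_payload, original (ip, port) or None, length delta in bytes)."""
    m = HOSTPORT.search(payload)
    if m is None or not payload.upper().startswith((b"PORT ", b"227 ")):
        return payload, None, 0          # not an address-bearing control line
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return payload, None, 0          # malformed tuple: leave untouched
    orig = (".".join(map(str, fields[:4])), fields[4] * 256 + fields[5])
    new_tuple = "{},{},{}".format(nat_ip.replace(".", ","), nat_port >> 8, nat_port & 0xFF)
    new_payload = payload[:m.start()] + new_tuple.encode("ascii") + payload[m.end():]
    return new_payload, orig, len(new_payload) - len(payload)


class SeqNat:
    """Cumulative byte delta for one direction of the FTP control connection."""
    # Simplification (assumption): the delta is applied to every later segment
    # and ACK; retransmissions of already-rewritten data are not modelled.

    def __init__(self):
        self.delta = 0

    def outbound(self, seq, payload, nat_ip, nat_port):
        """Shift SEQ by the delta accumulated so far, then rewrite the payload."""
        new_seq = (seq + self.delta) % 2**32
        new_payload, _, d = rewrite_hostport(payload, nat_ip, nat_port)
        self.delta += d
        return new_seq, new_payload

    def inbound_ack(self, ack):
        """Map the peer's ACK back into the inside host's sequence space."""
        return (ack - self.delta) % 2**32


if __name__ == "__main__":
    # Constructed exchange: inside client 192.168.1.10 announces data port 5001.
    nat = SeqNat()
    print(nat.outbound(1000, b"PORT 192,168,1,10,19,137\r\n", "30.30.30.5", 9000))
    print("delta after rewrite:", nat.delta)            # payload shrank by 3 bytes
    print(nat.outbound(1026, b"LIST\r\n", "30.30.30.5", 9000))
    print("ACK seen by client:", nat.inbound_ack(1029))
```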
Support for stateful firewall and NAT services requires that you configure the FTP ALG
on TCP port 21 to enable the FTP control protocol. The ALG performs the following tasks:
• Automatically allocates data ports and firewall permissions for dynamic data
  connection
• Creates flows for the dynamically negotiated data connection
• Monitors the control connection in both active and passive modes
• Rewrites the control packets with the appropriate NAT address and port information
On ACX500, for passive FTP to work properly without FTP application layer gateway
(ALG) enabled (by not specifying the application junos-ftp statement at the
[edit services nat rule rule-name term term-name from] hierarchy level), you must
enable the address pooling paired (APP) functionality (by including the
address-pooling statement at the
[edit services nat rule rule-name term term-name then translated] hierarchy level).
Such a configuration causes the data and control FTP sessions to receive the same NAT
address.
The following is an example for configuring FTP ALG:
1. Creating NAT interface.
[edit]
services {
    service-set set-ftp {
        nat-rules nat-ftp;
        interface-service {
            service-interface ms-0/2/0;
        }
    }
}
2. Configuring NAT pool.
[edit]
services {
    nat {
        pool p-napt {
            address 30.30.30.0/24;
            port {
                range low 9000 high 9010;
            }
        }
    }
}
3. Defining NAT rules for FTP ALG.
[edit]
services {
Copyright © 2017, Juniper Networks, Inc.
