Setting up FTP access on netscreen 5xp (passive mode)?

  • I’m using VIP and pointing a custom ftp service to, this box is where ftp serv-u resides. The port for accessing ftp is 5000 and I have configured ftp serv-u to use ports 4990-4995 for pasv connections. The problem I’m having is getting the pasv connectoins to work. My custom service for ftp on the netscreen 5xp is configured as follows:

    source: low 0, high 65535
    destination low 5000, high 5000

    I then use VIP, choosing virtual port 5000 and mapping to 5000
    (ftp custom service)

    where would i enter the port ranges for pasv connections 4990-4995
    I see under custom ftp service input screen there 8 line items where you can input port ranges. Any help would be appreciated, thank you.

  • Hi,

    I have a similar FTP issue. Scenario is i have three FTP servers for different purposes in different private subnets, all can reach FW. I have limited number of Public IP pool so wanted all three to be PAT through Netscreen VIP. I have already tested MIP individually for every FTP server & it works fine. but when i define a custom virtual port & internal service to be FTP(21). it gives me an error on my ftp client Unknown host Similarly i have 3000 & 4000 ports forwarding the same for FTP servers respective. Would appreciate guidance in the matter.


  • I know this is old - but I have a related question. I want to use the standard port for FTP - 21. But I need to be able to configure the PASV ports too. I am able to connect fine to my FTP server, on port 21, PASV works fine. However, when I use AUTH TLS, the PASV is not able to make a connection. Is my problem related to this? I am not able to configure the standard service of FTP, with extra lines of ports for PASV (1-8)

  • baseball

    Thank you so much for this information. I have been having the same problem. I had no problem setting up the PASV ftp if that was th only thing I needed forwarded but I also had VIP’s I neede too and you can’t run a VIP and MIP on the same interface. This worked perfectly and now I can set up other VIP’s too.

    Thank you so much

  • As you may no or not know, in order to connect to an ftp server wich sits
    behind a nat router from a client which also sits behind a nat router, you
    must use passive mode. e.g.,

    To receive incoming connection on 4000 for your ftp server, you would create
    a custom tcp service 4000-4000 on line 1, now in line 2, you would specify
    your passive port ranges (also known as data sockets). In this example I
    specifed 4025-4050. This means that 25 people can connect on 25 data sockets
    from port 4025 through 4050. Note the port ranges I specified here go under
    destination (low to high), keep the souce ranges the default 0 to 65535 for
    both ranges
    Now here is the kicker, you must and I repeat you must telnet into the
    netscreen router, in my case 5xp and issue the following:

    set vip multi-port [Enter]
    save [Enter]
    reset [Enter]

    without this command, the netscreen rotuer will only process the first line
    of your custom service and you will not be able to create a data connection
    with your ftp server, in other words you won’t be able to list the
    directory, get data, etc.

    I can’t tell you how many hours I spent trying to figure this out.

    p.s. very cool, now when you go to vip interface you’ll set two directional
    arrows under service ports, move your mouse over the service port and you’ll
    see a list of all the port ranges.

    yeah baby

  • I believe the only way to get passive FTP to work is use their default 21 ftp port.

    The problem is, NetScreen has an Application Layer Gateway (ALG) specially-written for FTP on the standard port. It looks for “PORT” commands and NAT’s them both at the IP layer (Layer 3) and in the Application layer (Layer 7).

    If you use a non-stanrdard FTP port, the ALG doesn’t work.

    You will need to configure your FTP server using port 21 Then configure your netscren services books entry with the port that you want the internet to user to use. Then create a VIP connection and put the 5000 in the vitural port and map it to the per-defined port 21. 😃 Hope this help.

  • I don’t understand with AGL means, could you provide a step by step example of how to incorporate pasv port ranges in my custom ftp service for port 5000. My understanding is your suppose to setup two ports for the listening:


    Ftp 4999-5000
    pasv ports 4990-4995

  • Engineer

    if you would like to make this with rule but less security, you should have the pasv port in your redirected ftp service.

    For now the ftp ALG is not able to deal with non standart ftp ports. So you should considere using standart ports to be able to use the specific FTP ALG for more secure configuration.
    However if you can’t, add the dest port 4990-4995 in your custom ftp service