Configuring NAT and Firewall for FTP - NSX-T

FTP (File Transfer Protocol) should be avoided because it is deemed insecure. Please use SFTP (Secure File Transfer Protocol) wherever possible.

If you are forced to use FTP, please follow these instructions to configure NAT and Firewall. If you are faced with a non-working FTP service after migration to NSX-T, please correct the settings using the instructions below.

FTP Active mode

Example: FTP client (212.164.39.225) is to download/upload files to FTP server (vsftpd, 192.168.50.2), which is placed in vDC behind NAT and FW on NSX-T EDGE (119.252.94.29)

Connection flow diagram for FTP active mode

You can see that FTP uses TCP ports 21 and 20 in the TCP trace below:

TCP DUMP on FTP server - login process

As a result you must have the following configuration:

  • Incoming TCP ports 20 and 21 are open in firewall for your Public IP address.

  • Outgoing connections are allowed for your Private Network/IP Address of FTP server

  • DNAT for TCP ports 20 and 21 is configured

  • SNAT is configured for your Private Network/IP Address of FTP server

FTP Passive mode

Example: FTP client (212.164.39.225) is to download/upload files in passive mode to FTP server (vsftpd, 192.168.50.2) placed in vDC behind NAT and FW on NSX-T EDGE (119.252.94.29)

You can see that FTP uses TCP ports 21 and 20 and a number of dynamic ports in the TCP trace below:

As a result you must have the following configuration:

  • Incoming TCP port 21 and the passive FTP ports are open in firewall for your Public IP (the range of IP addresses of the FTP server must be configured in the FTP server config)

  • Outgoing connections are open for your Private Network/IP Address of FTP server

  • DNAT for any TCP port is configured for the Private Network/IP Address of FTP server (1:1 DNAT)

  • SNAT is configured for your Private Network/IP Address of FTP server
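As an added example (not part of the original article), here is a small Python check of the server's PASV reply, which is where passive FTP behind NAT usually fails: the server must advertise the EDGE public IP rather than its private address (the vsftpd pasv_address setting) and a data port inside the range opened in the firewall and DNAT. The passive port range 50000-50100 and the sample reply lines are constructed assumptions.

```python
import re
from ipaddress import ip_address

# Addresses from the page's example topology; the passive port range is an
# assumption standing in for vsftpd's pasv_min_port/pasv_max_port, which must
# match the firewall and DNAT rules on the EDGE.
PUBLIC_EDGE_IP = "119.252.94.29"
PASV_PORT_RANGE = (50000, 50100)

# RFC 959 passive reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(line):
    """Return (ip, port) from a 227 reply, or None if the line is not one."""
    m = PASV_RE.search(line)
    if not m:
        return None
    fields = m.groups()
    ip = ".".join(fields[:4])
    port = int(fields[4]) * 256 + int(fields[5])  # p1*256 + p2
    return ip, port


def check_pasv_reply(line, public_ip=PUBLIC_EDGE_IP, port_range=PASV_PORT_RANGE):
    """Explain why a client outside the NAT could not reach the advertised
    data endpoint; an empty list means the reply is consistent with the NAT."""
    parsed = parse_pasv_reply(line)
    if parsed is None:
        return ["not a 227 PASV reply"]
    ip, port = parsed
    findings = []
    if ip_address(ip).is_private:
        findings.append(f"server advertises private address {ip}; set pasv_address={public_ip}")
    elif ip != public_ip:
        findings.append(f"advertised address {ip} is not the EDGE public IP {public_ip}")
    lo, hi = port_range
    if not lo <= port <= hi:
        findings.append(f"data port {port} is outside the DNAT/firewall passive range {lo}-{hi}")
    return findings


if __name__ == "__main__":
    # Constructed sample replies: misconfigured (private IP leaked) and correct.
    for reply in ("227 Entering Passive Mode (192,168,50,2,195,80).",
                  "227 Entering Passive Mode (119,252,94,29,195,80)."):
        print(reply, "->", check_pasv_reply(reply) or ["OK"])
```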
