Remote phone provisioning - what's wrong with my FTP server

Premise PBX behind NAT.
I am using FTP for provisioning of Mitel phones which are remote (using TLS/SRTP).
Firewall has FTP port 21 open.

The FTP server config looks like below. The FTP server was enabled via the System Admin GUI.

anonymous_enable=no
local_enable=YES
write_enable=YES
guest_enable=YES
local_umask=0133
file_open_mode=0777
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/xferlog
xferlog_std_format=YES
async_abor_enable=YES
listen=YES
pam_service_name=vsftpd.freepbx
tcp_wrappers=YES
max_clients=20
max_per_ip=5
userlist_deny=no
local_root=/tftpboot
dual_log_enable=yes
virtual_use_local_privs=yes

Phones are able to connect to the FTP server but don’t get the config files. The FTP logs look like below.

Tue Mar 5 14:11:56 2019 [pid 3114] [ftpuser] OK LOGIN: Client "73.242.xx.xx"
Tue Mar 5 14:12:07 2019 [pid 3219] CONNECT: Client "73.242.xx.xx"
Tue Mar 5 14:12:07 2019 [pid 3218] [ftpuser] OK LOGIN: Client "73.242.xx.xx"
Tue Mar 5 14:12:18 2019 [pid 3304] CONNECT: Client "73.242.xx.xx"
Tue Mar 5 14:12:18 2019 [pid 3303] [ftpuser] OK LOGIN: Client "73.242.xx.xx"
Tue Mar 5 14:12:31 2019 [pid 3451] CONNECT: Client "73.242.xx.xx"
Tue Mar 5 14:12:31 2019 [pid 3450] [ftpuser] OK LOGIN: Client "73.242.xx.xx"
Tue Mar 5 14:12:41 2019 [pid 3559] CONNECT: Client "73.242.xx.xx"
Tue Mar 5 14:12:42 2019 [pid 3558] [ftpuser] OK LOGIN: Client "73.242.xx.xx"
Tue Mar 5 14:12:52 2019 [pid 3664] CONNECT: Client "73.242.xx.xx"
Tue Mar 5 14:12:52 2019 [pid 3663] [ftpuser] OK LOGIN: Client "73.242.xx.xx"
Tue Mar 5 14:13:05 2019 [pid 3766] CONNECT: Client "73.242.xx.xx"
Tue Mar 5 14:13:05 2019 [pid 3765] [ftpuser] OK LOGIN: Client "73.242.xx.xx"

It is not able to retrieve any of the config files or the SSL certificate.
Firewall logs show:
Server sent passive reply with unroutable address 192.168.20.20 (internal address of pbx).

When the FTP server is behind NAT, do we have to set up a passive FTP connection or active? What ports need to be open in the firewall? What is causing this issue?

Thanks.
