USG3040 version problem: FTP through domain NAT does not work normally

Publication Date: 2012-11-06
Issue Description

Key configuration:
[USG3000]nat server protocol tcp global 2121 inside 21
[USG3000-zone-trust]nat 2000 address-group 1

Software type: USG3040 V100R002
Problem phenomenon:
1. The user configured a "NAT-SERVER" port mapping (external network port 2121 mapped to port 21 of the internal network) for an FTP server on the internal network, and at the same time configured the domain NAT function. The "NAT-SERVER" function is normal.
2. Domain NAT is not normal: the PC cannot access the FTP server in FTP passive mode, while active mode is normal. If the NAT-SERVER mapping is changed to map port 21 to port 21, everything is normal.

Alarm Information
Handling Process
Checking the USG session table showed that the passive IP phenomenon appears in the session table at the second stage of the FTP negotiation. This is a V1R2 software problem; after changing the version to V1R1, everything is normal.
Root Cause
1. Check the filtering policy: normal.
2. Check the domain NAT configuration: normal.
3. Check the FTP server: accessing the FTP server directly from the PC by its internal network IP is normal.
4. Suspect a USG software version problem.
The USG3000 V1R2 version only adds a few functions such as IPS. If these functions are not used, V1R1 is suggested, because V1R1 must be more stable.
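
The session-table check above can be complemented from the PC side by reading the 227 reply received in passive mode and comparing the data address it advertises with the address the PC used for the control connection. The Python below is an added example, not code from the original case; the sample replies and the addresses 192.0.2.10 (NAT-SERVER global address) and 192.168.1.10 (internal FTP server) are constructed assumptions.

```python
import ipaddress
import re

# RFC 959 passive reply carries h1,h2,h3,h4,p1,p2 (four IP octets, two port bytes)
ADDR_RE = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or None if it is not one."""
    reply = reply.strip()
    if not reply.startswith("227"):
        return None
    m = ADDR_RE.search(reply[3:])
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed octet or port byte
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]


def check_transcript(lines, control_peer):
    """Scan control-channel replies and report, for each 227 reply, whether the
    advertised data address equals the address the client dialled."""
    peer = ipaddress.IPv4Address(control_peer)
    findings = []
    for line in lines:
        parsed = parse_pasv(line)
        if parsed is None:
            continue
        ip, port = parsed
        status = "ok" if ipaddress.IPv4Address(ip) == peer else "address-mismatch"
        findings.append((ip, port, status))
    return findings


# Constructed sample: replies seen by a PC that connected to 192.0.2.10:2121
SAMPLE = [
    "220 FTP server ready",
    "230 Logged in",
    "227 Entering Passive Mode (192,168,1,10,195,80)",
]

if __name__ == "__main__":
    for ip, port, status in check_transcript(SAMPLE, "192.0.2.10"):
        print(f"data channel -> {ip}:{port} [{status}]")
```

An "address-mismatch" result means the PC was told to open the data connection to an address other than the one it dialled, which is worth comparing with the entries in the USG session table.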