Nat – Active FTP in Meraki

Tags: firewall, meraki, nat

Has anyone configured Active FTP in Meraki? If so, will you please assist me with how to configure it on an MX100?

Best Answer

Cisco maintains documentation for this type of thing. It takes about 2 seconds to locate the specific document on how to do this. Active and Passive FTP Overview and Configuration:

Active FTP Overview

An active FTP session involves the following steps:

  1. The client sends the PORT command to an FTP server. The source port is a random, high-numbered port. The destination port is 21.
  2. The server responds with an ACK.
  3. The server initiates a connection to the client with source port 20 and the destination port specified in the client’s PORT command.
  4. The client sends an ACK to the server. The FTP session has now been established. Client firewalls are often configured to block incoming connections. This causes step 3 of the above process to fail, as shown in the diagram (not reproduced here).

MX Configuration for Active FTP

Configuration for active FTP on an MX appliance is a simple process. Firewall rules must be constructed to allow inbound connections on ports 21 and 20. Additional information about constructing firewall rules can be found here, and the following example details a 1:1 NAT rule that allows inbound connections to an internal FTP server.


By default, MX appliances allow all outbound connections, so no additional firewall configuration is necessary. The diagram in the Cisco document (not reproduced here) outlines the flow of active FTP traffic, and where the MX comes into play.
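The four steps above are easier to reason about once the two TCP connections are written out explicitly, because the firewall decision is made per connection, not per FTP session. The following Python script is an added example and is not part of the answer, the Cisco documentation or any Meraki tooling. It parses the client's PORT command as defined in RFC 959, derives the control flow (client to server port 21) and the data flow (server port 20 to the address and port named in PORT), and checks both against a deliberately simplified policy model that mirrors the MX defaults stated above: inbound connections are allowed only on an explicit allow-list of destination ports, all outbound connections are allowed. The IP addresses and ports are constructed sample values, and the policy model is an assumption for illustration, not the MX rule engine.

```python
"""Model the two TCP flows of an active FTP session and check each one
against a minimal inbound-allow-list / outbound-permit-all policy.
Constructed example: not MX code, not Cisco documentation."""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# RFC 959 PORT syntax: h1,h2,h3,h4,p1,p2  (data port = p1*256 + p2)
_PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$"
)


def parse_port_command(line: str) -> Tuple[str, int]:
    """Return the (ip, port) the client announces in a PORT command."""
    m = _PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a valid PORT command: {line!r}")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {line!r}")
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    if port == 0:
        raise ValueError("data port 0 is not usable")
    return ip, port


@dataclass(frozen=True)
class Flow:
    step: int            # step number from the overview above
    description: str
    src: str
    src_port: int
    dst: str
    dst_port: int
    direction: str       # 'inbound' (towards the LAN FTP server) or 'outbound'


def active_ftp_flows(client_ip: str, client_port: int,
                     server_ip: str, port_cmd: str) -> List[Flow]:
    """The two connections an active FTP session needs, as seen by a
    firewall in front of the FTP server."""
    data_ip, data_port = parse_port_command(port_cmd)
    return [
        # Step 1: client opens the control channel to port 21 and sends PORT.
        Flow(1, "control channel (client -> server:21)",
             client_ip, client_port, server_ip, 21, "inbound"),
        # Step 3: server opens the data channel from port 20 back to the
        # address/port the client announced.
        Flow(3, "data channel (server:20 -> client data port)",
             server_ip, 20, data_ip, data_port, "outbound"),
    ]


def is_allowed(flow: Flow, inbound_allowed_ports: Set[int]) -> bool:
    """Simplified policy (assumption): every outbound connection is
    permitted; an inbound connection is permitted only if its destination
    port is on the allow-list."""
    if flow.direction == "outbound":
        return True
    return flow.dst_port in inbound_allowed_ports


def check_active_ftp(client_ip: str, client_port: int, server_ip: str,
                     port_cmd: str,
                     inbound_allowed_ports: Set[int]) -> List[Tuple[Flow, bool]]:
    """Return (flow, allowed) for each step; the first False is where the
    session stalls."""
    flows = active_ftp_flows(client_ip, client_port, server_ip, port_cmd)
    return [(f, is_allowed(f, inbound_allowed_ports)) for f in flows]


if __name__ == "__main__":
    # Constructed sample: external client 203.0.113.25, FTP server 192.0.2.10.
    cmd = "PORT 203,0,113,25,4,1"          # announces 203.0.113.25:1025
    for allowed_ports in ({20, 21}, set()):
        print(f"inbound allow-list {sorted(allowed_ports)}:")
        for flow, ok in check_active_ftp("203.0.113.25", 51234,
                                         "192.0.2.10", cmd, allowed_ports):
            verdict = "ALLOW" if ok else "BLOCK"
            print(f"  step {flow.step} {verdict}: {flow.description} "
                  f"{flow.src}:{flow.src_port} -> {flow.dst}:{flow.dst_port}")
```

Run it and the first policy (inbound 20 and 21 allowed) passes both steps, while an empty allow-list blocks step 1 before the data channel is ever attempted. The same `parse_port_command` function is a handy sanity check when reading a packet capture of a failing session: the address and port it returns are exactly the destination the server will try to reach in step 3, which is what a client-side firewall has to permit.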