Secure IPv4 FTP session cannot transfer data through a NAT firewall

If you are using an encrypted FTP control connection, as is the case when using AT-TLS security, and the client sends PASV or PORT to establish a data connection for file transfer, and a NAT (network address translation) firewall exists between the client and server, you might find that while you could sign into the server, you cannot establish the data connection for the transfer. This is because a NAT firewall monitors the FTP control connection as well as the IP headers, changing IP addresses as needed. If the control connection is encrypted, the NAT cannot monitor and change the IP addresses exchanged between the FTP client and server by PASV and PORT.

Use the locsite subcommand with the EPSV4 parameter, or code EPSV4 TRUE in FTP.DATA, to direct the client to use EPSV instead of PORT or PASV on IPv4 sessions to establish the data connection. The EPSV command exchanges only port numbers between FTP client and server, so the NAT firewall does not need to translate IP addresses. The server must support EPSV on IPv4 sessions for this solution to be effective.

If the server does not support the EPSV command, you can use the PASSIVEIGNOREADDR configuration option to ignore the IP address that is returned on a PASV command reply and use only the port. For more information about the EPSV command, see RFC 2428. For more information about the LOCSITE subcommand, see z/OS Communications Server: IP User's Guide and Commands and z/OS Communications Server: IP System Administrator's Commands. For more information about the EPSV4 or PASSIVEIGNOREADDR statement in FTP.DATA, see z/OS Communications Server: IP Configuration Reference.
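The following is an added example, not code from z/OS Communications Server, that models the client-side decision described above: it parses the PASV (RFC 959) and EPSV (RFC 2428) replies and shows why an unmodified PASV address fails behind NAT while EPSV, or ignoring the PASV address, does not. It assumes that "use only the port" means connecting to the address the control connection already reached; the addresses and replies are constructed.

```python
import re
from typing import NamedTuple

# Reply shapes from RFC 959 (227 ... (h1,h2,h3,h4,p1,p2)) and RFC 2428 (229 ... (|||port|)).
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")


class DataEndpoint(NamedTuple):
    host: str
    port: int
    source: str  # which information the address came from


def data_endpoint(reply: str, control_peer: str, passive_ignore_addr: bool = False) -> DataEndpoint:
    """Derive the data-connection endpoint from a passive-mode reply.

    control_peer is the server address the client reached on the encrypted
    control connection, i.e. the address as seen on the client's side of the NAT.
    """
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(2))
        if not 1 <= port <= 65535:
            raise ValueError(f"bad EPSV port: {port}")
        # EPSV carries only a port, so no address inside the TLS stream needs translating.
        return DataEndpoint(control_peer, port, "control peer (EPSV)")
    m = PASV_RE.match(reply)
    if m:
        fields = [int(x) for x in m.groups()]
        if any(f > 255 for f in fields):
            raise ValueError(f"bad PASV reply: {reply!r}")
        port = fields[4] * 256 + fields[5]
        if port == 0:
            raise ValueError("PASV reply advertises port 0")
        if passive_ignore_addr:
            # Assumed PASSIVEIGNOREADDR behaviour: keep the port, reuse the control peer address.
            return DataEndpoint(control_peer, port, "control peer (PASSIVEIGNOREADDR)")
        return DataEndpoint(".".join(map(str, fields[:4])), port, "PASV reply")
    raise ValueError(f"unrecognized passive reply: {reply!r}")


def nat_would_break(endpoint: DataEndpoint, control_peer: str) -> bool:
    """True when the client would dial an address the NAT never translated."""
    return endpoint.host != control_peer


if __name__ == "__main__":
    # Constructed scenario: server listens on 10.0.0.5 behind a NAT; client reached 198.51.100.7.
    PEER = "198.51.100.7"
    pasv = "227 Entering Passive Mode (10,0,0,5,4,210)"
    epsv = "229 Entering Extended Passive Mode (|||1234|)"
    for reply, ignore in ((pasv, False), (pasv, True), (epsv, False)):
        ep = data_endpoint(reply, PEER, ignore)
        print(f"{reply[:3]} ignore_addr={ignore}: {ep.host}:{ep.port} via {ep.source}; "
              f"broken by NAT={nat_would_break(ep, PEER)}")
```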