I am not sure what application was used to capture this trace. I removed a lot of the text, leaving just enough to point out the problem. The trace was obviously taken on the outside of the NAT device (or else we would not see a problem).
Packets 1 thru 4 show the connection to the FTP server. I've deleted the login packets. Note that the client's IP address is 192.168.19.1. However, in packet 12 the PORT command contains an IP address of 10.132.211.64. The FTP protocol does allow the PORT command to contain an IP address that is different from the client, but in this case we recognize the 10.132.211.64 address as the client's true source address, i.e. the address on the inside of the NAT device. Most NAT devices are smart enough to modify the FTP PORT command to reflect the outside address. I have no idea why this device did not.
We don't see the server actually trying to make the connection to the inside address. Based on the time difference (74 seconds) between the "150 Opening ASCII..." message in packet 16 and the "425 Can't open data..." message in packet 18, I suspect that the connection request either went out a different interface, so the analyzer didn't see it, or the analyzer was filtering on just the outside 192.168.19.1 address.
Packet 1: Time: 13h:18m 39.859 336s, Diff. time: 0.000000
IP: 192.168.19.1 -> 172.16.93.9
TCP SYN, [59773] -> [21]
---------------------------------------------------------------
Packet 2: Time: 13h:18m 39.935 399s, Diff. time: 0.076063
IP: 172.16.93.9 -> 192.168.19.1
TCP SYN ACK, [21] -> [59773]
---------------------------------------------------------------
Packet 3: Time: 13h:18m 39.936 993s, Diff. time: 0.001594
IP: 192.168.19.1 -> 172.16.93.9
TCP ACK, [59773] -> [21]
---------------------------------------------------------------
Packet 4: Time: 13h:18m 40.034 305s, Diff. time: 0.097312
IP: 172.16.93.9 -> 192.168.19.1
TCP PSH ACK, [21] -> [59773]
Data
0000  32 32 30 20 46 54 50 20 53 65 72 76 65 72 20 52  220 FTP Server R
0010  65 61 64 79 2E 0D 0A                             eady...
---------------------------------------------------------------
. . . .
Packet 12: Time: 13h:19m 10.649 504s, Diff. time: 16.826910
IP: 192.168.19.1 -> 172.16.93.9
TCP PSH ACK, [59773] -> [21]
Data
0000  50 4F 52 54 20 31 30 2C 31 34 32 2C 32 31 31 2C  PORT 10,132,211,
0010  36 34 2C 32 33 33 2C 31 32 38 0D 0A              64,233,128..
---------------------------------------------------------------
Packet 13: Time: 13h:19m 10.726 273s, Diff. time: 0.076769
IP: 172.16.93.9 -> 192.168.19.1
TCP PSH ACK, [21] -> [59773]
Data
0000  32 30 30 20 50 4F 52 54 20 63 6F 6D 6D 61 6E 64  200 PORT command
0010  20 73 75 63 63 65 73 73 66 75 6C 2E 0D 0A         successful...
---------------------------------------------------------------
Packet 14: Time: 13h:19m 10.731 039s, Diff. time: 0.004766
IP: 192.168.19.1 -> 172.16.93.9
TCP PSH ACK, [59773] -> [21]
Data
0000  52 45 54 52 20 XX XX XX XX XX XX XX XX XX XX XX  RETR XXXXXXXXXXX
0010  XX XX XX XX XX XX 0D 0A                          XXXXXX..
---------------------------------------------------------------
Packet 15: Time: 13h:19m 10.923 854s, Diff. time: 0.192815
IP: 172.16.93.9 -> 192.168.19.1
TCP ACK, [21] -> [59773]
---------------------------------------------------------------
Packet 16: Time: 13h:19m 10.925 642s, Diff. time: 0.001788
IP: 172.16.93.9 -> 192.168.19.1
TCP PSH ACK, [21] -> [59773]
Data
0000  31 35 30 20 4F 70 65 6E 69 6E 67 20 41 53 43 49  150 Opening ASCI
0010  49 20 4D 6F 64 65 20 44 61 74 61 20 43 6F 6E 6E  I Mode Data Conn
0020  65 63 74 69 6F 6E 2E 0D 0A                       ection...
---------------------------------------------------------------
Packet 17: Time: 13h:19m 10.965 660s, Diff. time: 0.040018
IP: 192.168.19.1 -> 172.16.93.9
TCP ACK, [59773] -> [21]
---------------------------------------------------------------
Packet 18: Time: 13h:20m 25.439 824s, Diff. time: 74.474164
IP: 172.16.93.9 -> 192.168.19.1
TCP PSH ACK, [21] -> [59773]
Data
0000  34 32 35 20 43 61 6E 27 74 20 6F 70 65 6E 20 64  425 Can't open d
0010  61 74 61 20 63 6F 6E 6E 65 63 74 69 6F 6E 3B 20  ata connection; 
0020  63 68 65 63 6B 20 63 6C 69 65 6E 74 20 66 69 72  check client fir
0030  65 77 61 6C 6C 2F 72 6F 75 74 65 72 20 63 6F 6E  ewall/router con
0040  66 69 67 2E 0D 0A                                fig...
---------------------------------------------------------------
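The check done by eye on packet 12 can be automated. The following is an added example, not part of the original post or of any capture tool: it decodes a PORT argument (four address octets, then the port as high byte and low byte) and compares the embedded address with the IP source of the packet that carried it. The function names and result fields are hypothetical; the sample payload is the PORT line as shown in the trace's text column.

```python
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2 (RFC 959); FTP command names are case-insensitive.
PORT_RE = re.compile(rb"PORT ((?:\d{1,3},){5}\d{1,3})\r?\n?", re.IGNORECASE)


def parse_port(payload: bytes):
    """Return (IPv4Address, tcp_port) from a PORT command, or None if malformed."""
    m = PORT_RE.fullmatch(payload)
    if not m:
        return None
    nums = [int(n) for n in m.group(1).split(b",")]
    if any(n > 255 for n in nums):
        return None
    addr = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return addr, nums[4] * 256 + nums[5]  # port = p1 * 256 + p2


def check_port(src_ip: str, payload: bytes) -> dict:
    """Compare the address inside PORT with the packet's IP source address."""
    parsed = parse_port(payload)
    if parsed is None:
        return {"status": "not-port"}
    addr, port = parsed
    result = {"port_addr": str(addr), "data_port": port, "status": "ok"}
    if addr != ipaddress.IPv4Address(src_ip):
        # The server will open the data connection toward port_addr, not toward
        # the address it sees the control connection coming from.
        result["status"] = "address-mismatch"
        # A private (RFC 1918) address here suggests an inside address that the
        # NAT device did not rewrite. In this sanitized trace the "outside"
        # address is private too, so treat this only as a hint.
        result["private_port_addr"] = addr.is_private
    return result


if __name__ == "__main__":
    # Packet 12: IP source 192.168.19.1, payload from the trace's text column.
    print(check_port("192.168.19.1", b"PORT 10,132,211,64,233,128\r\n"))
    # Constructed sample: what a correctly rewritten PORT would look like.
    print(check_port("192.168.19.1", b"PORT 192,168,19,1,233,128\r\n"))
```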