mxrider_420

FTP NAT issue

SEE RELATED->
https://www.experts-exchange.com/questions/26097733/Cisco-2651-Router-Port-Forwarding.html

OK... So I got my NAT to work correctly, but I'm having an issue with FTP, and I assume it's not related to the router, but here it is. If anyone can help me on this here, great; if not, I will open a new thread. But here is what's going on:

Status:      Connecting to 174.5.165.113:29...
Status:      Connection established, waiting for welcome message...
Response:      220 Welcome to the BEST FTP server!   <---- it gets to the FTP through the NAT as you can see its got the welcome banner..
Command:      USER memyselfandi
Response:      331 Please specify the password.
Command:      PASS ***
Response:      230 Login successful.
Status:      Connected
Status:      Retrieving directory listing...
Command:      PWD
Response:      257 "/"
Command:      TYPE I
Response:      200 Switching to Binary mode.
Command:      PASV
Response:      227 Entering Passive Mode (192,168,1,70,162,138)
Status:      Server sent passive reply with unroutable address. Using server address instead.
Command:      LIST
Error:      Connection timed out
Error:      Failed to retrieve directory listing
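
The PASV exchange in the log above, worked through as an added example (not part of the original post or of any reply): it decodes the 227 reply, applies the address substitution the client reports, and checks the resulting data port against the router's forwards. The `diagnose` helper and the `forwarded_ports` set (assumed here to hold only the control port 29) are hypothetical.

```python
import ipaddress
import re

# 227 reply carries h1,h2,h3,h4,p1,p2: IPv4 octets, then the port as two bytes.
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),"
                     r"(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(reply):
    """Return (IPv4Address, port) from a 227 reply; ValueError if malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % reply)
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]

def diagnose(reply, control_host, forwarded_ports):
    """Work out where the data connection will go and why it may time out."""
    host, port = parse_pasv(reply)
    control = ipaddress.IPv4Address(control_host)
    findings = []
    target = host
    if host != control and not host.is_global:
        # Server behind NAT advertised its inside address; the client in the
        # log falls back to the address of the control connection.
        findings.append("server advertises non-routable address %s" % host)
        target = control
    if port not in forwarded_ports:
        # The substituted address is the router; without a forward for this
        # port the SYN never reaches the FTP server and LIST times out.
        findings.append("data port %d is not forwarded to the server" % port)
    return {"data_endpoint": (str(target), port), "findings": findings}

# Reply and public address are taken from the log above.
SAMPLE_REPLY = "227 Entering Passive Mode (192,168,1,70,162,138)"
CONTROL_HOST = "174.5.165.113"
FORWARDED = {29}  # assumption: only the control port is forwarded

if __name__ == "__main__":
    result = diagnose(SAMPLE_REPLY, CONTROL_HOST, FORWARDED)
    print("data connection goes to %s:%d" % result["data_endpoint"])
    for finding in result["findings"]:
        print(" -", finding)
```
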
TAMSCODAN

While I research and ponder over your issue, think about this: http://www.enterprisedt.com/products/edtftpjssl/doc/manual/html/howtoftpthroughafilewall.html

Are you allowing both ports 20 and 21? Port 20 is the control port for the session and 21 is the actual data port.
mxrider_420

ASKER

Yes, both are allowed. And my ISP blocks 21, so I run it on an off port, 29, and haven't had any issues prior.
Hmmm, you can create an ACL and run a debug on the router.

Create a standard ACL just for the interesting traffic, then start the debug:

debug ip packet [acl#] detail

Then try it again. Then view the logs on your router.

How do I do that?... I'm a noob
ASKER CERTIFIED SOLUTION
TAMSCODAN
I need to use fa0/1 as my IP is dynamic. Any ideas? For the NAT
This is temporary, so you can use the IP address that is dynamically assigned. It won't change for a period of time, maybe a day or two, all depending on the ISP.
Sorry, had a few issues with the ISP last night so was unable to test. Will get back to you this evening. Thanks for the post!
SOLUTION
I am using VSFTPD. How would I do this?
I should mention that I don't have PIX hardware. I have a Cisco router, that's all.
Did you try an active mode connection? Clients like FileZilla allow specific selections of active or passive mode.

For a Cisco router, you will need a minimum of the Advanced Security feature set to get the firewall features that allow FTP protocol inspection. What IOS version are you using? What feature set?
Yes, this solved my issue, thanks. I have one last question. If my FTP server has two NICs connected to two networks, i.e. 192.168.1.0 and 172.168.5.0, wouldn't there be a routing loop? I mean, when a desktop/server has two NICs and they communicate with Active Directory and other servers, which IP will it communicate with? If it has an IP address on both subnets and both subnets have access to the Active Directory and servers, how can I solve the routing loop problem?
This is separate from the question you asked. You should award points and submit a new question.

There can only be a possible routing loop through devices that perform general routing functions (routers, not end hosts). Your server doesn't have a routing loop. Your server will either prefer one link for outbound traffic or will load balance across the two. Open a command prompt and enter "route print". The routing table results will tell you which of the two is happening and, if one is preferred, the route that is being used.

By default, Windows assigns route metrics automatically. This can be manually overridden by opening a network adapter's advanced TCP/IP properties, clearing the option for automatic metrics, and assigning a static metric for that adapter. If you want a single adapter to always be the preferred outbound path, then enter a value of 1 in the metric field.
I will open a new thread on this. Will you follow it?