jjk16


Cisco 2600 ftp clients unable to update software from the FTP server on the web acl pasv problems

I've searched these forums and found many similar questions but, unfortunately, not any definite answers.

The main problem I have is that the computers behind the router cannot update their software or transfer files to/from an FTP server.

Ports 20 and 21 are allowed in the access list (eq ftp, eq ftp-data).

I believe it has to do with the passive FTP setting on the FTP server side, on the other side of the router on the big world wide web. I want to connect without opening ports gt 1024.

I can connect to and log in to the ftp server, but attempts to read/list the directory or to transfer files are met with futility.

Example, from a command prompt with the built-in ftp client:

    ftp> ls
    200 PORT Command successful.
    150 Opening ASCII mode data connection for /bin/ls.

and then nothing..

I need a solution and an answer as to why, and what I need to accomplish on the ACL to make it happen.

One idea is to allow the IP of the server full access to all the ports on all the IPs on the class C network, which are all static with no NAT (please tell me how, as I am still learning the syntax of the Cisco IOS, and I believe others have tried as well, so it might help the rest of googleland).

Here is my config for the access lists:

access-list 101 permit icmp any host xxx.xxx.xxx.129
access-list 101 permit tcp any any established
access-list 101 permit udp any any
access-list 101 permit tcp any xxx.xxx.xxx.128 0.0.0.127 eq smtp
access-list 101 permit udp any xxx.xxx.xxx.128 0.0.0.127 eq 25
access-list 101 permit tcp any xxx.xxx.xxx.128 0.0.0.127 eq ftp
access-list 101 permit udp any xxx.xxx.xxx.128 0.0.0.127 eq 21

I do not know why it says eq 21 here, as it means exactly the same thing as eq ftp. I think the router appends access lists to each other, although I used a tftp server to copy the router config files (any insight would be appreciated, and is why my question(s) are worth so many points).


access-list 101 permit tcp any xxx.xxx.xxx.128 0.0.0.127 eq www
access-list 101 permit udp any xxx.xxx.xxx.128 0.0.0.127 eq 80
access-list 101 permit tcp any xxx.xxx.xxx.128 0.0.0.127 eq 5631
access-list 101 permit udp any xxx.xxx.xxx.128 0.0.0.127 eq 5632
access-list 101 permit tcp any xxx.xxx.xxx.128 0.0.0.127 eq telnet
access-list 101 permit udp any xxx.xxx.xxx.128 0.0.0.127 eq domain
access-list 101 permit tcp any xxx.xxx.xxx.128 0.0.0.127 eq 5900
access-list 101 permit tcp any xxx.xxx.xxx.128 0.0.0.127 eq 5901

Sub question:

We only have a class C assigned to us, which is the IPs greater than xxx.xxx.xxx.128. Is there any way to partition port access through ranges, i.e. 129-160, 16-200, via the 0.0.0.127 part of the netmask?

Thanks for any help in advance, and thanks for not giving up on reading this to its conclusion.

I look forward to the explanation and giving out an A+!
ASKER CERTIFIED SOLUTION
pedrow

jjk16

ASKER

I added the line as you said, and it worked for an application that would only hang before when trying to update via ftp!!

The command prompt ftp session to an ftp server of a website hosting company still would not allow me to perform a dir or ls, though :(

I still get the

    200 PORT Command successful.
    150 Opening ASCII mode data connection for /bin/ls

and then a hangup.

The port mode and pasv mode are confusing. Is there a way to allow the ftp server to open up the ports gt 1024 it needs for that connection, and then close the ports when it is done, via the ACL?

It's still progress, though, and I hope I do not scare you away. I have a question regarding the syntax of the ftp access-list: why did you rearrange the order? What bearing does that have on incoming connections? Any insight into writing these ACLs would be appreciated.

I'm learning, and thanks for the help so far.

SOLUTION
Regarding the syntax of the ftp access-list:

Many types of network connections get initiated from clients: http, ssh, smtp, etc.

Usually, a client initiates a connection sourced from a high-order port to a known service port, such as port 80 (http).

So, the outbound packet would come from me:<gt 1024> =>  Server:80
The server's response back to me would be Server:80 => me:<gt 1024>

With FTP, you're dealing with two separate connections. One initiated by you to the server, and another that's initiated by the server to you. These are two discretely different tcp sessions.

So, with active ftp, it looks something like this:

ftp-control session:
me:<gt 1024> => ftpServer:21
ftpServer:21 => me:<gt 1024>

ftp-data session:
ftpServer:20 => me:<gt 1024>
me:<gt 1024> => ftpServer:20

So, you see that the data session is initiated by the remote ftp server and gets *sourced* from the known ftp-data tcp port 20.

So, in the ACL, the syntax follows source => destination, so you have to specify the source port as port 20 by doing this:
access-list 101 permit tcp any eq ftp-data xxx.xxx.xxx.128 0.0.0.127

To make it more precise, I guess it really should have been like this:
access-list 101 permit tcp any eq ftp-data xxx.xxx.xxx.128 0.0.0.127 gt 1024
Make sense?

Passive ftp differs in that there is an initial connection outbound to port 21, much as with active FTP, but then the ftp server and client negotiate a high-order port on the ftp server, and the client then initiates an outbound connection from a port gt 1024 to the pre-negotiated high-order port on the server.

Sometimes Passive-mode breaks because the ftp server sits behind a firewall that has no way of knowing what high-order port the ftp server and client have decided to use. So, the ftp data connection from the client to the server fails.

As far as your dir/ls dying, it could very well be that the server isn't configured to allow you to list files in the directory. Just a thought.


ASKER

Well, I have learned a lot; it's surprising how much there is to learn. Thanks for all the help. I have some other questions, like how to divide the access list by IP range (xxx.xxx.xxx.1 - xxx.xxx.xxx.40) and the best way to add/delete to the router's running/startup config. I'll make a new question for those. I was thinking about getting the firewall feature set, as I think it comes with Cisco's IOS 12.2 and higher, and I have 12.1. If there's anything else you think I or someone else should know, let me know.


ASKER

Oh yeah, and I can get a dir/ls listing from the server on my home computer with the ports open, so it is a port issue, but I'll save that for another post.

The firewall feature set is a license that you have to buy from Cisco. It (usually) does not come standard with a router.

I'm not quite sure what you mean by "divide the access-list by ip range", but if you want to make things easy (like blocking a whole range), make sure you address your devices on bit boundaries, such that the last octet is 0-15, 16-31, 32-29, etc. You can even do bigger ranges like 0-31. Your access-list could look like this:

access-list 100 permit tcp 192.168.23.0 0.0.0.31 any eq 80

which would allow IP address 192.168.23.0-192.168.23.31 access to web servers.

-Eric
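Added example, not from this thread and not Cisco's code: a small Python model of how an inbound extended ACL evaluates TCP segments, used to check both explanations above. It shows why the asker's original ACL 101 lets the control session's replies through ("established") but drops the active-mode data connection the server opens from port 20 (which is where "ls" hangs), why the "permit tcp any eq ftp-data ... gt 1024" line fixes that, and how the 0.0.0.31 wildcard in the last reply selects a 32-address block. Addresses are constructed from documentation ranges in place of the asker's xxx.xxx.xxx.128 network, and only the "eq", "gt" and "established" clauses are modelled.

```python
import ipaddress
from collections import namedtuple

ANY = ("0.0.0.0", "255.255.255.255")                  # IOS keyword "any"
# Port clauses are None (any port), ("eq", n) or ("gt", n), mirroring the IOS syntax.
Ace = namedtuple("Ace", "src sport dst dport established", defaults=(False,))
Packet = namedtuple("Packet", "src sport dst dport ack", defaults=(False,))

def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    return (a & ~w) == (b & ~w)

def port_match(port: int, cond) -> bool:
    if cond is None:                                  # no port clause: any port matches
        return True
    op, n = cond
    return port == n if op == "eq" else port > n

def ace_matches(ace: Ace, p: Packet) -> bool:
    if ace.established and not p.ack:                 # "established": ACK (or RST) bit must be set
        return False
    return (wildcard_match(p.src, *ace.src) and port_match(p.sport, ace.sport)
            and wildcard_match(p.dst, *ace.dst) and port_match(p.dport, ace.dport))

def acl_permits(acl, p: Packet) -> bool:
    """First match wins; every entry modelled here is a permit; implicit deny at the end."""
    return any(ace_matches(a, p) for a in acl)

# Constructed addresses: 203.0.113.128/25 stands in for the asker's xxx.xxx.xxx.128 block.
NET = ("203.0.113.128", "0.0.0.127")
CLIENT, SERVER = "203.0.113.130", "198.51.100.7"
ORIGINAL = [Ace(ANY, None, ANY, None, established=True),       # permit tcp any any established
            Ace(ANY, None, NET, ("eq", 21))]                    # permit tcp any <net> eq ftp
FIXED = ORIGINAL + [Ace(ANY, ("eq", 20), NET, ("gt", 1024))]   # permit tcp any eq ftp-data <net> gt 1024

control_reply = Packet(SERVER, 21, CLIENT, 40001, ack=True)    # server's reply on the control session
data_syn = Packet(SERVER, 20, CLIENT, 40002)                   # server opens the active-mode data session

def results() -> dict:
    return {"control_orig": acl_permits(ORIGINAL, control_reply),   # True
            "data_orig": acl_permits(ORIGINAL, data_syn),           # False: the "ls" hang
            "data_fixed": acl_permits(FIXED, data_syn),             # True
            "in_block": wildcard_match("192.168.23.17", "192.168.23.0", "0.0.0.31"),    # True
            "past_block": wildcard_match("192.168.23.32", "192.168.23.0", "0.0.0.31")}  # False
```

Note that the fixed entry still accepts any SYN whose source port happens to be 20, which is the trade-off of permitting active-mode FTP with a stateless ACL; a stateful inspection feature would track the data connection instead.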