04.23.2008 at 05:06PM PDT, ID: 23348788

Configuring Cisco firewall to allow incoming Secure FTP from remote (off-site) server

Tags: Cisco, 2821 Router, 12.4
Need to get EDI transfers from a customer's Secure FTP server. They give us the option of either using SSL or SSH.

For SSL they suggest setting up the FTP client to use:
- Port = 10021
- Transfer Mode = Binary
- URL = ftp.customer.com
- IP = 64.39.59.x
- Connection Type = Active

For SSH:
- Port = 10121
- Transfer Mode = Binary
- URL = ftp.customer.com
- IP = 64.39.59.x
- Connection Type = Passive

I think I'm closer with the SSL config and know it is a firewall issue. The client is able to connect to the site and log in; it then hangs and I get the error "425 Cannot est Data Connection", which means it isn't able to get back through a port on my firewall. Tried many configs but can't get it to work.

Any help is appreciated.
!
aaa new-model
!
!
aaa authentication fail-message ^CCLogin Failed Unauthorized access and use of this network will be
vigorously prosecuted.^C
aaa authentication login con local
aaa authentication login user local
aaa authentication login clientauth local
aaa authentication login UserAuth group radius
aaa authorization console
aaa authorization exec default local
aaa authorization exec con local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
clock timezone pst -8
ip subnet-zero
!
!
ip cef
!
!
ip flow-cache timeout active 1
ip domain name domain.com
ip inspect name myfw http java-list 50
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw icmp
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3438045733
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3438045733
 revocation-check none
 rsakeypair TP-self-signed-3438045833
!
!
crypto pki certificate chain TP-self-signed-3438045833
 certificate self-signed 01
 
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxx address 70.233.15.x
crypto isakmp key xxx address 64.169.75.x
crypto isakmp key xxx address 65.43.89.x
crypto isakmp key xxx address 24.136.100.x
crypto isakmp key xxx address 67.76.67.x
crypto isakmp key xxx address 64.190.142.x
crypto isakmp key xxx address 68.213.10.x
crypto isakmp key xxx address 67.116.104.x
crypto isakmp invalid-spi-recovery
!
crypto isakmp client configuration group XXXvpngrp
 key XXXX!
 dns 192.168.10.5 192.168.1.5
 domain domain.com
 pool vpnpool
 acl 140
crypto isakmp profile VPNclient
   description VPN client profile
   match identity group XXXvpngrp
   client authentication list UserAuth
   isakmp authorization list groupauthor
   client configuration address respond
!
crypto ipsec security-association lifetime seconds 86400
!
 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
 mode transport
!
crypto dynamic-map dynmap 5
 set transform-set ESP-3DES-MD5
 set isakmp-profile VPNclient
!
!
crypto map testmap 3 ipsec-isakmp
 description Tunnel to 
 set peer 64.190.142.x
 set transform-set ESP-DES-MD5
 match address 103
crypto map testmap 4 ipsec-isakmp
 description Tunnel to 
 set peer 68.213.10.x
 set transform-set ESP-DES-MD5
 match address 104
crypto map testmap 5 ipsec-isakmp
 description Tunnel to 
 set peer 67.116.104.x
 set transform-set ESP-DES-MD5
 match address 105
crypto map testmap 6 ipsec-isakmp
 description Tunnel to 
 set peer 67.76.67.x
 set transform-set ESP-DES-MD5
 match address 106
crypto map testmap 7 ipsec-isakmp
 description Tunnel to 
 set peer 24.136.100.x
 set transform-set ESP-DES-MD5
 match address 107
crypto map testmap 9 ipsec-isakmp
 description Tunnel to 
 set peer 64.169.75.x
 set transform-set ESP-DES-MD5
 match address 109
crypto map testmap 11 ipsec-isakmp
 description Tunnel to 
 set peer 65.43.89.x
 set transform-set ESP-DES-MD5
 match address 111
crypto map testmap 20 ipsec-isakmp dynamic dynmap
!
bridge irb
!
!
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 192.168.3.1 255.255.255.0 secondary
 ip address 192.168.2.1 255.255.255.0 secondary
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip policy route-map webtraffic
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.98.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip policy route-map webtraffic
 duplex auto
 speed auto
!
interface Serial0/0/0
 mtu 1522
 bandwidth 1536
 ip address 64.81.85.x 255.255.255.0
 ip access-group inbound in
 ip nat outside
 ip inspect myfw out
 ip virtual-reassembly
 encapsulation frame-relay IETF
 ip route-cache flow
 no ip mroute-cache
 no fair-queue
 frame-relay map ip 64.81.85.1 16 IETF
 frame-relay interface-dlci 16
 frame-relay lmi-type ansi
 frame-relay qos-autosense
 crypto map testmap
 crypto ipsec df-bit clear
!
interface ATM0/1/0
 description Connection to WAN
 no ip address
 ip virtual-reassembly
 ip route-cache flow
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 bridge-group 1
 pvc 0/35
  encapsulation aal5snap
 !
!
interface Group-Async0
 physical-layer async
 no ip address
 no group-range
!
interface Group-Async1
 physical-layer async
 no ip address
!
interface BVI1
 ip address 64.81.38.x 255.255.255.0
 ip nat outside
 ip inspect myfw out
 ip virtual-reassembly
!
ip local pool vpnpool 192.168.40.1 192.168.40.254
ip classless
ip route 0.0.0.0 0.0.0.0 64.81.85.1
ip route 172.14.0.0 255.255.0.0 192.168.1.253
ip route 172.16.0.0 255.255.0.0 192.168.1.253
ip route 172.17.0.0 255.255.0.0 192.168.1.253
ip route 192.168.10.0 255.255.255.0 192.168.98.2
ip route 192.168.99.0 255.255.255.0 192.168.98.2
!
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination 192.168.1.163 9996
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 135 interface Serial0/0/0 overload
ip nat inside source list 136 interface BVI1 overload
ip nat inside source static tcp 192.168.10.85 20 64.39.59.x 20 extendable
ip nat inside source static tcp 192.168.10.85 21 64.39.59.x 21 extendable
ip nat inside source static 192.168.1.8 64.81.94.xx route-map NAT4Static extendable
ip nat inside source static 192.168.1.90 64.81.94.xx route-map NAT4Static extendable
ip nat inside source static 192.168.1.161 64.81.94.xx route-map NAT4Static extendable
ip nat inside source static 192.168.1.12 64.81.94.xx route-map NAT4Static extendable
ip nat inside source static 192.168.10.85 64.81.94.xx route-map NAT4Static extendable
ip nat inside source static 192.168.10.30 64.81.94.xx route-map NAT4Static extendable
ip nat inside source static 192.168.99.51 64.81.94.xx route-map NAT4Static extendable
!
ip access-list extended NATPERMIT2
 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255
 deny   ip 192.168.1.0 0.0.0.255 10.11.0.0 0.0.255.255
 permit ip 192.168.1.0 0.0.0.255 any
 deny   ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.255.255
 deny   ip 192.168.10.0 0.0.0.255 10.11.0.0 0.0.255.255
 permit ip 192.168.10.0 0.0.0.255 any
 deny   ip 192.168.99.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 192.168.99.0 0.0.0.255 172.16.0.0 0.0.255.255
 deny   ip 192.168.99.0 0.0.0.255 10.11.0.0 0.0.255.255
 permit ip 192.168.99.0 0.0.0.255 any
 deny   ip 192.168.98.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 192.168.98.0 0.0.0.255 172.16.0.0 0.0.255.255
 deny   ip 192.168.98.0 0.0.0.255 10.11.0.0 0.0.255.255
 permit ip 192.168.98.0 0.0.0.255 any
ip access-list extended inbound
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit udp any eq domain any
 permit tcp any host 64.81.94.xx eq 3389
 permit gre any any
 permit esp any any
 permit tcp any host 64.81.94.xx eq 3389
 permit tcp any host 64.81.94.xx eq 1494
 permit tcp any host 64.81.94.xx eq ftp
 permit tcp any host 64.81.94.xx eq 3389
 permit tcp any host 64.81.85.xx eq 22
 permit tcp any host 64.81.94.xx eq 443
 permit tcp any host 64.81.94.xx eq smtp
 permit tcp any host 64.81.94.xx eq www
 permit icmp any host 64.81.94.xx
!
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 103 remark VPN for 
access-list 103 permit ip 172.16.0.0 0.0.255.255 10.11.3.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.255.255 10.11.3.0 0.0.0.255
access-list 104 remark VPN for 
access-list 104 permit ip 172.16.0.0 0.0.255.255 10.11.4.0 0.0.0.255
access-list 104 permit ip 192.168.1.0 0.0.0.255 10.11.4.0 0.0.0.255
access-list 104 permit ip 192.168.10.0 0.0.0.255 10.11.4.0 0.0.0.255
access-list 104 permit ip 192.168.40.0 0.0.0.255 10.11.4.0 0.0.0.255
access-list 105 remark VPN for 
access-list 105 permit ip 172.16.0.0 0.0.255.255 10.11.5.0 0.0.0.255
access-list 105 permit ip 192.168.0.0 0.0.255.255 10.11.5.0 0.0.0.255
access-list 106 remark VPN for 
access-list 106 permit ip 172.16.0.0 0.0.255.255 10.11.6.0 0.0.0.255
access-list 106 permit ip 192.168.0.0 0.0.255.255 10.11.6.0 0.0.0.255
access-list 107 remark VPN for 
access-list 107 permit ip 172.16.0.0 0.0.255.255 10.11.7.0 0.0.0.255
access-list 107 permit ip 192.168.1.0 0.0.0.255 10.11.7.0 0.0.0.255
access-list 107 permit ip 192.168.10.0 0.0.0.255 10.11.7.0 0.0.0.255
access-list 107 permit ip 192.168.40.0 0.0.0.255 10.11.7.0 0.0.0.255
access-list 109 remark VPN for 
access-list 109 permit ip 172.16.0.0 0.0.255.255 10.11.9.0 0.0.0.255
access-list 109 permit ip 192.168.0.0 0.0.255.255 10.11.9.0 0.0.0.255
access-list 111 remark VPN for
access-list 111 permit ip 192.168.0.0 0.0.255.255 10.11.11.0 0.0.0.255
access-list 111 permit ip 172.16.0.0 0.0.255.255 10.11.11.0 0.0.0.255
access-list 135 deny   tcp any any eq www
access-list 135 deny   ip 192.168.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 135 deny   ip 172.16.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 135 deny   ip 192.168.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 135 deny   ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 135 deny   ip 172.16.0.0 0.0.255.255 10.11.0.0 0.0.255.255
access-list 135 permit ip any any
access-list 136 deny   tcp any 172.16.101.0 0.0.0.255 eq www
access-list 136 deny   tcp any 172.16.101.0 0.0.0.255 eq ftp
access-list 136 deny   tcp any 192.168.10.0 0.0.0.255 eq www
access-list 136 deny   tcp any 192.168.3.0 0.0.0.255 eq www
access-list 136 deny   tcp any 192.168.2.0 0.0.0.255 eq www
access-list 136 permit tcp 10.11.0.0 0.0.255.255 any eq www
access-list 136 permit tcp 192.168.0.0 0.0.255.255 any eq www
access-list 140 permit ip 192.168.1.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 192.168.40.0 0.0.0.255
access-list 140 permit ip 10.11.0.0 0.0.255.255 192.168.40.0 0.0.0.255
snmp-server community public RO
snmp-server ifindex persist
!
route-map webtraffic permit 10
 match ip address 136
 set ip next-hop 64.81.38.1
!
route-map NAT4Static permit 10
 match ip address NATPERMIT2
!
!
!
radius-server host 192.168.1.6 auth-port 1645 acct-port 1646
radius-server host 192.168.1.6 auth-port 1812 acct-port 1813
radius-server key xxx
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
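An added example, not from the original post or from Cisco: a small Python model of the Serial0/0/0 policy in the config above (the "inbound" ACL plus the stateful TCP inspection), walking one FTP session in active and in passive mode to show why only the active-mode data channel is refused. It assumes the client's traffic leaves through the Serial0/0/0 address and fills the masked last octets with constructed placeholders.

```python
from typing import NamedTuple, Optional

# A TCP flow as seen on the WAN interface (this model covers TCP only).
Flow = NamedTuple("Flow", [("src", str), ("sport", int), ("dst", str), ("dport", int)])
# One access-list entry; None in dst/dport stands for "any".
Ace = NamedTuple("Ace", [("action", str), ("dst", Optional[str]), ("dport", Optional[int])])

ROUTER_WAN = "64.81.85.10"  # Serial0/0/0 address, 64.81.85.x on the page (last octet constructed)
FTP_SERVER = "64.39.59.20"  # customer server, 64.39.59.x on the page (last octet constructed)
NAT_HOST = "64.81.94.10"    # statically NATed host, 64.81.94.xx on the page (constructed)

# TCP entries of "ip access-list extended inbound" taken from the page.
INBOUND_ACL = [
    Ace("permit", NAT_HOST, 21),    # permit tcp any host 64.81.94.xx eq ftp
    Ace("permit", ROUTER_WAN, 22),  # permit tcp any host 64.81.85.xx eq 22
    Ace("permit", NAT_HOST, 443),   # permit tcp any host 64.81.94.xx eq 443
]

def acl_permits(flow: Flow) -> bool:
    """First-match evaluation; every IOS ACL ends with an implicit deny."""
    for ace in INBOUND_ACL:
        if ace.dst in (None, flow.dst) and ace.dport in (None, flow.dport):
            return ace.action == "permit"
    return False

class Firewall:
    """Return packets of remembered outbound sessions pass even though the
    inbound ACL never lists them, which is what 'ip inspect myfw tcp' does."""
    def __init__(self) -> None:
        self.sessions = set()

    def outbound(self, flow: Flow) -> None:
        self.sessions.add(flow)

    def inbound_allowed(self, flow: Flow) -> bool:
        reverse = Flow(flow.dst, flow.dport, flow.src, flow.sport)
        return reverse in self.sessions or acl_permits(flow)

def ftp_session(active: bool, cport: int = 40000, dport: int = 52000) -> dict:
    """Walk one FTP session through the model: control channel, then data."""
    fw = Firewall()
    fw.outbound(Flow(ROUTER_WAN, cport, FTP_SERVER, 10021))
    control = fw.inbound_allowed(Flow(FTP_SERVER, 10021, ROUTER_WAN, cport))
    if active:  # the server connects from port 20 to the port the client announced
        data = fw.inbound_allowed(Flow(FTP_SERVER, 20, ROUTER_WAN, cport + 1))
    else:       # the client connects out to the port the server announced
        fw.outbound(Flow(ROUTER_WAN, cport + 1, FTP_SERVER, dport))
        data = fw.inbound_allowed(Flow(FTP_SERVER, dport, ROUTER_WAN, cport + 1))
    return {"control": control, "data": data}
```

The generic tcp inspector in the config cannot learn the port the client announces in its PORT command, and the CBAC ftp inspector that can read it is blind once the control channel is TLS-encrypted, so passive mode is what works through a stateful firewall without opening inbound ports.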
!
Question Stats
Zone: Networking
Question Asked By: andersenks
Solution Provided By: stsonline
Participating Experts: 1
Solution Grade: B
Views: 66
04.23.2008 at 10:45PM PDT, ID: 21428013

All comments and solutions are available to Premium Service Members only.
04.24.2008 at 12:27PM PDT, ID: 21434282