Question

passive ftp behind NAT on cisco 871w

Asked by: dubium

I've attached my current config. I want to host an ftp server (ftp over ssl, so port 990) on 10.10.10.3. I've already opened up port 990 below, but that's only the control connection. I want to allow passive connections. How can I forward a range of ports for this purpose? Or is there a more elegant setup?

Building configuration...
 
Current configuration : 6923 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxxxxxxxx
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool sdm-pool1
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1 
!
ip dhcp pool maincomp
   host 10.10.10.2 255.255.255.0
   client-identifier 0100.0e0c.718c.33
!
ip dhcp pool qt1
   host 10.10.10.3 255.255.255.0
   client-identifier 0100.1422.4a66.42
!
!
ip tcp synwait-time 10
no ip bootp server
no ip domain lookup
ip domain name xxxxxxxx
ip ssh time-out 60
ip ssh authentication-retries 2
ip ddns update method sdm_ddns1
 HTTP
  add xxxxxx
  remove xxxxxxx
!
!
!
crypto pki trustpoint TP-self-signed-1774843829
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1774843829
 revocation-check none
 rsakeypair TP-self-signed-1774843829
!
!
crypto pki certificate chain TP-self-signed-1774843829
 certificate self-signed 01
 xxxxxxxxx
  quit
username xxxxxxx privilege 15 secret 5 xxxxxxxxxx
!
! 
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dot11Radio0
 no ip address
 !
 encryption mode ciphers tkip 
 !
 ssid wireless
    authentication open 
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 7 xxxxxxxxxxxxx
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 bridge-group 1
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username xxxxxxx password 7 xxxxxxxx
 ppp ipcp dns request
 ppp ipcp address accept
!
interface BVI1
 description $ES_LAN$
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 10.10.10.3 990 interface Dialer0 990
ip nat inside source static tcp 10.10.10.3 990 interface Dialer0 990
ip nat inside source static tcp 10.10.10.2 80 interface Dialer0 80
ip nat inside source static tcp 10.10.10.2 3389 interface Dialer0 3389
ip nat inside source static udp 10.10.10.2 3389 interface Dialer0 3389
ip nat inside source static udp 10.10.10.2 80 interface Dialer0 80
ip nat inside source static udp 10.10.10.3 8001 interface Dialer0 8001
ip nat inside source static tcp 10.10.10.3 8001 interface Dialer0 8001
ip nat inside source static tcp 10.10.10.2 16870 interface Dialer0 16870
ip nat inside source static udp 10.10.10.2 16870 interface Dialer0 16870
ip nat inside source static tcp 10.10.10.2 57711 interface Dialer0 57711
ip nat inside source static udp 10.10.10.2 57711 interface Dialer0 57711
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner exec ^CCCCCCCCCCCCCC
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Router and Security Device Manager (SDM) is installed on this device and 
it provides the default username "cisco" for  one-time use. If you have already 
used the username "cisco" to login to the router and your IOS image supports the 
"one-time" user option, then this username has already expired. You will not be 
able to login to the router with this username after you exit this session.
 
It is strongly suggested that you create a new username with a privilege level 
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to 
use.
 
-----------------------------------------------------------------------
^C
banner login ^CCCCCCCCCCCCCCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

                                  
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:
148:
149:
150:
151:
152:
153:
154:
155:
156:
157:
158:
159:
160:
161:
162:
163:
164:
165:
166:
167:
168:
169:
170:
171:
172:
173:
174:
175:
176:
177:
178:
179:
180:
181:
182:
183:
184:
185:
186:
187:
188:
189:
190:
191:
192:
193:
194:
195:
196:
197:
198:
199:
200:
201:
202:
203:
204:
205:
206:
207:
208:
209:
210:
211:
212:
213:
214:
215:

Select allOpen in new window

This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.

Subscribe now for full access to Experts Exchange and get

Instant Access to this Solution

  • Plus...
  • 30 Day FREE access, no risk, no obligation
  • Collaborate with the world's top tech experts
  • Unlimited access to our exclusive solution database
  • Never be left without tech help again

Subscribe Now

Asked On
2009-02-25 at 12:09:18ID24177516
Tags

passive

,

ftp

,

cisco

,

871w

,

router

,

nat

Topics

FTP Servers

,

Miscellaneous Networking

Participating Experts
2
Points
500
Comments
15

Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.

  • "The time we save is the biggest benefit of Experts Exchange to Warner Bros. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange." Mike Kapnisakis, Warner Bros.
  • "Our team likes having a resource that is more secure than just using Google and most experts using this service really know their stuff. It's nice to look here first versus using Google." Dayna Sellner, Lockheed Martin
  • "Anytime that I've been stumped with a problem, 9 out of 10 times Experts Exchange has either the accepted solution or an open discussion of the potential solution to the problem." Kenny Red, eBay Inc.

See what Experts Exchange can do for you.

Got a question?

We've got the answer.

Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.

Screenshot of Experts Exchange Knowledgebase

Need individual assistance?

Our experts are ready to help.

If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.

Screenshot of Experts Exchange Knowledgebase

Want to learn from the best?

Read articles from industry experts.

Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.

Screenshot of an Article

Working on a long term project?

Store your work and research.

Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.

Screenshot of Experts Exchange Knowledgebase

Access the answers to your technology questions today.

Subscribe Now

30-day free trial. Register in 60 seconds.

What Makes Experts Exchange Unique?

Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.

Trusted by the world's most respected brands.

image of each brand's logo

Faithfully serving IT professionals since 1996.

Experts Exchange Logo

Try it out and discover for yourself.

Subscribe Now

30-day free trial. Register in 60 seconds.

Related Solutions

  1. Windows Server 2003 Passive FTP beyond (NAT/Fire…
    Experts, May I ask some help regarding configuration of Windows Server 2003 Passive FTP beyond (NAT/Firewall). My setup has only one public IP and the NAT/Firewall is enabled. DSL internet connection and port 21 is open in the firewall. Internal network works fine but acces...
  2. FTP passive mode
    I setup my ftp with port 20 and 21 open, and set an ip. As most people behind a firewall with NAT and SPI I had to use passive mode in IE to get it to be viewable outside of an FTP program. My question is what can I do so I do not have to make people edit settings in IE to al...
  3. Passive SSL ftp problem PIX 515
    Hi Guys (again) I am setting up an FTP server on the DMZ network of two PIX 515's. The FTP server is WS FTP Serverand has been configured with the correct out going IP address and port range for passive connections, here is the config for the machine I have on the PIX: name...
  4. FTPs and Passive FTP not working behind Cisco PIX 515E
    I am trying to setup Serv-U Corporate Edition for FTP over SSL behind a Cisco PIX 515E Firewall and I am running into some problems. First off, I cannot get passive FTP to work (non-SSL). This is an ongoing problem that exists regardless of what FTP server I have used. I ...
  5. FTP Port Forwarding Passive Mode
    I have setup FileZilla on a server that is behind a CISCO 1720 Router. Obviously it needs to run in passive mode using port forwarding and supporting passive connections. What I have done is: In FileZilla: - assigned the real Internet IP in the passive settings - assigned t...

Free Tech Articles

  1. WARNING: 5 Reasons why you should NEVER fix a computer for free.
    It is in our nature to love the puzzle. We are obsessed. The lot of us. We love puzzles. We love the challenge. We thrive on finding the answer. We hate disarray. It bothers us deep in our soul. W...
  2. SCCM OSD Basic troubleshooting
    SCCM 2007 OSD is a fantastic way to deploy operating systems, however, like most things SCCM issues can sometimes be difficult to resolve due to the sheer volume of logs to sift through and the dispe...
  3. Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2
    This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Windows 2008 R2 with Exchange 2010. For this migration to work you will need the fo...
  4. Create a Win7 Gadget
    This article shows you how to create a simple "Gadget" -- a sort of mini-application supported by Windows 7 and Vista. Gadgets can be dropped anywhere on the desktop to provide instant information, ...
  5. Outlook continually prompting for username and password
    There have been a lot of questions recently regarding Outlook prompting for a username and password whilst using Exchange 2007. There are a few reasons why this would happen and I will try to cover t...
  6. Backup Exchange 2010 Information Store using Windows Backup
    There seems to be quite a lot of confusion around the ability to backup Exchange 2010 using the built in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 s...

Cloud Class Webinars

  1. Avoiding Bugs in Microsoft Access
    Alison Balter takes and in-depth look at avoiding bugs in Access. In this webinar you will learn about using the immediate window to debug your applications, invoking the debugger, using breakpoints to troubleshoot, stepping through code, setting the next statement to execute, ...
  2. Top 10 Best New Features in Visio 2010
    Scott Helmers gives live demonstrations of the top 10 new features in Visio 2010. This webinar will teach you how to create compelling diagrams by adding shapes to the page with a single click, linking the shapes in a diagram to data in Excel (or SQL Server, or SharePoint), ...
  3. IT Consultant Business Secrets Revealed
    Michael Munger, Experts Exchange tech pro and IT consultant, pulls back the curtain on his very successful businesses and answers question on every IT consultant and business owner should know about. He shares secrets on what he did to solve the 5 most common problems in IT, ...
  4. Disaster Recovery and Business Continuity
    Quest CTO, Mike Billon, gives an overview of the steps involved in building a dunamic disaster recovery plan. Through case studies and an examination of software/hardware tooles for monitoring and testing, you'll gain a better understandin of where you are, where you want ...
  5. Organize Your Visio Diagrams with Containers and Lists
    Scott Helmers uses cross functional flowcharts, wireframe diagrams, data graphic legends and seating charts to teach you: how to ustilize all three new structured diagram components in Visio 2010, the best practices for organizeing shapes in previous version of Visio, how to organize ...
  6. How to Us Objects, Properties, Events and Methods in Microsoft Access
    Alison Dalter gives an in-depbth look at objects, properties, events and methods in Microsoft Access. In this webinar you will learn about using the object browser, referring to objects, working with properties and methods, working with object variables, understanding the ...

Join the Community

Give a Little. Get a Lot.

Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.

Join the Community

Answers

 

by: leibinusaPosted on 2009-02-25 at 13:16:18ID: 23738516

set up firewall on router "ip inspect" and enable inspection on ftp. the firewall will open ports for ftp automatically.

 

by: dubiumPosted on 2009-02-25 at 13:25:09ID: 23738601

I don't have the firewall enabled, currently, I think. You're saying I need to have it on to get this to work?

 

by: dubiumPosted on 2009-02-25 at 17:10:15ID: 23740494

Specifically, if you could please give me the exact commands to enter, given the above config file, I would appreciate it. Thank you.

 

by: giltjrPosted on 2009-03-11 at 05:23:45ID: 23856228

You are going to have some problems with this.  First inspect for ftp will most likely NOT work, I'm 99.99999% sure on this.  Why, because the control session is encrypted (TLS) and so the 871W will NOT be able to see the PASV command.  

Why I am only 99.9999% sure?  Easy, because there is a CCC command that will tell the FTP server that the next command will be sent in clear text.  If you have a client and a server that supports the CCC command and you are allowed to use the CCC command (some security teams do not want even one command bening sent in clear text over a TSL sessions), then all you need to do is enabled the inspect for ftp and in your ftp process issue the CCC command just prior to the PUT/GET/MPUT/MGET command.

Now, if you for some reason can not use the CCC command then you need to:

    Setup your FTP server to only use a specific port range for the data connection.  
    Code the necessary NAT's to for those ports.

After that you still may have problems.  If your ftp server supports it, you need to configure it to use the PUBLIC ip address you are NAT'ing to for the PASV command.  If your ftp server does not support this, then you need to make sure that it and all ftp clients support Extended Passive (EPSV).

Normally the server will put its IP address and the port number it is listening on for the data connection on the PASV command.  Since your servers IP address is non-routable on the Internet the client will not be able to get to it.  And since the PASV command will be encrypted, your router/firewall can't replace it with the NAT'ed address.  What EPSV does is just send the port, the client assumes that the address for the data connection is the same as the control session.

 

by: dubiumPosted on 2009-03-11 at 08:07:20ID: 23858144

So how do people actually get FTP to work behind cisco routers? This must be a common problem.

 

by: giltjrPosted on 2009-03-11 at 08:17:22ID: 23858266

FTP works fine behind just about any firewall/router.  The issue is not with FTP, it with TSL'ed FTP.

In my experience when using TLS'ed FTP they:

    1) Setup the FTP server to only use a specific range of ports for the data connections.  
    2) Setup all filtering devices to allow inbound traffic to the ftp server using the port ranged defined in #1
    3) Make sure all clients and the ftp server support Extended Passive.

What FTP server are you using?



 

by: dubiumPosted on 2009-03-11 at 08:41:41ID: 23858612

I'm using filezilla.

 

by: giltjrPosted on 2009-03-11 at 10:15:04ID: 23859694

O.k., if this FTP server is going to be used by people coming from the Internet only you can configure FileZilla to use the external/public IP address for passive mode data transfers.

If you go into the sever options and select passive mode settings, you can configure a specific IP external IP adress. On this same page is where you can configure what port range to use for passive tranfers.  

Now, if you do NOT have a static external IP address you can check the "Retrieve external IP address from:" box.

 

by: dubiumPosted on 2009-03-11 at 12:02:55ID: 23860961

Right, but how do I set a port range for forwarding on the router? Thanks.

 

by: giltjrPosted on 2009-03-11 at 12:16:18ID: 23861132

I don't think there is a range option on the static nat, so you would need to do something like:


ip nat inside source static tcp 10.10.10.3 10000 interface Dialer0 10000
ip nat inside source static tcp 10.10.10.3 10001 interface Dialer0 10001
ip nat inside source static tcp 10.10.10.3 10002 interface Dialer0 10002
ip nat inside source static tcp 10.10.10.3 10003 interface Dialer0 10003
ip nat inside source static tcc 10.10.10.3 10004 interface Dialer0 10004
 "
 "
ip nat inside source static tcp 10.10.10.3 10049 interface Dialer0 10049

If you wanted to use ports 10000 - 10049.  Do you have multiple public IP addresses?  If so, it may be easier to just give this ftp server its own public IP address.


 

by: giltjrPosted on 2009-09-02 at 04:39:56ID: 25239867

I would like to know why he wants this closed.  The reason stated is just the letter "a".

 

by: dubiumPosted on 2009-09-02 at 15:22:27ID: 31551273

Partial solution

20120131-EE-VQP-002

3 Ways to Join

30-Day Free Trial

The Experts

98% positive feedback on 31,087 answers since March 2000. angeliii is a Microsoft Most Valuable Professional for his work with MS SQL Server & Develoment.

He has also proven his knowledge of Visual Basic Programming, PHP Scripting and Oracle Databases.

The Experts

97% positive feedback on 10,752 answers since July 2000. lrmoore has more than 18 years experience in the networking industry.

The six-time Mircosoft MVPs specialties include firewalls, virtual private networking, and network management.

Testimonials

"...and excellent source for support... Kind of like having your very own IT dept." Electriciansnet

Testimonials

"I was apprehensive at signing up at first. However... it has already made my life as an IT administrator much easier." JaCrews

Testimonials

"WOW! You guys have great, active, and knowledgeable people on here." moore50

Business Clients

Business Clients

In the Press

"If you’ve got a question... Experts Exchange can supply an answer.”

In the Press

"...an invaluable aid for both IT professionals and those who require tech support."

In the Press

"where IT professionals provide quick answers on just about any topic"

Business Account Plans

Loading Advertisement...