for lrmoore ftp problem after Cisco install

Since changing my web/everything server to point to the Cisco instead of my dsl router, my ftp quit working. I have some scripts and they are not completing. When I try to do a put, they hang. After doing some troubleshooting I found out if I do passive ftp they work. I need one of 2 solutions. An ftp command to make my ftp script work in passive mode or a mod to my cisco run to allow the ftp to work.

Again thanks for any help, Troy
troyd1Asked:

lrmooreCommented:
Did you add an acl line to permit ftp?

ip access-list extended outside_in
 permit tcp any host a.b.c.d eq ftp
 permit tcp any host a.b.c.d eq ftp-data
 <rest of acl>
 ! and add logging to the end of the acl:
 deny ip any any log
!

Now you can watch your logs and see which ports are getting blocked and open them appropriately in your acl...

0
troyd1Author Commented:
I tried it and it still hangs. I already had the ftp line in the script. I now added the ftp-data line. I am ftping from my server to another server in case I did not make that clear. How do I check the logging? There is the static route for 192.168.1.80 and 209.59.42.150. I used the 209.59.42.150 for the a.b.c.d. Was this correct?
0
lrmooreCommented:
>How do I check the logging?

If you have enabled logging to buffer:

logging buffered 4096

then you can use "show logging"

>I used the 209.59.42.150 for the a.b.c.d. Was this correct?
Yes
0

troyd1Author Commented:
My ftp still hangs. I tried permit tcp any any eq ftp-data, and that did not work either. Any ideas? Also, how do I clear the log? Is there a way to do passive ftp from a command prompt in Windows?
0
lrmooreCommented:
Can you post results of

router#show ip access-list <name>

Did you remove/delete/rebuild/re-apply the entire access-list when you changed it?
Do you get any deny entries in the log?

router#clear log

I don't think the command line FTP in windows will go to passive mode. You can in IE6, or in another FTP client like WSFtp or CuteFTP....


0
troyd1Author Commented:
Here it is:
I had permit tcp any host 209.59.42.150 eq ftp-data, and that did not work. It seemed to be trying to come in through my router IP (209.72.250.206), so I tried that. After trying to do a few ftp transfers it seems to be coming back on a bunch of different IPs: 209.72.250.206, 209.59.42.145-159. I just deleted and added; I did not delete/rebuild the whole access-list. How do I re-apply it?

Extended IP access list outside_in
    permit tcp any any established (653944 matches)
    permit udp any eq domain any (6100 matches)
    permit icmp any any unreachable (52 matches)
    permit icmp any any time-exceeded (62 matches)
    permit icmp any any echo-reply (101 matches)
    permit tcp any host 209.72.250.206 eq telnet (20 matches)
    permit tcp any host 209.59.42.150 eq www (2470 matches)
    permit tcp any host 209.59.42.150 eq ftp
    permit tcp any host 209.59.42.150 eq telnet (366 matches)
    permit icmp any any echo (360399 matches)
    permit tcp any host 209.59.42.145 eq 5004
    permit udp any host 209.59.42.145 eq 5004
    permit tcp any host 209.59.42.145 eq 5005
    permit udp any host 209.59.42.145 eq 5005
    permit tcp any host 209.59.42.145 eq 5566
    permit udp any host 209.59.42.145 eq 5566
    permit tcp any host 209.59.42.145 eq 5567
    permit udp any host 209.59.42.145 eq 5567
    permit tcp any host 209.59.42.150 eq 5631 (2 matches)
    permit udp any host 209.59.42.150 eq 5632 (1 match)
    permit tcp any host 209.59.42.146 eq 5631
    permit udp any host 209.59.42.146 eq 5632
    permit tcp any host 209.59.42.147 eq 5631
    permit udp any host 209.59.42.147 eq 5632
    permit tcp any host 209.59.42.148 eq 5631
    permit udp any host 209.59.42.148 eq 5632
    permit tcp any host 209.59.42.149 eq 5631
    permit udp any host 209.59.42.149 eq 5632
    permit tcp any host 209.72.250.206 eq ftp-data
    deny ip any any log (109 matches)
0
troyd1Author Commented:
Also, the 5004, 5005, 5566 and 5567 are for my ip phone. I was not sure if it was tcp or udp.
0
troyd1Author Commented:
Another note, I have a second NIC in my server that I also have connected to the network. It has the address 192.168.1.81. I have the default gateway on that one set to the DSL router. I did a tracert to the ftp server I am trying to send to and it is going through the Cisco. I am doing this so I can get to my server through either place using pcAnywhere. Are there any repercussions to doing this? How do you control which card your traffic goes out on? It appears to be using the card I want it to.
0
lrmooreCommented:
One thing to add in the acl that might help:

Assuming that you know the IP address of the ftp server. For example's sake = 12.34.56.7
And the public static NAT of the system you're trying to ftp from = 209.59.42.150

permit tcp host 12.34.56.7 gt 1024 host 209.59.42.150

As for having two NICs in the server, you can only have one default gateway. You cannot dictate which packets go out which NIC unless you add them manually to the route table.

0
troyd1Author Commented:
Do I need to reload/reapply changes or are they active once you enter them?
0
lrmooreCommented:
To change an acl (hint: keep a script like this to make it easy)
! remove from interface
interface serial 0.370
 no ip access-group outside_in in

! delete the access-list
no ip access-list extended outside_in

! reload the whole acl w/changes:
ip access-list extended outside_in
    permit tcp any any established
    permit udp any eq domain any
    permit icmp any any unreachable
    permit icmp any any time-exceeded
    permit icmp any any echo-reply
    permit tcp any host 209.72.250.206 eq telnet
    permit tcp any host 209.59.42.150 eq www
    permit tcp any host 209.59.42.150 eq ftp
    permit tcp any host 209.59.42.150 eq telnet
    permit icmp any any echo
    permit tcp any host 209.59.42.145 eq 5004
    permit udp any host 209.59.42.145 eq 5004
    permit tcp any host 209.59.42.145 eq 5005
    permit udp any host 209.59.42.145 eq 5005
    permit tcp any host 209.59.42.145 eq 5566
    permit udp any host 209.59.42.145 eq 5566
    permit tcp any host 209.59.42.145 eq 5567
    permit udp any host 209.59.42.145 eq 5567
    permit tcp any host 209.59.42.150 eq 5631
    permit udp any host 209.59.42.150 eq 5632
    permit tcp any host 209.59.42.146 eq 5631
    permit udp any host 209.59.42.146 eq 5632
    permit tcp any host 209.59.42.147 eq 5631
    permit udp any host 209.59.42.147 eq 5632
    permit tcp any host 209.59.42.148 eq 5631
    permit udp any host 209.59.42.148 eq 5632
    permit tcp any host 209.59.42.149 eq 5631
    permit udp any host 209.59.42.149 eq 5632
    ! added line:
    permit tcp host 12.34.56.7 gt 1024 host 209.59.42.150
    deny ip any any log

! re-apply the acl to the interface
interface serial 0.370
 ip access-group outside_in in

end


0
troyd1Author Commented:
I see the problem now. It is trying to return info on port 20 (probably not ftp-data). Probably some ftp reply. Is there any security risk to allow port 20 open on the server?
0
lrmooreCommented:
No..
ftp-data "should" be port 20
0
lrmooreCommented:
>permit tcp any host 209.72.250.206 eq ftp-data

I guess that should have been
permit tcp any host 209.59.42.150  eq ftp-data


0

troyd1Author Commented:
It works now. I think the problem is that it was denying ftp-data even with that line in it because it looks like from the log that it was sending on 20, but was trying to receive it on a port > 1024. Ex.:
......list outside_in denied tcp 63.209.23.16(20) -> 209.59.42.150(3045), 1 packet. With 63.209.23.16 being the ftp server.
Can you explain this a little.
0
lrmooreCommented:
Perhaps this in-depth discussion of passive vs active FTP will help you understand..

http://slacksite.com/other/ftp.html
0
troyd1Author Commented:
Thanks for the info.
0
troyd1Author Commented:
It was still not working, but I figured out what was wrong.

I needed:
permit tcp host (ftpserver) eq ftp-data host 209.59.42.150

The
permit tcp host a.b.c.d gt 1024 host 209.59.42.150 was needed also, but the above line made it work.

I thought I would include this reply in case someone refers to this question.

Again, thanks. This has been a good learning experience.
0
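The denied log line and the final fix in the two posts above come down to one detail of IOS extended ACL syntax: a port operator binds to the address it follows, so `permit tcp any host 209.59.42.150 eq ftp-data` only matches packets whose *destination* port is 20, while an active-mode FTP server dials back *from* port 20 to an ephemeral port on the client. The script below is an added example, not code from the thread: it models a small subset of extended-ACL matching (only `any`/`host X` addresses, `eq`/`gt`/`lt` port operators, and `established` treated as "ACK set"), rebuilds the packet from the log line the question author quoted, and evaluates it against the original and corrected ACLs. The client and server addresses are the ones in the thread; the ephemeral ports, the passive data port and the exact log line are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS port keywords used in the thread's ACL, mapped to port numbers.
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "www": 80, "telnet": 23, "domain": 53}


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # True once a TCP session is open; IOS 'established' keys on ACK/RST


@dataclass
class Ace:
    """One entry parsed from 'permit|deny <proto> <src> [op port] <dst> [op port] [established] [log]'."""
    action: str
    proto: str
    src: Optional[str]                # None means 'any'
    sport: Optional[Tuple[str, int]]  # (op, port), or None when no port operator is given
    dst: Optional[str]
    dport: Optional[Tuple[str, int]]
    established: bool
    text: str


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_ace(line: str) -> Ace:
    toks = line.split()
    action, proto, i = toks[0], toks[1], 2

    def addr() -> Optional[str]:
        nonlocal i
        if toks[i] == "any":
            i += 1
            return None
        assert toks[i] == "host", f"only 'any' and 'host X' are modelled: {line}"
        i += 2
        return toks[i - 1]

    def portop() -> Optional[Tuple[str, int]]:
        nonlocal i
        if i < len(toks) and toks[i] in ("eq", "gt", "lt"):
            cond = (toks[i], _port(toks[i + 1]))
            i += 2
            return cond
        return None

    src, sport = addr(), portop()   # operator right after the source binds to the SOURCE port
    dst, dport = addr(), portop()   # operator after the destination binds to the DESTINATION port
    return Ace(action, proto, src, sport, dst, dport, "established" in toks[i:], line.strip())


def _port_ok(cond: Optional[Tuple[str, int]], port: int) -> bool:
    if cond is None:
        return True
    op, p = cond
    return {"eq": port == p, "gt": port > p, "lt": port < p}[op]


def ace_matches(a: Ace, pkt: Packet) -> bool:
    if a.proto not in ("ip", pkt.proto):
        return False
    if a.src not in (None, pkt.src) or a.dst not in (None, pkt.dst):
        return False
    if not (_port_ok(a.sport, pkt.sport) and _port_ok(a.dport, pkt.dport)):
        return False
    return pkt.ack or not a.established


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, str]:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl):
        if ace_matches(ace, pkt):
            return ace.action, ace.text
    return "deny", "implicit deny"


LOG_RE = re.compile(r"denied (\w+) (\S+)\((\d+)\) -> (\S+)\((\d+)\)")


def packet_from_log(line: str) -> Packet:
    """Rebuild the packet described by an IOS 'list <acl> denied ...' log entry."""
    proto, src, sport, dst, dport = LOG_RE.search(line).groups()
    return Packet(proto, src, int(sport), dst, int(dport))


def data_connection_syn(mode: str, client: str, client_port: int, server: str, server_port: int = 20) -> Packet:
    """First packet of the FTP data connection in each mode, as the client's inbound ACL sees it."""
    if mode == "active":   # client sent PORT; the server dials back from port 20
        return Packet("tcp", server, 20, client, client_port)
    if mode == "passive":  # server answered PASV; the client dials out from an ephemeral port
        return Packet("tcp", client, client_port, server, server_port)
    raise ValueError(mode)


def reply(pkt: Packet) -> Packet:
    """The other side's answer to a packet: addresses swapped and ACK set."""
    return Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport, ack=True)


# Constructed sample in the thread's log format; addresses are the ones quoted in the thread.
CLIENT, SERVER = "209.59.42.150", "63.209.23.16"
LOG_LINE = "list outside_in denied tcp 63.209.23.16(20) -> 209.59.42.150(3045), 1 packet"

ORIGINAL_ACL = [
    "permit tcp any any established",
    "permit tcp any host 209.59.42.150 eq ftp",
    "permit tcp any host 209.59.42.150 eq ftp-data",  # 'eq' binds to the destination port here
    "deny ip any any log",
]
FIXED_ACL = ORIGINAL_ACL[:3] + [
    "permit tcp host 63.209.23.16 eq ftp-data host 209.59.42.150",  # source port 20 from the server
    "deny ip any any log",
]

if __name__ == "__main__":
    logged = packet_from_log(LOG_LINE)
    print("logged packet is the active-mode data SYN:",
          logged == data_connection_syn("active", CLIENT, 3045, SERVER))
    passive_reply = reply(data_connection_syn("passive", CLIENT, 3045, SERVER, 50000))
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(f"{name:8s} active : {evaluate(acl, logged)}")
        print(f"{name:8s} passive: {evaluate(acl, passive_reply)}")
```

Running it shows the two outcomes the thread arrived at: in active mode the server's SYN from port 20 falls through to `deny ip any any log` under the original list and is accepted only by the entry whose `eq ftp-data` sits on the source side; in passive mode the client opens the data connection itself, so every inbound packet already carries ACK and is accepted by `permit tcp any any established` without any FTP-specific entry. The `gt 1024` entry suggested earlier in the thread can never match the active-mode SYN, because that packet's source port is 20.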