Solved

for lrmoore ftp problem after Cisco install

Posted on 2003-12-09 | 684 Views | Last Modified: 2013-11-29
Since changing my web/everything server to point to the Cisco instead of my dsl router, my ftp quit working. I have some scripts and they are not completing. When I try to do a put, they hang. After doing some troubleshooting I found out if I do passive ftp they work. I need one of 2 solutions. An ftp command to make my ftp script work in passive mode or a mod to my cisco run to allow the ftp to work.

Again thanks for any help, Troy
Question by: troyd1
18 Comments
 
Expert Comment by lrmoore (LVL 79), ID 9905944
Did you add an acl line to permit ftp?

ip access-list extended outside_in
 permit tcp any host a.b.c.d eq ftp
 permit tcp any host a.b.c.d eq ftp-data
<rest of acl>
# and add logging to the end of the acl:
 deny ip any any log
!

Now you can watch your logs and see which ports are getting blocked and open them appropriately in your acl...

Author Comment by troyd1, ID 9906151
I tried it and it still hangs. I already had the ftp line in the script. I now added the ftp-data line. I am ftping from my server to another server in case I did not make that clear. How do I check the logging? There is the static route for 192.168.1.80 and 209.59.42.150. I used the 209.59.42.150 for the a.b.c.d. Was this correct?
Expert Comment by lrmoore (LVL 79), ID 9906672
>How do I check the logging?

If you have enabled logging to buffer:

logging buffered 4096

then you can use "sho log"

>I used the 209.59.42.150 for the a.b.c.d. Was this correct?
Yes
Author Comment by troyd1, ID 9908118
My ftp still hangs. I tried permit tcp any any eq ftp-data, and that did not work either.  Any ideas? Also, how do I clear the log? Is there a way to do passive ftp from a command prompt in windows?
Expert Comment by lrmoore (LVL 79), ID 9908192
Can you post results of

router#show ip access-list <name>

Did you remove/delete/rebuild/re-apply the entire access-list when you changed it?
Do you get any deny entries in the log?

router#clear log

I don't think the command line FTP in windows will go to passive mode. You can in IE6, or in another FTP client like WSFtp or CuteFTP....
Author Comment by troyd1, ID 9908264
Here it is:
I had permit tcp any host 209.59.42.150 eq ftp-data, and that did not work. It seemed to be trying to come in through my router IP (209.72.250.206), so I tried that. After trying to do a few ftp transfers it seems to be coming back on a bunch of different IPs: 209.72.250.206, 209.59.42.145-159. I just deleted and added, I did not delete/rebuild the whole access-list. How do I re-apply it?

Extended IP access list outside_in
    permit tcp any any established (653944 matches)
    permit udp any eq domain any (6100 matches)
    permit icmp any any unreachable (52 matches)
    permit icmp any any time-exceeded (62 matches)
    permit icmp any any echo-reply (101 matches)
    permit tcp any host 209.72.250.206 eq telnet (20 matches)
    permit tcp any host 209.59.42.150 eq www (2470 matches)
    permit tcp any host 209.59.42.150 eq ftp
    permit tcp any host 209.59.42.150 eq telnet (366 matches)
    permit icmp any any echo (360399 matches)
    permit tcp any host 209.59.42.145 eq 5004
    permit udp any host 209.59.42.145 eq 5004
    permit tcp any host 209.59.42.145 eq 5005
    permit udp any host 209.59.42.145 eq 5005
    permit tcp any host 209.59.42.145 eq 5566
    permit udp any host 209.59.42.145 eq 5566
    permit tcp any host 209.59.42.145 eq 5567
    permit udp any host 209.59.42.145 eq 5567
    permit tcp any host 209.59.42.150 eq 5631 (2 matches)
    permit udp any host 209.59.42.150 eq 5632 (1 match)
    permit tcp any host 209.59.42.146 eq 5631
    permit udp any host 209.59.42.146 eq 5632
    permit tcp any host 209.59.42.147 eq 5631
    permit udp any host 209.59.42.147 eq 5632
    permit tcp any host 209.59.42.148 eq 5631
    permit udp any host 209.59.42.148 eq 5632
    permit tcp any host 209.59.42.149 eq 5631
    permit udp any host 209.59.42.149 eq 5632
    permit tcp any host 209.72.250.206 eq ftp-data
    deny ip any any log (109 matches)
Author Comment by troyd1, ID 9908654
Also, the 5004, 5005, 5566 and 5567 are for my ip phone. I was not sure if it was tcp or udp.
Author Comment by troyd1, ID 9911839
Another note, I have a second NIC in my server that I also have connected to the network. It has the address of 192.168.1.81. I have the default gateway on that one set to the dsl router. I did a tracert to the ftp server I am trying to send to and it is going through the cisco. I am doing this so I can get to my server through either place using pcanywhere. Are there any repercussions to doing this? How do you control which card your traffic goes out on? It appears to be using the card I want it to.
Expert Comment by lrmoore (LVL 79), ID 9912967
One thing to add in the acl that might help:

Assuming that you know the IP address of the ftp server. For example's sake = 12.34.56.7
And public static NAT of the system you're trying to ftp from = 209.59.42.150

permit tcp host 12.34.56.7 gt 1024 host 209.59.42.150

As for having two NICs in the server, you can only have one default gateway. You cannot dictate which packets go out which NIC unless you add them manually to the route table.

Author Comment by troyd1, ID 9913022
Do I need to reload/reapply changes or are they active once you enter them?
Expert Comment by lrmoore (LVL 79), ID 9913148
To change an acl (hint: keep a script like this to make it easy)
# remove from interface
interface serial 0.370
 no ip access-group outside_in in

# delete the access-list
no ip access-list extended outside_in

# reload the whole acl w/changes:
ip access-list extended outside_in
    permit tcp any any established
    permit udp any eq domain any
    permit icmp any any unreachable
    permit icmp any any time-exceeded
    permit icmp any any echo-reply
    permit tcp any host 209.72.250.206 eq telnet
    permit tcp any host 209.59.42.150 eq www
    permit tcp any host 209.59.42.150 eq ftp
    permit tcp any host 209.59.42.150 eq telnet
    permit icmp any any echo
    permit tcp any host 209.59.42.145 eq 5004
    permit udp any host 209.59.42.145 eq 5004
    permit tcp any host 209.59.42.145 eq 5005
    permit udp any host 209.59.42.145 eq 5005
    permit tcp any host 209.59.42.145 eq 5566
    permit udp any host 209.59.42.145 eq 5566
    permit tcp any host 209.59.42.145 eq 5567
    permit udp any host 209.59.42.145 eq 5567
    permit tcp any host 209.59.42.150 eq 5631
    permit udp any host 209.59.42.150 eq 5632
    permit tcp any host 209.59.42.146 eq 5631
    permit udp any host 209.59.42.146 eq 5632
    permit tcp any host 209.59.42.147 eq 5631
    permit udp any host 209.59.42.147 eq 5632
    permit tcp any host 209.59.42.148 eq 5631
    permit udp any host 209.59.42.148 eq 5632
    permit tcp any host 209.59.42.149 eq 5631
    permit udp any host 209.59.42.149 eq 5632
    permit tcp host 12.34.56.7 gt 1024 host 209.59.42.150   <-- added line
    deny ip any any log

# re-apply the acl to the interface
interface serial 0.370
 ip access-group outside_in in

end
Author Comment by troyd1, ID 9913287
I see the problem now. It is trying to return info on port 20 (probably not ftp-data). Probably some ftp reply. Is there any security risk to allow port 20 open on the server?
Expert Comment by lrmoore (LVL 79), ID 9913375
No..
ftp-data "should" be port 20
Accepted Solution by lrmoore (LVL 79, earned 100 total points), ID 9913446
>permit tcp any host 209.72.250.206 eq ftp-data

I guess that should have been
permit tcp any host 209.59.42.150  eq ftp-data
Author Comment by troyd1, ID 9913693
It works now. I think the problem is that it was denying ftp-data even with that line in it because it looks like from the log that it was sending on 20, but was trying to receive it on a port > 1024. Ex.:
......list outside_in denied tcp 63.209.23.16(20) -> 209.59.42.150(3045), 1 packet. With 63.209.23.16 being the ftp server.
Can you explain this a little?
Expert Comment by lrmoore (LVL 79), ID 9914659
Perhaps this in-depth discussion of passive vs active FTP will help you understand..

http://slacksite.com/other/ftp.html
Author Comment by troyd1, ID 9915427
Thanks for the info.
Author Comment by troyd1, ID 9924834
It was still not working, but I figured out what was wrong.

I needed:
permit tcp host (ftpserver) eq ftp-data host 209.59.42.150

The
permit tcp host a.b.c.d gt 1024 host 209.59.42.150 was needed also, but the above line made it work.

I thought I would include this reply in case someone refers to this question.

Again, thanks. This has been a good learning experience.
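The log line quoted above and the source-port line troyd1 ended up with turn on one detail of extended-ACL syntax: a port operator binds to the address it follows, so `eq ftp-data` after the destination host means destination port 20, while an active-mode data connection arrives from source port 20 to a high destination port as a fresh SYN that the `established` line never covers. The evaluator below is an added example (not the router's code and not posted by anyone in the thread) that parses the thread's own line shapes with first-match semantics and shows which line each packet hits; the packets are constructed from the thread's log line, and the `ack` flag is an assumption standing in for the ACK/RST bits that `established` checks.

```python
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "www": 80, "telnet": 23, "domain": 53}

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_rule(line):
    """Parse '<permit|deny> <proto> <src> [eq|gt P] <dst> [eq|gt P] [established] [log]'."""
    t = line.split()
    r, i = {"action": t[0], "proto": t[1]}, 2
    for side in ("src", "dst"):
        r[side], i = (t[i + 1], i + 2) if t[i] == "host" else ("any", i + 1)
        r[side + "_op"] = None
        if i < len(t) and t[i] in ("eq", "gt"):   # a port operator binds to the address it follows
            r[side + "_op"], i = (t[i], _port(t[i + 1])), i + 2
    r["established"] = "established" in t[i:]
    return r

def _port_ok(op, port):
    return op is None or (port == op[1] if op[0] == "eq" else port > op[1])

def matches(r, pkt):
    """pkt keys: proto, src, sport, dst, dport, ack (ACK/RST set; False for a bare SYN)."""
    return (r["proto"] in ("ip", pkt["proto"])
            and r["src"] in ("any", pkt["src"]) and r["dst"] in ("any", pkt["dst"])
            and _port_ok(r["src_op"], pkt["sport"]) and _port_ok(r["dst_op"], pkt["dport"])
            and (pkt["ack"] or not r["established"]))   # 'established' needs ACK or RST set

def evaluate(acl_lines, pkt):
    """Return (action, matching line); every Cisco ACL ends with an implicit deny."""
    for line in acl_lines:
        r = parse_rule(line)
        if matches(r, pkt):
            return r["action"], line
    return "deny", "<implicit deny>"

# Constructed packets modelled on the thread's log line. In active mode the FTP
# server opens the data connection itself, from port 20, so it arrives inbound as
# a bare SYN that 'established' cannot cover; the control-channel reply carries ACK.
ACTIVE_DATA_SYN = {"proto": "tcp", "src": "63.209.23.16", "sport": 20,
                   "dst": "209.59.42.150", "dport": 3045, "ack": False}
CONTROL_REPLY = dict(ACTIVE_DATA_SYN, sport=21, dport=3044, ack=True)

ORIGINAL_ACL = [
    "permit tcp any any established",
    "permit tcp any host 209.59.42.150 eq ftp",
    "permit tcp any host 209.59.42.150 eq ftp-data",   # 'eq' after the dst = DESTINATION port 20
    "deny ip any any log",
]
# Same list with the source-port form inserted ahead of the final deny.
FIXED_ACL = ORIGINAL_ACL[:3] + ["permit tcp host 63.209.23.16 eq ftp-data host 209.59.42.150"] + ORIGINAL_ACL[3:]
```

Scoping the permit to the one FTP server's address and source port 20 is what keeps the opening narrow: the same SYN aimed at any other host on the /24 still falls through to the logged deny.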