Solved

for lrmoore ftp problem after Cisco install

Posted on 2003-12-09
18
686 Views
Last Modified: 2013-11-29
Since changing my web/everything server to point to the Cisco instead of my dsl router, my ftp quit working. I have some scripts and they are not completing. When I try to do a put, they hang. After doing some troubleshooting I found out if I do passive ftp they work. I need one of 2 solutions. An ftp command to make my ftp script work in passive mode or a mod to my cisco run to allow the ftp to work.

Again thanks for any help, Troy
0
Comment
Question by:troyd1
18 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 9905944
Did you add an acl line to permit ftp?

ip access-list extended outside_in
 permit tcp any host a.b.c.d eq ftp
 permit tcp any host a.b.c.d eq ftp-data
<rest of acl>
# and add logging to the end of the acl:
 deny ip any any log
!

Now you can watch your logs and see which ports are getting blocked and open them appropriately in your acl...

0
 

Author Comment

by:troyd1
ID: 9906151
I tried it and it still hangs. I already had the ftp line in the script. I now added the ftp-data line. I am ftping from my server to another server in case I did not make that clear. How do I check the logging? There is the static route for 192.168.1.80 and 209.59.42.150. I used the 209.59.42.150 for the a.b.c.d. Was this correct?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9906672
>How do I check the logging?

If you have enabled logging to buffer:

logg buff 4096

then you can use "sho log"

>I used the 209.59.42.150 for the a.b.c.d. Was this correct?
Yes
0

 

Author Comment

by:troyd1
ID: 9908118
My ftp still hangs. I tried permit tcp any any eq ftp-data, and that did not work either.  Any ideas? Also, how do I clear the log? Is there a way to do passive ftp from a command prompt in windows?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9908192
Can you post results of

router#show ip access-list <name>

Did you remove/delete/rebuild/re-apply the entire access-list when you changed it?
Do you get any deny entries in the log?

router#clear log

I don't think the command line FTP in windows will go to passive mode. You can in IE6, or in another FTP client like WSFtp or CuteFTP....


0
 

Author Comment

by:troyd1
ID: 9908264
Here it is:
I had permit tcp any host 209.59.42.150 eq ftp-data, and that did not work. It seemed to be trying to come in through my router IP (209.72.250.206), so I tried that. After trying to do a few ftp transfers it seems to be coming back on a bunch of different IPs: 209.72.250.206, 209.59.42.145-159. I just deleted and added, I did not delete/rebuild the whole access-list. How do I re-apply it?

Extended IP access list outside_in
    permit tcp any any established (653944 matches)
    permit udp any eq domain any (6100 matches)
    permit icmp any any unreachable (52 matches)
    permit icmp any any time-exceeded (62 matches)
    permit icmp any any echo-reply (101 matches)
    permit tcp any host 209.72.250.206 eq telnet (20 matches)
    permit tcp any host 209.59.42.150 eq www (2470 matches)
    permit tcp any host 209.59.42.150 eq ftp
    permit tcp any host 209.59.42.150 eq telnet (366 matches)
    permit icmp any any echo (360399 matches)
    permit tcp any host 209.59.42.145 eq 5004
    permit udp any host 209.59.42.145 eq 5004
    permit tcp any host 209.59.42.145 eq 5005
    permit udp any host 209.59.42.145 eq 5005
    permit tcp any host 209.59.42.145 eq 5566
    permit udp any host 209.59.42.145 eq 5566
    permit tcp any host 209.59.42.145 eq 5567
    permit udp any host 209.59.42.145 eq 5567
    permit tcp any host 209.59.42.150 eq 5631 (2 matches)
    permit udp any host 209.59.42.150 eq 5632 (1 match)
    permit tcp any host 209.59.42.146 eq 5631
    permit udp any host 209.59.42.146 eq 5632
    permit tcp any host 209.59.42.147 eq 5631
    permit udp any host 209.59.42.147 eq 5632
    permit tcp any host 209.59.42.148 eq 5631
    permit udp any host 209.59.42.148 eq 5632
    permit tcp any host 209.59.42.149 eq 5631
    permit udp any host 209.59.42.149 eq 5632
    permit tcp any host 209.72.250.206 eq ftp-data
    deny ip any any log (109 matches)
0
 

Author Comment

by:troyd1
ID: 9908654
Also, the 5004, 5005, 5566 and 5567 are for my ip phone. I was not sure if it was tcp or udp.
0
 

Author Comment

by:troyd1
ID: 9911839
Another note, I have a second NIC in my server that I also have connected to the network. It has the address of 192.168.1.81. I have the default gateway on that one set to the dsl router. I did a tracert to the ftp server I am trying to send to and it is going through the cisco. I am doing this so I can get to my server through either place using pcanywhere. Are there any repercussions to doing this? How do you control which card your traffic goes out on? It appears to be using the card I want it to.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9912967
One thing to add in the acl that might help:

Assuming that you know the IP address of the ftp server. For example's sake = 12.34.56.7
And public static NAT of the system you're trying to ftp from = 209.59.42.150

permit tcp host 12.34.56.7 gt 1024 host 209.59.42.150

As for having two NICs in the server, you can only have one default gateway. You cannot dictate which packets go out which NIC unless you add them manually to the route table.

0
 

Author Comment

by:troyd1
ID: 9913022
Do I need to reload/reapply changes or are they active once you enter them?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9913148
To change an acl (hint: keep a script like this to make it easy)
# remove from interface
interface serial 0.370
 no ip access-group outside_in in

# delete the access-list
no ip access-list extended outside_in

# reload the whole acl w/changes:
ip access-list extended outside_in
    permit tcp any any established
    permit udp any eq domain any
    permit icmp any any unreachable
    permit icmp any any time-exceeded
    permit icmp any any echo-reply
    permit tcp any host 209.72.250.206 eq telnet
    permit tcp any host 209.59.42.150 eq www
    permit tcp any host 209.59.42.150 eq ftp
    permit tcp any host 209.59.42.150 eq telnet
    permit icmp any any echo
    permit tcp any host 209.59.42.145 eq 5004
    permit udp any host 209.59.42.145 eq 5004
    permit tcp any host 209.59.42.145 eq 5005
    permit udp any host 209.59.42.145 eq 5005
    permit tcp any host 209.59.42.145 eq 5566
    permit udp any host 209.59.42.145 eq 5566
    permit tcp any host 209.59.42.145 eq 5567
    permit udp any host 209.59.42.145 eq 5567
    permit tcp any host 209.59.42.150 eq 5631
    permit udp any host 209.59.42.150 eq 5632
    permit tcp any host 209.59.42.146 eq 5631
    permit udp any host 209.59.42.146 eq 5632
    permit tcp any host 209.59.42.147 eq 5631
    permit udp any host 209.59.42.147 eq 5632
    permit tcp any host 209.59.42.148 eq 5631
    permit udp any host 209.59.42.148 eq 5632
    permit tcp any host 209.59.42.149 eq 5631
    permit udp any host 209.59.42.149 eq 5632
    permit tcp host 12.34.56.7 gt 1024 host 209.59.42.150   <-- added line
    deny ip any any log

# re-apply the acl to the interface
interface serial 0.370
 ip access-group outside_in in

end


0
 

Author Comment

by:troyd1
ID: 9913287
I see the problem now. It is trying to return info on port 20 (probably not ftp-data). Probably some ftp reply. Is there any security risk to allow port 20 open on the server?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9913375
No..
ftp-data "should" be port 20
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 100 total points
ID: 9913446
>permit tcp any host 209.72.250.206 eq ftp-data

I guess that should have been
permit tcp any host 209.59.42.150  eq ftp-data


0
 

Author Comment

by:troyd1
ID: 9913693
It works now. I think the problem is that it was denying ftp-data even with that line in it because it looks like from the log that it was sending on 20, but was trying to receive it on a port > 1024. Ex.:
......list outside_in denied tcp 63.209.23.16(20) -> 209.59.42.150(3045), 1 packet. With 63.209.23.16 being the ftp server.
Can you explain this a little?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9914659
Perhaps this in-depth discussion of passive vs active FTP will help you understand..

http://slacksite.com/other/ftp.html
0
 

Author Comment

by:troyd1
ID: 9915427
Thanks for the info.
0
 

Author Comment

by:troyd1
ID: 9924834
It was still not working, but I figured out what was wrong.

I needed:
permit tcp host (ftpserver) eq ftp-data host 209.59.42.150

The
permit tcp host a.b.c.d gt 1024 host 209.59.42.150 was needed also, but the above line made it work.

I thought I would include this reply in case someone refers to this question.

Again, thanks. This has been a good learning experience.
0
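The active-FTP failure and its fix, as an added example that is not part of the original discussion: a small Python evaluator for the IOS extended-ACL syntax used in this thread, run over the denied packet rebuilt from troyd1's log line. It assumes 63.209.23.16 is the ftp server (as that log line shows) and uses a constructed, cut-down copy of outside_in; it shows why "permit tcp any any established" never matches the server's SYN from port 20, why the "gt 1024" entry alone does not either, and why the "eq ftp-data" entry does.

```python
import re

NAMED_PORTS = {"ftp": 21, "ftp-data": 20, "www": 80, "telnet": 23, "domain": 53}  # IOS keywords used above
def _addr(t):  # consume 'any' or 'host A.B.C.D'; return (matcher, remaining tokens)
    if t[0] == "any":
        return (lambda ip: True), t[1:]
    if t[0] == "host":
        return (lambda ip, want=t[1]: ip == want), t[2:]
    raise ValueError("unsupported address spec: " + t[0])

def _port(t):  # consume an optional 'eq <port>' / 'gt <n>' qualifier
    if not t or t[0] not in ("eq", "gt"):
        return (lambda p: True), t
    want = NAMED_PORTS.get(t[1]) or int(t[1])
    return (lambda p, w=want, gt=(t[0] == "gt"): p > w if gt else p == w), t[2:]

def parse_ace(line):  # action proto src [eq|gt x] dst [eq|gt x] [established] [log]
    action, proto, *t = line.split()
    src, t = _addr(t)
    sport, t = _port(t)
    dst, t = _addr(t)
    dport, t = _port(t)
    return action, proto, src, sport, dst, dport, "established" in t

def evaluate(acl, pkt):  # first match wins; IOS ends every ACL with an implicit deny
    for line in acl:
        action, proto, src, sport, dst, dport, est = parse_ace(line)
        if proto not in ("ip", pkt["proto"]) or not (src(pkt["src"]) and dst(pkt["dst"])):
            continue
        if proto in ("tcp", "udp") and not (sport(pkt["sport"]) and dport(pkt["dport"])):
            continue
        if est and not pkt["ack"]:  # 'established' matches only segments with ACK or RST set
            continue
        return action, line
    return "deny", "<implicit deny>"

LOG_RE = re.compile(r"list (\S+) denied (\w+) (\S+)\((\d+)\) -> (\S+)\((\d+)\)")
def packet_from_log(log_line):  # rebuild the denied packet; a denied SYN carries no ACK
    _, proto, src, sport, dst, dport = LOG_RE.search(log_line).groups()
    return {"proto": proto, "src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "ack": False}

# Sample data constructed from the thread: the logged deny, a cut-down 'outside_in', two candidate fixes.
LOG = "list outside_in denied tcp 63.209.23.16(20) -> 209.59.42.150(3045), 1 packet"
BEFORE = ["permit tcp any any established", "permit tcp any host 209.59.42.150 eq ftp",
          "permit tcp any host 209.72.250.206 eq ftp-data", "deny ip any any log"]
GT1024 = "permit tcp host 63.209.23.16 gt 1024 host 209.59.42.150"      # lrmoore's suggestion
FTPDATA = "permit tcp host 63.209.23.16 eq ftp-data host 209.59.42.150"  # the line that fixed it

def with_line(acl, ace):  # insert an entry above the final 'deny ip any any log'
    return acl[:-1] + [ace, acl[-1]]
```

Calling evaluate(BEFORE, packet_from_log(LOG)) returns the final deny, evaluate(with_line(BEFORE, GT1024), ...) still denies because source port 20 is not greater than 1024, and evaluate(with_line(BEFORE, FTPDATA), ...) permits the data-channel SYN.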
