for lrmoore ftp problem after Cisco install

Posted on 2003-12-09
Last Modified: 2013-11-29
Since changing my web/everything server to point to the Cisco instead of my dsl router, my ftp quit working. I have some scripts and they are not completing. When I try to do a put, they hang. After doing some troubleshooting I found out if I do passive ftp they work. I need one of 2 solutions. An ftp command to make my ftp script work in passive mode or a mod to my cisco run to allow the ftp to work.

Again thanks for any help, Troy
Question by:troyd1
18 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 9905944
Did you add an acl line to permit ftp?

ip access-list extended outside_in
 permit tcp any host a.b.c.d eq ftp
 permit tcp any host a.b.c.d eq ftp-data
<rest of acl>
# and add logging to the end of the acl:
 deny ip any any log
!

Now you can watch your logs and see which ports are getting blocked and open them appropriately in your acl...

0
 

Author Comment

by:troyd1
ID: 9906151
I tried it and it still hangs. I already had the ftp line in the script. I now added the ftp-data line. I am ftping from my server to another server in case I did not make that clear. How do I check the logging? There is the static route for 192.168.1.80 and 209.59.42.150. I used the 209.59.42.150 for the a.b.c.d. Was this correct?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9906672
>How do I check the logging?

If you have enabled logging to buffer:

logg buff 4096

then you can use "sho log"

>I used the 209.59.42.150 for the a.b.c.d. Was this correct?
Yes
0
 

Author Comment

by:troyd1
ID: 9908118
My ftp still hangs. I tried permit tcp any any eq ftp-data, and that did not work either.  Any ideas? Also, how do I clear the log? Is there a way to do passive ftp from a command prompt in windows?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9908192
Can you post results of

router#show ip access-list <name>

Did you remove/delete/rebuild/re-apply the entire access-list when you changed it?
Do you get any deny entries in the log?

router#clear log

I don't think the command line FTP in windows will go to passive mode. You can in IE6, or in another FTP client like WSFtp or CuteFTP....


0
 

Author Comment

by:troyd1
ID: 9908264
Here it is:
I had permit tcp any host 209.59.42.150 eq ftp-data, and that did not work. It seemed to be trying to come in through my router IP (209.72.250.206), so I tried that. After trying to do a few ftp transfers it seems to be coming back on a bunch of different IPs: 209.72.250.206, 209.59.42.145-159. I just deleted and added, I did not delete/rebuild the whole access-list. How do I re-apply it?

Extended IP access list outside_in
    permit tcp any any established (653944 matches)
    permit udp any eq domain any (6100 matches)
    permit icmp any any unreachable (52 matches)
    permit icmp any any time-exceeded (62 matches)
    permit icmp any any echo-reply (101 matches)
    permit tcp any host 209.72.250.206 eq telnet (20 matches)
    permit tcp any host 209.59.42.150 eq www (2470 matches)
    permit tcp any host 209.59.42.150 eq ftp
    permit tcp any host 209.59.42.150 eq telnet (366 matches)
    permit icmp any any echo (360399 matches)
    permit tcp any host 209.59.42.145 eq 5004
    permit udp any host 209.59.42.145 eq 5004
    permit tcp any host 209.59.42.145 eq 5005
    permit udp any host 209.59.42.145 eq 5005
    permit tcp any host 209.59.42.145 eq 5566
    permit udp any host 209.59.42.145 eq 5566
    permit tcp any host 209.59.42.145 eq 5567
    permit udp any host 209.59.42.145 eq 5567
    permit tcp any host 209.59.42.150 eq 5631 (2 matches)
    permit udp any host 209.59.42.150 eq 5632 (1 match)
    permit tcp any host 209.59.42.146 eq 5631
    permit udp any host 209.59.42.146 eq 5632
    permit tcp any host 209.59.42.147 eq 5631
    permit udp any host 209.59.42.147 eq 5632
    permit tcp any host 209.59.42.148 eq 5631
    permit udp any host 209.59.42.148 eq 5632
    permit tcp any host 209.59.42.149 eq 5631
    permit udp any host 209.59.42.149 eq 5632
    permit tcp any host 209.72.250.206 eq ftp-data
    deny ip any any log (109 matches)
0
 

Author Comment

by:troyd1
ID: 9908654
Also, the 5004, 5005, 5566 and 5567 are for my ip phone. I was not sure if it was tcp or udp.
0
 

Author Comment

by:troyd1
ID: 9911839
Another note, I have a second NIC in my server that I also have connected to the network. It has the address of 192.168.1.81. I have the default gateway on that one set to the dsl router. I did a tracert to the ftp server I am trying to send to and it is going through the cisco. I am doing this so I can get to my server through either place using pcanywhere. Are there any repercussions to doing this? How do you control which card your traffic goes out on? It appears to be using the card I want it to.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9912967
One thing to add in the acl that might help:

Assuming that you know the IP address of the ftp server. For example sake = 12.34.56.7
And public static NAT of the system you're trying to ftp from = 209.59.42.150

permit tcp host 12.34.56.7 gt 1024 host 209.59.42.150

As for having two NICs in the server, you can only have one default gateway. You cannot dictate which packets go out which NIC unless you add them manually to the route table.

0
 

Author Comment

by:troyd1
ID: 9913022
Do I need to reload/reapply changes or are they active once you enter them?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9913148
To change an acl (hint: keep a script like this to make it easy)
# remove from interface
interface serial 0.370
 no ip access-group outside_in in

# delete the access-list
no ip access-list extended outside_in

# reload the whole acl w/changes:
ip access-list extended outside_in
    permit tcp any any established
    permit udp any eq domain any
    permit icmp any any unreachable
    permit icmp any any time-exceeded
    permit icmp any any echo-reply
    permit tcp any host 209.72.250.206 eq telnet
    permit tcp any host 209.59.42.150 eq www
    permit tcp any host 209.59.42.150 eq ftp
    permit tcp any host 209.59.42.150 eq telnet
    permit icmp any any echo
    permit tcp any host 209.59.42.145 eq 5004
    permit udp any host 209.59.42.145 eq 5004
    permit tcp any host 209.59.42.145 eq 5005
    permit udp any host 209.59.42.145 eq 5005
    permit tcp any host 209.59.42.145 eq 5566
    permit udp any host 209.59.42.145 eq 5566
    permit tcp any host 209.59.42.145 eq 5567
    permit udp any host 209.59.42.145 eq 5567
    permit tcp any host 209.59.42.150 eq 5631
    permit udp any host 209.59.42.150 eq 5632
    permit tcp any host 209.59.42.146 eq 5631
    permit udp any host 209.59.42.146 eq 5632
    permit tcp any host 209.59.42.147 eq 5631
    permit udp any host 209.59.42.147 eq 5632
    permit tcp any host 209.59.42.148 eq 5631
    permit udp any host 209.59.42.148 eq 5632
    permit tcp any host 209.59.42.149 eq 5631
    permit udp any host 209.59.42.149 eq 5632
    permit tcp host 12.34.56.7 gt 1024 host 209.59.42.150   <-- added line
    deny ip any any log

# re-apply the acl to the interface
interface serial 0.370
 ip access-group outside_in in

end


0
 

Author Comment

by:troyd1
ID: 9913287
I see the problem now. It is trying to return info on port 20 (probably not ftp-data). Probably some ftp reply. Is there any security risk to allow port 20 open on the server?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9913375
No..
ftp-data "should" be port 20
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 400 total points
ID: 9913446
>permit tcp any host 209.72.250.206 eq ftp-data

I guess that should have been
permit tcp any host 209.59.42.150  eq ftp-data


0
 

Author Comment

by:troyd1
ID: 9913693
It works now. I think the problem is that it was denying ftp-data even with that line in it because it looks like from the log that it was sending on 20, but was trying to receive it on a port > 1024. Ex.:
......list outside_in denied tcp 63.209.23.16(20) -> 209.59.42.150(3045), 1 packet. With 63.209.23.16 being the ftp server.
Can you explain this a little?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9914659
Perhaps this in-depth discussion of passive vs active FTP will help you understand..

http://slacksite.com/other/ftp.html
0
 

Author Comment

by:troyd1
ID: 9915427
Thanks for the info.
0
 

Author Comment

by:troyd1
ID: 9924834
It was still not working, but I figured out what was wrong.

I needed:
permit tcp host (ftpserver) eq ftp-data host 209.59.42.150

The
permit tcp host a.b.c.d gt 1024 host 209.59.42.150 was needed also, but the above line made it work.

I thought I would include this reply in case someone refers to this question.

Again, thanks. This has been a good learning experience.
0
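The log line quoted earlier in the thread (`denied tcp 63.209.23.16(20) -> 209.59.42.150(3045)`) and the final fix both come down to which side of the rule port 20 appears on. The following is an added example, not code from the thread or from Cisco: a small model of how an IOS extended ACL is evaluated (first match wins, implicit deny at the end, `established` matching only TCP segments with ACK or RST set). It replays the control-channel reply, a passive-mode data reply and the active-mode data SYN from the log against the thread's ACL with each candidate ftp-data line. Assumptions: only the `any`/`host` address forms and `eq`/`gt` port qualifiers used in the thread are parsed; the client-side ports 3044 and 4521 are constructed sample values, while 3045 and both addresses are the ones from the log line.

```python
"""Added example: minimal Cisco IOS extended-ACL evaluator (not the thread's
or Cisco's code).  Assumes 'any' / 'host A.B.C.D' addresses, 'eq' / 'gt' port
qualifiers and IOS 'established' semantics (ACK or RST set)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"ftp": 21, "ftp-data": 20, "www": 80, "telnet": 23, "domain": 53}


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # True when ACK (or RST) is set, i.e. not an initial SYN


@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[Tuple[str, int]]
    dst: ipaddress.IPv4Network
    dport: Optional[Tuple[str, int]]
    established: bool
    text: str


def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any' or 'host A.B.C.D' (the only forms used in the thread)."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    raise ValueError(f"unsupported address form: {t}")


def _parse_port(tokens: List[str]) -> Optional[Tuple[str, int]]:
    """Consume an optional 'eq NAME|N' or 'gt N' qualifier, if present."""
    if tokens and tokens[0] in ("eq", "gt"):
        op, val = tokens.pop(0), tokens.pop(0)
        return op, (PORT_NAMES[val] if val in PORT_NAMES else int(val))
    return None


def _port_ok(spec: Optional[Tuple[str, int]], port: int) -> bool:
    if spec is None:
        return True
    op, n = spec
    return port == n if op == "eq" else port > n


def parse_rule(line: str) -> Rule:
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src, sport = _parse_addr(tokens), _parse_port(tokens)
    dst, dport = _parse_addr(tokens), _parse_port(tokens)
    return Rule(action, proto, src, sport, dst, dport, "established" in tokens, line)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("ip", pkt.proto):
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if not (_port_ok(rule.sport, pkt.sport) and _port_ok(rule.dport, pkt.dport)):
        return False
    # 'established' only matches TCP segments that are replies (ACK/RST set)
    return pkt.ack or not rule.established


def evaluate(acl_lines: List[str], pkt: Packet) -> Tuple[str, str]:
    """First matching line wins; IOS ends every ACL with an implicit deny."""
    for rule in map(parse_rule, acl_lines):
        if matches(rule, pkt):
            return rule.action, rule.text
    return "deny", "implicit deny"


FTP_SERVER, MY_HOST = "63.209.23.16", "209.59.42.150"  # from the thread's log line
# Control channel reply: server answers our SYN to port 21 (client port 3044 constructed)
CONTROL_REPLY = Packet("tcp", FTP_SERVER, 21, MY_HOST, 3044, ack=True)
# Active-mode data connection: server opens it from port 20 to our high port (logged as denied)
ACTIVE_DATA_SYN = Packet("tcp", FTP_SERVER, 20, MY_HOST, 3045, ack=False)
# Passive mode: we open the data connection, so the server's reply carries ACK (ports constructed)
PASSIVE_DATA_REPLY = Packet("tcp", FTP_SERVER, 4521, MY_HOST, 3046, ack=True)

BASE_ACL = [  # the relevant lines of the thread's outside_in list
    "permit tcp any any established",
    "permit udp any eq domain any",
    "permit tcp any host 209.59.42.150 eq www",
    "permit tcp any host 209.59.42.150 eq ftp",
    "deny ip any any log",
]
CANDIDATES = {
    "dst-port-20": "permit tcp any host 209.59.42.150 eq ftp-data",  # matches only traffic *to* port 20
    "src-port-20": "permit tcp any eq ftp-data host 209.59.42.150",  # matches the server-initiated data SYN
}


def with_line(extra: str) -> List[str]:
    """Insert a candidate line above the final deny, as the thread did."""
    return BASE_ACL[:-1] + [extra, BASE_ACL[-1]]


def outcome(acl_lines: List[str], pkt: Packet) -> str:
    return evaluate(acl_lines, pkt)[0]


if __name__ == "__main__":
    print("control reply :", evaluate(BASE_ACL, CONTROL_REPLY))
    print("passive data  :", evaluate(BASE_ACL, PASSIVE_DATA_REPLY))
    for name, line in CANDIDATES.items():
        print(f"active data [{name}]:", evaluate(with_line(line), ACTIVE_DATA_SYN))
```

The control reply and the passive-mode data reply both carry ACK, so `permit tcp any any established` lets them in, which is why passive FTP worked from the start. The active-mode data connection is a fresh SYN from the server's port 20 to a high client port: `established` does not match it, and a line ending in `eq ftp-data` tests the destination port, which is 3045 here, so it still falls through to the logged deny. Only a line with `eq ftp-data` on the source side permits it, and because that line is keyed on the server's source port rather than the client's ephemeral port, a source-address restriction (`host 63.209.23.16` instead of `any`) is the natural way to narrow it.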
