Solved

for lrmoore ftp problem after Cisco install

Posted on 2003-12-09
Last Modified: 2013-11-29
Since changing my web/everything server to point to the Cisco instead of my dsl router, my ftp quit working. I have some scripts and they are not completing. When I try to do a put, they hang. After doing some troubleshooting I found out if I do passive ftp they work. I need one of 2 solutions. An ftp command to make my ftp script work in passive mode or a mod to my Cisco run to allow the ftp to work.

Again thanks for any help, Troy
Question by:troyd1
LVL 79

Expert Comment

by:lrmoore
Did you add an acl line to permit ftp?

ip access-list extended outside_in
 permit tcp any host a.b.c.d eq ftp
 permit tcp any host a.b.c.d eq ftp-data
 <rest of acl>
 ! and add logging to the end of the acl:
 deny ip any any log
!

Now you can watch your logs and see which ports are getting blocked and open them appropriately in your acl...


Author Comment

by:troyd1
I tried it and it still hangs. I already had the ftp line in the script. I now added the ftp-data line. I am ftping from my server to another server in case I did not make that clear. How do I check the logging? There is the static route for 192.168.1.80 and 209.59.42.150. I used the 209.59.42.150 for the a.b.c.d. Was this correct?
LVL 79

Expert Comment

by:lrmoore
>How do I check the logging?

If you have enabled logging to buffer:

logg buff 4096

then you can use "sho log"

>I used the 209.59.42.150 for the a.b.c.d. Was this correct?
Yes

Author Comment

by:troyd1
My ftp still hangs. I tried permit tcp any any eq ftp-data, and that did not work either.  Any ideas? Also, how do I clear the log? Is there a way to do passive ftp from a command prompt in windows?
LVL 79

Expert Comment

by:lrmoore
Can you post results of

router#show ip access-list <name>

Did you remove/delete/rebuild/re-apply the entire access-list when you changed it?
Do you get any deny entries in the log?

router#clear log

I don't think the command line FTP in windows will go to passive mode. You can in IE6, or in another FTP client like WSFtp or CuteFTP....



Author Comment

by:troyd1
Here it is:
I had permit tcp any host 209.59.42.150 eq ftp-data, and that did not work. It seemed to be trying to come in through my router IP (209.72.250.206), so I tried that. After trying to do a few ftp transfers it seems to be coming back on a bunch of different IPs. 209.72.250.206. 209.59.42.145-159. I just deleted and added, I did not delete/rebuild the whole access-list. How do I re-apply it?

Extended IP access list outside_in
    permit tcp any any established (653944 matches)
    permit udp any eq domain any (6100 matches)
    permit icmp any any unreachable (52 matches)
    permit icmp any any time-exceeded (62 matches)
    permit icmp any any echo-reply (101 matches)
    permit tcp any host 209.72.250.206 eq telnet (20 matches)
    permit tcp any host 209.59.42.150 eq www (2470 matches)
    permit tcp any host 209.59.42.150 eq ftp
    permit tcp any host 209.59.42.150 eq telnet (366 matches)
    permit icmp any any echo (360399 matches)
    permit tcp any host 209.59.42.145 eq 5004
    permit udp any host 209.59.42.145 eq 5004
    permit tcp any host 209.59.42.145 eq 5005
    permit udp any host 209.59.42.145 eq 5005
    permit tcp any host 209.59.42.145 eq 5566
    permit udp any host 209.59.42.145 eq 5566
    permit tcp any host 209.59.42.145 eq 5567
    permit udp any host 209.59.42.145 eq 5567
    permit tcp any host 209.59.42.150 eq 5631 (2 matches)
    permit udp any host 209.59.42.150 eq 5632 (1 match)
    permit tcp any host 209.59.42.146 eq 5631
    permit udp any host 209.59.42.146 eq 5632
    permit tcp any host 209.59.42.147 eq 5631
    permit udp any host 209.59.42.147 eq 5632
    permit tcp any host 209.59.42.148 eq 5631
    permit udp any host 209.59.42.148 eq 5632
    permit tcp any host 209.59.42.149 eq 5631
    permit udp any host 209.59.42.149 eq 5632
    permit tcp any host 209.72.250.206 eq ftp-data
    deny ip any any log (109 matches)

Author Comment

by:troyd1
Also, the 5004, 5005, 5566 and 5567 are for my IP phone. I was not sure if it was tcp or udp.

Author Comment

by:troyd1
Another note, I have a second NIC in my server that I also have connected to the network. It has the address of 192.168.1.81. I have the default gateway on that one set to the dsl router. I did a tracert to the ftp server I am trying to send to and it is going through the cisco. I am doing this so I can get to my server through either place using pcAnywhere. Are there any repercussions to doing this? How do you control which card your traffic goes out on? It appears to be using the card I want it to.
LVL 79

Expert Comment

by:lrmoore
One thing to add in the acl that might help:

Assuming that you know the IP address of the ftp server. For example's sake, 12.34.56.7
And the public static NAT of the system you're trying to ftp from = 209.59.42.150

permit tcp host 12.34.56.7 gt 1024 host 209.59.42.150

As for having two NICs in the server, you can only have one default gateway. You cannot dictate which packets go out which NIC unless you add them manually to the route table.


Author Comment

by:troyd1
Do I need to reload/reapply changes or are they active once you enter them?
LVL 79

Expert Comment

by:lrmoore
To change an acl (hint: keep a script like this to make it easy)
configure terminal
! remove from interface
interface serial 0.370
 no ip access-group outside_in in

! delete the access-list
no ip access-list extended outside_in

! reload the whole acl w/changes:
ip access-list extended outside_in
    permit tcp any any established
    permit udp any eq domain any
    permit icmp any any unreachable
    permit icmp any any time-exceeded
    permit icmp any any echo-reply
    permit tcp any host 209.72.250.206 eq telnet
    permit tcp any host 209.59.42.150 eq www
    permit tcp any host 209.59.42.150 eq ftp
    permit tcp any host 209.59.42.150 eq telnet
    permit icmp any any echo
    permit tcp any host 209.59.42.145 eq 5004
    permit udp any host 209.59.42.145 eq 5004
    permit tcp any host 209.59.42.145 eq 5005
    permit udp any host 209.59.42.145 eq 5005
    permit tcp any host 209.59.42.145 eq 5566
    permit udp any host 209.59.42.145 eq 5566
    permit tcp any host 209.59.42.145 eq 5567
    permit udp any host 209.59.42.145 eq 5567
    permit tcp any host 209.59.42.150 eq 5631
    permit udp any host 209.59.42.150 eq 5632
    permit tcp any host 209.59.42.146 eq 5631
    permit udp any host 209.59.42.146 eq 5632
    permit tcp any host 209.59.42.147 eq 5631
    permit udp any host 209.59.42.147 eq 5632
    permit tcp any host 209.59.42.148 eq 5631
    permit udp any host 209.59.42.148 eq 5632
    permit tcp any host 209.59.42.149 eq 5631
    permit udp any host 209.59.42.149 eq 5632
    ! added line:
    permit tcp host 12.34.56.7 gt 1024 host 209.59.42.150
    deny ip any any log

! re-apply the acl to the interface
interface serial 0.370
 ip access-group outside_in in

end



Author Comment

by:troyd1
I see the problem now. It is trying to return info on port 20 (probably not ftp-data). Probably some ftp reply. Is there any security risk to allow port 20 open on the server?
LVL 79

Expert Comment

by:lrmoore
No..
ftp-data "should" be port 20
LVL 79

Accepted Solution

by:lrmoore (earned 100 total points)
>permit tcp any host 209.72.250.206 eq ftp-data

I guess that should have been
permit tcp any host 209.59.42.150 eq ftp-data



Author Comment

by:troyd1
It works now. I think the problem is that it was denying ftp-data even with that line in it because it looks like from the log that it was sending on 20, but was trying to receive it on a port > 1024. Ex.:
......list outside_in denied tcp 63.209.23.16(20) -> 209.59.42.150(3045), 1 packet. With 63.209.23.16 being the ftp server.
Can you explain this a little?
LVL 79

Expert Comment

by:lrmoore
Perhaps this in-depth discussion of passive vs active FTP will help you understand..

http://slacksite.com/other/ftp.html

Author Comment

by:troyd1
Thanks for the info.

Author Comment

by:troyd1
It was still not working, but I figured out what was wrong.

I needed:
permit tcp host (ftpserver) eq ftp-data host 209.59.42.150

The
permit tcp host a.b.c.d gt 1024 host 209.59.42.150 was needed also, but the above line made it work.

I thought I would include this reply in case someone refers to this question.

Again, thanks. This has been a good learning experience.
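Why the ACL behaved the way the thread describes, as an added example that is not part of the original thread and not Cisco code: a small Python model of first-match evaluation of the inbound ACL entries posted above, fed the packet from the logged deny (`63.209.23.16(20) -> 209.59.42.150(3045)`). It assumes 63.209.23.16 is the FTP server named in the log, and the passive-mode return packet is constructed.

```python
# ACL model for this thread: why an active-mode FTP data SYN (server port 20 ->
# client high port) was denied while passive mode passed. Added example, not
# Cisco code; ACL lines are the ones posted, packets are constructed.
from collections import namedtuple

PORTS = {"ftp": 21, "ftp-data": 20}
# ack=False only for the initial SYN; every later segment carries ACK.
Packet = namedtuple("Packet", "proto src sport dst dport ack", defaults=(False,))

def parse_ace(line):
    """Parse 'permit|deny <proto> <src> [eq|gt p] <dst> [eq|gt p] [established]'."""
    tok, i = line.split(), 2
    def addr():  # 'any' -> None, 'host X' -> X
        nonlocal i
        i += 1 if tok[i] == "any" else 2
        return None if tok[i - 1] == "any" else tok[i - 1]
    def port():  # optional 'eq p' / 'gt p' -> (op, number), else None
        nonlocal i
        if i < len(tok) and tok[i] in ("eq", "gt"):
            op, p = tok[i], tok[i + 1]
            i += 2
            return op, PORTS.get(p) or int(p)
        return None
    src, sp, dst, dp = addr(), port(), addr(), port()
    return tok[0], tok[1], src, sp, dst, dp, "established" in tok[i:]

def port_match(spec, port):
    return spec is None or (port == spec[1] if spec[0] == "eq" else port > spec[1])

def evaluate(acl, pkt):
    """First match wins, as on IOS; anything unmatched hits the implicit deny."""
    for line in acl:
        action, proto, src, sp, dst, dp, est = parse_ace(line)
        if (proto in (pkt.proto, "ip") and src in (None, pkt.src)
                and dst in (None, pkt.dst) and (pkt.ack or not est)
                and port_match(sp, pkt.sport) and port_match(dp, pkt.dport)):
            return action, line
    return "deny", "implicit deny"

ORIGINAL = ["permit tcp any any established",            # inbound ACL as posted,
            "permit tcp any host 209.59.42.150 eq ftp",    # FTP-relevant lines only
            "permit tcp any host 209.59.42.150 eq ftp-data",
            "deny ip any any log"]
FIXED = ORIGINAL[:3] + ["permit tcp host 63.209.23.16 eq ftp-data host 209.59.42.150"] + ORIGINAL[3:]
ACTIVE_SYN = Packet("tcp", "63.209.23.16", 20, "209.59.42.150", 3045)  # the logged deny
PASSIVE_REPLY = Packet("tcp", "63.209.23.16", 49152, "209.59.42.150", 3046, ack=True)

def verdicts():
    return {"active_original": evaluate(ORIGINAL, ACTIVE_SYN)[0],
            "active_fixed": evaluate(FIXED, ACTIVE_SYN)[0],
            "passive_original": evaluate(ORIGINAL, PASSIVE_REPLY)[0]}
```

The original `eq ftp-data` entry checks the destination port, but an active-mode data connection arrives with port 20 as its source and an ephemeral destination port, so only the entry matching the source port (or the `gt 1024` destination range) lets the SYN through; passive mode never needed it because the client opened that connection itself and the replies matched `established`.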