Solved

Setting up FTP Server through Cisco 800 Series Router

Posted on 2004-05-01
Last Modified: 2013-11-29
Hello All.

I am doing some work for a company as a favor. They have a network set up already, with ISDN and a Cisco 800 Series Router. It probably doesn't matter to you, but they also have a Cisco Catalyst. Anyhow, I am going to put another computer on their network with an FTP Server program. I know that I will have to set up port forwarding on the router to point all FTP requests to the computer with the FTP Server installed when they point their browser to ftp://xxx.xxx.xxx.xxx. I've done this on a Linksys router, but never a Cisco router. Could anyone please tell me step by step how to do it and maybe any other information that I may need to know? I appreciate your help!
Question by:ACSNS
9 Comments

Expert Comment

by:anupnellip
ID: 10970536
First of all, you need to have a static IP address assigned by your ISP for this to work. I suppose you are using NAT here.
It is a simple command:
ip nat inside source static ftpserver_IP_address YOUR_PUBLIC_IP_ADDRESS

where ftpserver_IP_address is the IP address of the FTP server inside your LAN
and YOUR_PUBLIC_IP_ADDRESS is the IP address that clients will be using to access it from the Internet.

Then you need to use an access list to restrict access to FTP only.

Please let me know in detail about your network and how it is being connected. Also, please post your running config on the 800 for more detailed help.

Author Comment

by:ACSNS
ID: 10972226
Thanks for the info so far, I think that will help greatly.  What do you mean by set up access list to restrict only to ftp?  Does this mean when I point the browser to ftp://xxx.xxx.xxx.xxx that only ftp traffic can be allowed through?  What is the command for this, is it access-list 1 permit ftpserver_ip_address 0.0.0.0 ?

I appreciate your help with this...

Thanks,
Andy

Expert Comment

by:anupnellip
ID: 10976414
When you use the command
ip nat inside source static ftpserver_IP_address YOUR_PUBLIC_IP_ADDRESS

all the ports are opened for your FTP server inside the LAN, i.e. it becomes like a computer on the Internet and the NAT protection is no longer there. So all the ports open on your FTP server will be open to the Internet. As this is not recommended, use an access list to restrict the access to FTP only.

I will give an example.

Suppose your FTP server IP address is 10.0.1.100 and you want to assign it a public IP of 67.1.1.11 (this should be assigned by your ISP).

Use the command

ip nat inside source static 10.0.1.100 67.1.1.11

Now create the access list:

no access-list 101
access-list 101 deny ip host 67.1.1.11 any
access-list 101 permit tcp any any established
access-list 101 permit tcp any host 67.1.1.11 range ftp-data ftp

Now apply this access list to your dialer interface.

ip access-group 101 in

Hope this helps



Author Comment

by:ACSNS
ID: 10977610
Ok, all your help has been great, I just want to make sure I have this down before I walk in there, I don't want to look like a huge idiot... haha

Here is the exact command line I should need to type in order to make this happen...

conf t
ip nat inside source static 10.0.1.100 67.1.1.11
no access-list 101
access-list 101 deny ip host 67.1.1.11 any
access-list 101 permit tcp any any established
access-list 101 permit tcp any host 67.1.1.11 range ftp-data ftp
ip access-group 101 in
exit
wr mem

You've been a great help, it'll be my pleasure to award you with these points once we're done here!

Thanks,
Andy

Author Comment

by:ACSNS
ID: 10978206
Also, I was just talking to my friend who works at an ISP and he was telling me that the following should work... What are your thoughts on this?

conf t
ip nat inside source static tcp 10.0.1.100 21 67.1.1.11 21 extendable
exit
wr mem

He said that the access list stuff isn't needed because the first line dictates that it's only for port 21.  Let me know if your way is better, and why.

Thanks again!
Andy

Accepted Solution

by:
anupnellip earned 500 total points
ID: 10984462
Hi,

Your friend's suggestion is very much valid and simple.

My method, though, is more flexible in terms of controlling access. It is always recommended to control access using an access list, as later on you can open up more ports according to need.
But if you are not comfortable with access lists, then using your friend's command is the best way to go.

In case you wish to use my method, just make sure you enter interface configuration mode for the interface before you apply the access list, e.g.
config t
interface dialer (if you are specifying the IP address here; if you are specifying it at the BRI interface, use interface bri0)
ip access-group 101 in
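
The access list discussed in this thread, run as a first-match rule list over a few inbound packets (an added example, not part of any participant's post). It models only the three access-list 101 entries plus the implicit deny that ends every IOS ACL; the sample packets and the 67.1.1.10 router address are constructed for illustration.

```python
# Added illustration: first-match evaluation of ACL 101 from this thread.
# Packets are constructed samples; 67.1.1.11 is the thread's example address.
from dataclasses import dataclass

PUBLIC_IP = "67.1.1.11"    # public address statically NATed to the FTP server
ROUTER_WAN = "67.1.1.10"   # hypothetical address used by other LAN hosts
FTP_DATA, FTP = 20, 21     # ports behind the IOS keywords ftp-data and ftp

@dataclass
class Packet:
    proto: str                 # "tcp" or "udp"
    src: str
    dst: str
    dport: int = 0
    ack_or_rst: bool = False   # the flags the "established" keyword tests

# (action, ACL line, predicate). Order matters: the first match wins.
ACL_101 = [
    ("deny", "deny ip host 67.1.1.11 any",
     lambda p: p.src == PUBLIC_IP),
    ("permit", "permit tcp any any established",
     lambda p: p.proto == "tcp" and p.ack_or_rst),
    ("permit", "permit tcp any host 67.1.1.11 range ftp-data ftp",
     lambda p: p.proto == "tcp" and p.dst == PUBLIC_IP
     and FTP_DATA <= p.dport <= FTP),
]

def evaluate(packet, acl=ACL_101):
    """Return (action, matching line); unmatched packets hit the implicit deny."""
    for action, line, matches in acl:
        if matches(packet):
            return action, line
    return "deny", "implicit deny ip any any"

# Inbound packets as seen on the dialer interface, before NAT rewrites them.
SAMPLES = {
    "ftp control SYN":       Packet("tcp", "198.51.100.7", PUBLIC_IP, 21),
    "telnet to server":      Packet("tcp", "198.51.100.7", PUBLIC_IP, 23),
    "spoofed own address":   Packet("tcp", PUBLIC_IP, PUBLIC_IP, 21),
    "reply to LAN web user": Packet("tcp", "203.0.113.9", ROUTER_WAN, 40000, True),
    "passive data SYN":      Packet("tcp", "198.51.100.7", PUBLIC_IP, 50123),
    "dns reply (udp)":       Packet("udp", "192.0.2.53", ROUTER_WAN, 33000),
}

def report():
    """Map each sample name to the action ACL 101 takes on it."""
    return {name: evaluate(pkt)[0] for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:24} {evaluate(pkt)}")
```

Besides the intended blocks, the run shows that inbound UDP (for example DNS replies to other LAN hosts) and passive-mode FTP data connections also fall through to the implicit deny on that interface.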

Author Comment

by:ACSNS
ID: 10987686
Thanks for your help!

Expert Comment

by:stylosoph
ID: 11093861
How to solve the problem if I've got a dynamic IP?

Expert Comment

by:quicksmart
ID: 12735704
I have found this thread very useful in configuring a c827h DSL router lately, and thought I would suggest a possible solution (I believe this will work with any ISDN from the 800 series also):
conf t
ip nat inside source static tcp 10.0.1.100 21 interface Dialer1 21
exit
wr mem
reload

This basically will allow any access to port 21 on the Dialer1 interface (WAN port, DSL port, ISDN port as far as I know) to be translated, rather than just limiting translation to requests to the single IP. So if you have a dynamic IP, use this version. If you have multiple IPs assigned to your connection, it's quite a nice feature that you can redirect port 21 to different machines for each external IP! Pretty sweet!
Thanks for asking this question in the first place, ACSNS, it's saved my bacon today!