ACSNS
asked on
Setting up FTP Server through Cisco 800 Series Router
Hello All.
I am doing some work for a company as a favor. They have a network set up already, with ISDN and a Cisco 800 Series Router. It probably doesn't matter to you, but they also have a Cisco Catalyst. Anyhow, I am going to put another computer on their network with an FTP Server program. I know that I will have to set up port forwarding on the router to point all FTP requests to the computer with the FTP Server installed when they point their browser to ftp://xxx.xxx.xxx.xxx. I've done this on a Linksys router, but never a Cisco router. Could anyone please tell me step by step how to do it and maybe any other information that I may need to know? I appreciate your help!
ASKER
Thanks for the info so far, I think that will help greatly. What do you mean by set up access list to restrict only to ftp? Does this mean when I point the browser to ftp://xxx.xxx.xxx.xxx that only ftp traffic can be allowed through? What is the command for this, is it access-list 1 permit ftpserver_ip_address 0.0.0.0 ?
I appreciate your help with this...
Thanks,
Andy
When you use the command
ip nat inside source static ftpserver_IP_address YOUR_PUBLIC_IP_ADDRESS
all the ports are opened for your FTP server inside the LAN, i.e. it becomes like a computer on the Internet and the NAT protection is no longer there. So all the ports open on your FTP server will be open to the Internet. As this is not recommended, use an access list to restrict the access only to FTP.
I will give an example.
Suppose your FTP server IP address is 10.0.1.100 and you want to assign it a public IP of 67.1.1.11 (this should be assigned by your ISP).
Use the command
ip nat inside source static 10.0.1.100 67.1.1.11
Now create the access list:
no access-list 101
access-list 101 deny ip host 67.1.1.11 any
access-list 101 permit tcp any any established
access-list 101 permit tcp any host 67.1.1.11 range ftp-data ftp
Now apply this access list to your dialer interface:
ip access-group 101 in
Hope this helps
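As an added example (not part of the original post, and not Cisco code), the sketch below models first-match evaluation of access-list 101 as posted, applied inbound on the dialer interface. The client addresses, the sample packets and the simplified "established" flag are constructed assumptions.

```python
# Added example: first-match evaluation of access-list 101 from the answer above.
from dataclasses import dataclass

PUBLIC_IP = "67.1.1.11"          # public address used in the post

@dataclass
class Packet:                    # a packet arriving inbound on the dialer interface
    src: str
    dst: str
    proto: str                   # "tcp", "udp", ...
    dport: int = 0
    ack_or_rst: bool = False     # the TCP bits the "established" keyword tests

# (action, rule text, match function), in the order the rules were posted.
ACL_101 = [
    ("deny", "deny ip host 67.1.1.11 any",
     lambda p: p.src == PUBLIC_IP),
    ("permit", "permit tcp any any established",
     lambda p: p.proto == "tcp" and p.ack_or_rst),
    ("permit", "permit tcp any host 67.1.1.11 range ftp-data ftp",
     lambda p: p.proto == "tcp" and p.dst == PUBLIC_IP and 20 <= p.dport <= 21),
]

def evaluate(packet, acl=ACL_101):
    """Return (action, rule) for the first match; otherwise the implicit deny."""
    for action, text, match in acl:
        if match(packet):
            return action, text
    return "deny", "implicit deny ip any any"

SAMPLES = {  # constructed traffic, not captured from a real network
    "ftp control SYN":       Packet("198.51.100.7", PUBLIC_IP, "tcp", 21),
    "telnet SYN":            Packet("198.51.100.7", PUBLIC_IP, "tcp", 23),
    "spoofed own address":   Packet(PUBLIC_IP, PUBLIC_IP, "tcp", 21),
    "reply to outbound tcp": Packet("203.0.113.9", PUBLIC_IP, "tcp", 51000, True),
    "passive-mode data SYN": Packet("198.51.100.7", PUBLIC_IP, "tcp", 50123),
    "dns reply (udp)":       Packet("203.0.113.53", PUBLIC_IP, "udp", 33000),
}

def report():
    """Map each sample name to the action the ACL takes on it."""
    return {name: evaluate(pkt)[0] for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        action, rule = evaluate(pkt)
        print(f"{name:24} {action:6} <- {rule}")
```

The last two samples show what the implicit deny catches with the list as posted: an inbound passive-mode data connection to a high port, and any non-TCP reply traffic.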
ASKER
Ok, all your help has been great, I just want to make sure I have this down before I walk in there, I don't want to look like a huge idiot... haha
Here is the exact command line I should need to type in order to make this happen...
conf t
ip nat inside source static 10.0.1.100 67.1.1.11
no access-list 101
access-list 101 deny ip host 67.1.1.11 any
access-list 101 permit tcp any any established
access-list 101 permit tcp any host 67.1.1.11 range ftp-data ftp
ip access-group 101 in
exit
wr mem
You've been a great help, it'll be my pleasure to award you with these points once we're done here!
Thanks,
Andy
ASKER
Also, I was just talking to my friend who works at an ISP and he was telling me that the following should work... What are your thoughts on this?
conf t
ip nat inside source static tcp 10.0.1.100 21 67.1.1.11 21 extended
exit
wr mem
He said that the access list stuff isn't needed because the first line dictates that it's only for port 21. Let me know if your way is better, and why.
Thanks again!
Andy
ASKER
Thanks for your help!
How do I solve the problem if I've got a dynamic IP?
I have found this thread very useful in configuring a c827h DSL router lately, and thought I would suggest a possible solution (I believe this will work with any ISDN from the 800 series also):
conf t
ip nat inside source static tcp 10.0.1.100 21 interface Dialer1 21
exit
wr mem
reload
This basically will allow any access to port 21 on the Dialer1 interface (WAN port, DSL port, ISDN port as far as I know) to be translated, rather than just limiting translation to requests to the single IP. So if you have a dynamic IP, use this version. If you have multiple IPs assigned to your connection, it's quite a nice feature that you can redirect port 21 to different machines for each external IP! Pretty sweet!
Thanks for asking this question in the first place ACSNS, it's saved my bacon today!
It is a simple command:
ip nat inside source static ftpserver_IP_address YOUR_PUBLIC_IP_ADDRESS
where ftpserver_IP_address is the IP address of the FTP server inside your LAN
and YOUR_PUBLIC_IP_ADDRESS is the IP address that clients will be using to access it from the Internet.
Then you need to use an access list to restrict access only to FTP.
Please let me know in detail about your network and how it is being connected. Also, please post your running config on the 800 for more detailed help.