Solved

Setting up FTP Server through Cisco 800 Series Router

Posted on 2004-05-01
9
3,988 Views
Last Modified: 2013-11-29
Hello All.

I am doing some work for a company as a favor.  They have a network set up already, with ISDN and a Cisco 800 Series Router.  It probably doesn't matter to you, but they also have a Cisco Catalyst.  Anyhow, I am going to put another computer on their network with an FTP Server program.  I know that I will have to setup port forwarding on the router to point all FTP requests to the computer with the FTP Server installed when they point their browser to ftp://xxx.xxx.xxx.xxx.  I've done this on a Linksys router, but never a Cisco router.  Could anyone please tell me step by step how to do it and maybe any other information that I may need to know?  I appreciate your help!
0
Comment
Question by:ACSNS
9 Comments
 
LVL 10

Expert Comment

by:anupnellip
ID: 10970536
First of all, you need to have a static IP address assigned by your ISP for this to work. I suppose you are using NAT here.
It is a simple command:
ip nat inside source static ftpserver_IP_address YOUR_PUBLIC_IP_ADDRESS

where ftpserver_IP_address is the IP address of the FTP server inside your LAN
and YOUR_PUBLIC_IP_ADDRESS is the IP address that clients will be using to access it from the internet.

Then you need to use an access list to restrict access only to FTP.

Please let me know in detail about your network and how it is being connected. Also, please post your running config on the 800 for more detailed help.
0
 
LVL 1

Author Comment

by:ACSNS
ID: 10972226
Thanks for the info so far, I think that will help greatly.  What do you mean by set up access list to restrict only to ftp?  Does this mean when I point the browser to ftp://xxx.xxx.xxx.xxx that only ftp traffic can be allowed through?  What is the command for this, is it access-list 1 permit ftpserver_ip_address 0.0.0.0 ?

I appreciate your help with this...

Thanks,
Andy
0
 
LVL 10

Expert Comment

by:anupnellip
ID: 10976414
When you use the command
ip nat inside source static ftpserver_IP_address YOUR_PUBLIC_IP_ADDRESS

all the ports are opened for your FTP server inside the LAN, i.e. it becomes like a computer on the internet and the NAT protection is no longer there. So all the ports open on your FTP server will be open to the internet. As this is not recommended, use an access list to restrict the access only to FTP.

I will give an example.

Suppose your FTP server IP address is 10.0.1.100 and you want to assign it a public IP of 67.1.1.11 (this should be assigned by your ISP).

use the command

ip nat inside source static 10.0.1.100 67.1.1.11

now create access list

no access-list 101
access-list 101 deny ip host 67.1.1.11 any
access-list 101 permit tcp any any established
access-list 101 permit tcp any host 67.1.1.11 range ftp-data ftp

Now apply this access list to your dialer interface.

ip access-group 101 in


Hope this helps


0
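The access list in the comment above can be walked through packet by packet. The following is an added example, not part of the original thread: a small Python model of first-match evaluation over the three entries of access-list 101 plus the implicit deny at the end. Every packet in it is constructed, and all addresses other than 67.1.1.11 are documentation-range placeholders.

```python
from dataclasses import dataclass

PUBLIC_IP = "67.1.1.11"  # sample public address used in the thread

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags set on the packet

# access-list 101 from the thread, in order: (action, ACE text, match function)
ACL_101 = [
    ("deny", "deny ip host 67.1.1.11 any",
     lambda p: p.src == PUBLIC_IP),
    ("permit", "permit tcp any any established",  # "established" = ACK or RST set
     lambda p: p.proto == "tcp" and bool(p.flags & {"ACK", "RST"})),
    ("permit", "permit tcp any host 67.1.1.11 range ftp-data ftp",
     lambda p: p.proto == "tcp" and p.dst == PUBLIC_IP and 20 <= p.dport <= 21),
]

def evaluate(pkt, acl=ACL_101):
    """Return (action, matching ACE); first match wins, no match is denied."""
    for action, text, match in acl:
        if match(pkt):
            return action, text
    return "deny", "implicit deny any"

# Constructed packets arriving inbound on the outside (dialer) interface.
SAMPLES = {
    "ftp control SYN":     Packet("tcp", "198.51.100.7", PUBLIC_IP, 21, frozenset({"SYN"})),
    "other TCP port SYN":  Packet("tcp", "198.51.100.7", PUBLIC_IP, 3389, frozenset({"SYN"})),
    "spoofed own address": Packet("tcp", PUBLIC_IP, PUBLIC_IP, 21, frozenset({"SYN"})),
    "reply to server":     Packet("tcp", "203.0.113.80", PUBLIC_IP, 40001, frozenset({"ACK"})),
    "passive data SYN":    Packet("tcp", "198.51.100.7", PUBLIC_IP, 50000, frozenset({"SYN"})),
    "UDP DNS reply":       Packet("udp", "203.0.113.53", PUBLIC_IP, 40002),
}

def run_samples():
    """Evaluate every constructed packet and return name -> (action, ACE)."""
    return {name: evaluate(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, (action, ace) in run_samples().items():
        print(f"{name:20} {action:6} {ace}")
```

Only new connections to ports 20 and 21 and packets of already established TCP sessions get through. Everything else inbound on that interface, including UDP replies and a passive-mode data connection to a high port, falls to the implicit deny.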
 
LVL 1

Author Comment

by:ACSNS
ID: 10977610
Ok, all your help has been great, I just want to make sure I have this down before I walk in there, I don't want to look like a huge idiot... haha

Here is the exact command line I should need to type in order to make this happen...

conf t
ip nat inside source static 10.0.1.100 67.1.1.11
no access-list 101
access-list 101 deny ip host 67.1.1.11 any
access-list 101 permit tcp any any established
access-list 101 permit tcp any host 67.1.1.11 range ftp-data ftp
ip access-group 101 in
exit
wr mem

You've been a great help, it'll be my pleasure to award you with these points once we're done here!

Thanks,
Andy
0
 
LVL 1

Author Comment

by:ACSNS
ID: 10978206
Also, I was just talking to my friend who works at an ISP and he was telling me that the following should work... What are your thoughts on this?

conf t
ip nat inside source static tcp 10.0.1.100 21 67.1.1.11 21 extendable
exit
wr mem

He said that the access list stuff aren't needed because the first line dictates that it's only for port 21.  Let me know if your way is better, and why.

Thanks again!
Andy
0
 
LVL 10

Accepted Solution

by:
anupnellip earned 500 total points
ID: 10984462
Hi,

Your friend's suggestion is very much valid and simple.

Though my method is more flexible in terms of controlling access. It is always recommended to control access using an access list, as later on you can open up more ports according to the need.
But if you are not comfortable with access lists, then using your friend's command is the best way to go.

In case you wish to use my method, just make sure you enter interface configuration of the interface before you apply the access list, e.g.
config t
interface dialer ( if you are specifying the IP address here. If you are specifying it at the bri interface use interface bri0 )
ip access-group 101 in
0
 
LVL 1

Author Comment

by:ACSNS
ID: 10987686
Thanks for your help!
0
 

Expert Comment

by:stylosoph
ID: 11093861
How to solve the problem if I've got a dynamic IP?
0
 

Expert Comment

by:quicksmart
ID: 12735704
I have found this thread very useful in configuring a c827h DSL router lately, and thought I would suggest a possible solution (I believe this will work with any ISDN from the 800 series also):
conf t
ip nat inside source static tcp 10.0.1.100 21 interface Dialer1 21
exit
wr mem
reload

This basically will allow any access to port 21 on the Dialer1 interface (WAN port, DSL port, ISDN port as far as I know) to be translated, rather than just limiting translation to requests to the single IP. So if you have a dynamic IP, use this version. If you have multiple IPs assigned to your connection, it's quite a nice feature that you can redirect port 21 to different machines for each external IP! Pretty sweet!
Thanks for asking this question in the first place, ACSNS, it's saved my bacon today!
0
