sibon3
asked on
Cisco 1720 no Active FTP with NAT
I have a T1 with 1720 at network edge... users inside the network can access outside servers using Passive FTP but not Active FTP. I believe this is due to NAT, but not sure.
Would adding one or both of these lines fix the problem, where should I put them, and what is the difference:
permit tcp any eq ftp
permit tcp any eq ftp-data
Thanks for any help!
Here is my configuration:
!
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service tcp-small-servers
no service udp-small-servers
!
hostname Mach_1_Router
!
enable password 7 ********
!
no ip name-server
!
ip subnet-zero
no ip domain-lookup
ip routing
!
interface FastEthernet 0
no shutdown
description connected to EthernetLAN
ip address 10.0.0.1 255.255.255.0
ip nat inside
keepalive 10
!
interface Serial 0
no shutdown
description connected to Internet
service-module t1 clock source line
service-module t1 data-coding normal
service-module t1 remote-loopback full
service-module t1 framing esf
service-module t1 linecode b8zs
service-module t1 lbo none
service-module t1 remote-alarm-enable
ip address **.***.***.26 255.255.255.252
ip nat outside
encapsulation ppp
!
! Access Control List 1
!
no access-list 1
access-list 1 permit 10.0.0.0 0.0.0.255
!
! Access Control List 100
!
no access-list 100
access-list 100 permit ip any any
!
! Static NAT
!
ip nat inside source static 10.0.0.1 **.***.5.9
!
! Dynamic NAT
!
ip nat translation timeout 86400
ip nat translation tcp-timeout 86400
ip nat translation udp-timeout 300
ip nat translation dns-timeout 60
ip nat translation finrst-timeout 60
ip nat pool Mach_1_Router-natpool-1 **.***.5.9 **.***.5.14 netmask 255.0.0.0
ip nat inside source list 1 pool Mach_1_Router-natpool-1 overload
!
! DHCP Server
!
service dhcp
ip dhcp pool 1
network 10.0.0.0 255.255.255.0
domain-name mach1wireless.com
default-router 10.0.0.1
dns-server **.***.16.67 **.***.17.71
!
router rip
version 2
network 10.0.0.0
passive-interface Serial 0
no auto-summary
!
!
ip classless
!
! IP Static Routes
ip route 0.0.0.0 0.0.0.0 Serial 0
no ip http server
snmp-server community public RO
snmp-server location *********
snmp-server contact **********
!
line console 0
exec-timeout 0 0
password 7 ********
login
transport input none
!
line vty 0 4
password 7 **********
login
end
NAT should not affect Passive FTP. PAT might - I'm not sure.
I agree with NetSpec, a firewall or ACL is more likely to be the culprit. Although your ACL seems to be fairly permissive.
Your access list isn't applied to an interface anyway, so it doesn't do anything. The problem is NAT.
Your NAT is translating inside private addresses to ephemeral TCP ports. The router keeps track of which port and address on the inside is translated to which port on the outside address you configured with your NAT pool. When you use passive FTP, the server on the outside uses the same TCP port that the command came from to send data back. So the router knows that port and sends the data back to your client on the inside.
With active FTP, the server attempts to open a new session TO port 20 on the client. But the server thinks the client address is your outside address, and the router can't translate that back to an inside address.
The only way around this that I can think of is to use static NAT, where each inside address, port 20, is given a specific outside address, port 20, to translate to.
> With active FTP, the server attempts to open a new session TO port 20 on the client. But the server thinks the client address is your outside address. and the router
> can't translate that back to an inside address.
Not quite. The server tries to open a connection FROM its port 20 (ftp-data) TO an ephemeral port specified by the client. So two things:
1. If your access-list allows "established", you don't need the "ftp-data" line.
2. The NAT device needs to be aware of FTP, so that when the client nominates an ephemeral port to use, the correct NAT translation is set up. (The NAT device may need to modify this port number if PAT is being done -- which it almost always is.)
Most modern NAT devices are FTP-aware. In IOS, there's a "fixup" command to enable the necessary extra processing; it's probably on by default in recent versions, but perhaps not in older versions. You may need to enable it explicitly.
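As an added illustration (not code from any poster here, nor Cisco's), here is a small Python model of a PAT table and of the FTP PORT command. It shows the two points made above: without FTP awareness the client's PORT command carries its private address across the NAT and the server's inbound data session has nothing to map to; an FTP-aware NAT rewrites the command to the outside address and pre-creates the translation. The outside address 203.0.113.9, the client 10.0.0.25:1025 and the starting outside port 1024 are constructed values.

```python
import re

OUTSIDE_ADDR = "203.0.113.9"   # constructed stand-in for the masked pool address

def parse_port_cmd(line):
    """Parse an FTP 'PORT h1,h2,h3,h4,p1,p2' command into (ip, port)."""
    m = re.fullmatch(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    f = m.groups()
    return ".".join(f[:4]), int(f[4]) * 256 + int(f[5])

def format_port_cmd(ip, port):
    return "PORT %s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)

class PatRouter:
    """Minimal PAT model: one outside address, a table keyed by outside port."""
    def __init__(self, outside_addr):
        self.outside = outside_addr
        self.table = {}            # outside port -> (inside ip, inside port)
        self.next_port = 1024      # constructed starting point for allocations

    def allocate(self, inside_ip, inside_port):
        p = self.next_port
        self.next_port += 1
        self.table[p] = (inside_ip, inside_port)
        return p

    def inbound(self, dst_port):
        """Server opens a new TCP session to outside:dst_port; look it up."""
        return self.table.get(dst_port)

    def forward_port_cmd(self, line, ftp_aware):
        """An inside client's PORT command crosses the NAT on the control channel."""
        ip, port = parse_port_cmd(line)
        if not ftp_aware:
            return line        # sent untouched: private address, no table entry
        p = self.allocate(ip, port)
        return format_port_cmd(self.outside, p)   # rewritten, entry pre-created

def active_ftp_data_connection(ftp_aware):
    """Where does the server's data connection land? None means it cannot."""
    r = PatRouter(OUTSIDE_ADDR)
    # constructed: client 10.0.0.25 listening on ephemeral port 1025 (4*256+1)
    cmd = r.forward_port_cmd("PORT 10,0,0,25,4,1", ftp_aware)
    ip, port = parse_port_cmd(cmd)
    if ip != r.outside:
        return None            # server would try to reach 10.0.0.25 directly
    return r.inbound(port)     # FTP-aware: maps back to the inside client
```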
Passive FTP was created to deal with firewall issues client side since the source port from the server to the client is port 20 as stated at this site:
http://slacksite.com/other/ftp.html
The only client I know of that doesn't support passive is the default ftp client in Windows. Other than that they all support passive options.
I know it can be a headache because some clients do not connect in all instances.
Lastly, I do not believe there is an ftp fixup in IOS, only PIX. A VPN solution then FTPing would be a more secure solution and would allow FTP to work properly.
Cheers!
dan
PennGwyn is right, it's FROM port 20 on the server to the client. But it is a new session, not an established one regardless of the destination port being used, because it's from a new port. It still has to do the TCP handshake. So you DO need the ftp-data line. We had this issue recently when someone removed the ftp-data line from an internal access list we use here, and we are using IOS 12.2.
What you can do is to use the Firewall Feature Set version of IOS, which will support dynamically allowing inbound ports as needed. In this version, NAT should be able to figure out what's needed and automatically create the correct inbound translation.
Read this link from Cisco, as it explains what your problem is, and gives a solution as well.
http://www.cisco.com/en/US/products/hw/routers/ps4081/products_tech_note09186a00800947f8.shtml
Also these links may help too as they give details on configuring NAT, and info on debugging it.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml#topic5
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094c32.shtml
Is there a firewall? This might be the source of the problem where it only is allowing port 21.