Solved

Cisco 1720 no Active FTP with NAT

Posted on 2004-09-20
8
1,409 Views
Last Modified: 2008-03-04
I have a T1 with 1720 at network edge... users inside the network can access outside servers using Passive FTP but not Active FTP. I believe this is due to NAT, but not sure.

Would adding one or both of these lines fix problem, where should I put it, and what is the difference:

permit tcp any eq ftp
permit tcp any eq ftp-data

Thanks for any help!

Here is my configuration:

!
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service tcp-small-servers
no service udp-small-servers
!
hostname Mach_1_Router
!
enable password 7 ********
!
no ip name-server
!
ip subnet-zero
no ip domain-lookup
ip routing
!
interface FastEthernet 0
 no shutdown
 description connected to EthernetLAN
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 keepalive 10
!
interface Serial 0
 no shutdown
 description connected to Internet
 service-module t1 clock source line
 service-module t1 data-coding normal
 service-module t1 remote-loopback full
 service-module t1 framing esf
 service-module t1 linecode b8zs
 service-module t1 lbo none
 service-module t1 remote-alarm-enable
 ip address **.***.***.26 255.255.255.252
 ip nat outside
 encapsulation ppp
!
! Access Control List 1
!
no access-list 1
access-list 1 permit 10.0.0.0 0.0.0.255
!
! Access Control List 100
!
no access-list 100
access-list 100 permit ip any any
!
! Static NAT
!
ip nat inside source static 10.0.0.1 **.***.5.9
!
! Dynamic NAT
!
ip nat translation timeout 86400
ip nat translation tcp-timeout 86400
ip nat translation udp-timeout 300
ip nat translation dns-timeout 60
ip nat translation finrst-timeout 60
ip nat pool Mach_1_Router-natpool-1 **.***.5.9 **.***.5.14 netmask 255.0.0.0
ip nat inside source list 1 pool Mach_1_Router-natpool-1 overload
!
! DHCP Server
!
service dhcp
ip dhcp pool 1
 network 10.0.0.0 255.255.255.0
 domain-name mach1wireless.com
 default-router 10.0.0.1
 dns-server **.***.16.67 **.***.17.71
!
router rip
 version 2
 network 10.0.0.0
 passive-interface Serial 0
 no auto-summary
!
!
ip classless
!
! IP Static Routes
ip route 0.0.0.0 0.0.0.0 Serial 0
no ip http server
snmp-server community public RO
snmp-server location *********
snmp-server contact **********
!
line console 0
 exec-timeout 0 0
 password 7 ********
 login
 transport input none
!
line vty 0 4
 password 7 **********
 login

end
0
Comment
Question by:sibon3
8 Comments
 
LVL 5

Expert Comment

by:netspec01
ID: 12203140
As long as you don't block ports 20 & 21 outbound with access lists , you should be able to do FTP outside your router.  You do not have to allow port 20 & 21 back into your network to be able to FTP to a server on the Internet.

Is there a firewall?  This might be the source of the problem where it only is allowing port 21.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 12203282
NAT should not affect Passive FTP. PAT might - I'm not sure.

I agree with NetSpec, a firewall or ACL is more likely to be the culprit. Although your ACL seems to be fairly permissive.
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 12204258
Your access list isn't applied to an interface anyway, so it doesn't do anything. The problem is NAT.

Your NAT is translating inside private addresses to ephemeral TCP ports. The router keeps track of which port and address on the inside is translated to which port on the outside address you configured with your NAT pool. When you use passive FTP, the server on the outside uses the same TCP port that the command came from to send data back. So the router knows that port and sends the data back to your client on the inside.

With active FTP, the server attempts to open a new session TO port 20 on the client. But the server thinks the client address is your outside address, and the router can't translate that back to an inside address.

The only way around this that I can think of is to use static NAT, where each inside address, port 20, is given a specific outside address, port 20, to translate to.
0
 
LVL 28

Accepted Solution

by:
mikebernhardt earned 500 total points
ID: 12204328
Oh- and to answer the question about the ACL:
permit tcp any eq ftp
permit tcp any eq ftp-data

First, in an inbound access list they would have to be
permit tcp any any eq ftp
permit tcp any eq ftp-data any

You have to specify the source and destination in an extended access list. As I said earlier, ftp-data is the data channel in active FTP (port 20), while ftp is the control channel (port 21). The server sets up a connection to the client's port 20. So an inbound access list has to allow port 20 in from the outside world.
0
 
LVL 11

Expert Comment

by:PennGwyn
ID: 12209340
> With active FTP, the server attempts to open a new session TO port 20 on the client. But the server thinks the client address is your outside address. and the router
> can't translate that back to an inside address.

Not quite.  The server tries to open a connection FROM its port 20 (ftp-data) TO an ephemeral port specified by the client.  So two things:

1. If your access-list allows "established", you don't need the "ftp-data" line.

2. The NAT device needs to be aware of FTP, so that when the client nominates an ephemeral port to use, the correct NAT translation is set up.  (The NAT device may need to modify this port number if PAT is being done -- which it almost always is.)

Most modern NAT devices are FTP-aware.  In IOS, there's a "fixup" command to enable the necessary extra processing; it's probably on by default in recent versions, but perhaps not in older versions.  You may need to enable it explicitly.



0
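To make the two explanations above concrete (the PAT table that mikebernhardt describes, and the PORT-command rewriting by an FTP-aware NAT that PennGwyn describes), here is an added toy model written for this page; it is not code from the thread or from Cisco. It assumes a simplified NAT overload table keyed on outside port, a single constructed outside address (198.51.100.9, from the documentation range) and a constructed inside client 10.0.0.23; the "ALG" flag stands in for whatever FTP-aware processing the real router may or may not perform. The model shows that without payload inspection the server receives the client's private address in the PORT command and its data connection from port 20 has nowhere to go, while an FTP-aware NAT pre-installs a translation and rewrites the command so the inbound data connection is mapped back to the inside client.

```python
"""Toy model of PAT (NAT overload) with and without an FTP application-layer
gateway (ALG), showing why active-mode FTP fails through plain PAT.
All addresses and ports below are constructed sample values."""
import re
from dataclasses import dataclass, field

OUTSIDE_ADDR = "198.51.100.9"  # constructed: the router's NAT pool address


@dataclass
class PatTable:
    """Maps an outside TCP port to (inside_addr, inside_port), the way a
    'ip nat inside source ... overload' translation table does."""
    outside_addr: str
    next_port: int = 1024
    table: dict = field(default_factory=dict)

    def allocate(self, inside_addr, inside_port):
        """Return the outside port translated for an inside socket,
        creating a new entry if none exists yet."""
        for oport, entry in self.table.items():
            if entry == (inside_addr, inside_port):
                return oport
        oport = self.next_port
        self.next_port += 1
        self.table[oport] = (inside_addr, inside_port)
        return oport

    def inbound(self, dst_port):
        """Look up a packet arriving from the outside. None means there is
        no translation, so the router drops the SYN."""
        return self.table.get(dst_port)


PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


def parse_port_command(line):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' (RFC 959) into (addr, port)."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    h = m.groups()
    return ".".join(h[:4]), int(h[4]) * 256 + int(h[5])


def format_port_command(addr, port):
    """Encode (addr, port) as an RFC 959 PORT command."""
    return "PORT %s,%d,%d" % (addr.replace(".", ","), port // 256, port % 256)


def outbound_control(pat, control_line, ftp_alg):
    """A client->server control-channel line passing through the router.
    Plain PAT only rewrites the IP/TCP headers, so the PORT payload goes
    through untouched. An FTP-aware NAT allocates a translation for the
    nominated data port and rewrites the command to the outside address."""
    parsed = parse_port_command(control_line)
    if parsed is None or not ftp_alg:
        return control_line
    addr, port = parsed
    oport = pat.allocate(addr, port)  # pre-install the data-channel mapping
    return format_port_command(pat.outside_addr, oport)


def server_data_connection(pat, line_as_seen_by_server):
    """The server opens the active-mode data connection FROM its port 20 TO
    the address/port it read in the PORT command. Returns the inside endpoint
    the router delivers the SYN to, or None if the connection cannot arrive."""
    addr, port = parse_port_command(line_as_seen_by_server)
    if addr != pat.outside_addr:
        return None  # a private 10.x address is unroutable from the Internet
    return pat.inbound(port)


def simulate(ftp_alg):
    """Run one active-mode transfer attempt; returns (what the server saw,
    inside endpoint reached by the server's data SYN or None)."""
    pat = PatTable(OUTSIDE_ADDR)
    client_addr, control_port, data_port = "10.0.0.23", 1029, 1030  # constructed
    pat.allocate(client_addr, control_port)  # control channel already translated
    port_cmd = format_port_command(client_addr, data_port)  # "PORT 10,0,0,23,4,6"
    seen_by_server = outbound_control(pat, port_cmd, ftp_alg)
    return seen_by_server, server_data_connection(pat, seen_by_server)


if __name__ == "__main__":
    for alg in (False, True):
        seen, delivered = simulate(alg)
        print("ALG on" if alg else "ALG off", "| server saw:", seen,
              "| data SYN delivered to:", delivered)
```

With the flag off the server is told "PORT 10,0,0,23,4,6" and its connection from port 20 never reaches the client, which is exactly the symptom in the question; with it on, the server sees the outside address and an outside port the router already maps back to 10.0.0.23:1030. Note that this is the translation problem only; as mikebernhardt's later comment says, an inbound ACL on the outside interface would still need to let that new connection from port 20 in.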
 
LVL 2

Expert Comment

by:peteysa
ID: 12209955
Passive FTP was created to deal with firewall issues client side since the source port from the server to the client is port 20 as stated at this site:

http://slacksite.com/other/ftp.html

The only client I know of that doesn't support passive is the default ftp client in windows.  Other than that they all support passive options.

I know it can be a headache because some clients do not connect in all instances.  

Lastly, I do not believe there is an ftp fixup in IOS, only PIX.  A vpn solution then FTPing would be a more secure solution and would allow FTP to work properly.

Cheers!

dan
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 12218724
PennGwyn is right, it's FROM port 20 on the server to the client. But it is a new session, not an established one regardless of the destination port being used, because it's from a new port. It still has to do the TCP handshake. So you DO need the ftp-data line. We had this issue recently when someone removed the ftp-data line from an internal access list we use here, and we are using IOS 12.2.

What you can do is to use the Firewall Feature Set version of IOS, which will support dynamically allowing inbound ports as needed. In this version, NAT should be able to figure out what's needed and automatically create the correct inbound translation.
0
 
LVL 13

Expert Comment

by:Dr-IP
ID: 12223158
Read this link from Cisco, as it explains what your problem is, and gives a solution as well.

http://www.cisco.com/en/US/products/hw/routers/ps4081/products_tech_note09186a00800947f8.shtml

Also these links may help too as they give details on configuring NAT, and info on debugging it.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml#topic5

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094c32.shtml

0