3 FTP Sites (different ports) Behind PAT (Cisco 806)

Hello!

Here's a fun one:

Objective:  Single private LAN segment behind Cisco 806 Soho router with single IP (PATed).  This router is forwarding traffic to an IIS Server that has 3 separate FTP sites using different ports.  Each FTP server points to a different drive letter share for the root directory of the FTP site (respectively).


Problem: Outside FTP clients (one behind Linksys Router - New), they get prompted with inaccessible errors.  Internal clients can connect properly without issue.  I realize that this is probably related to PASV or Active mode FTP.  I have CuteFTP on my outside clients to attempt a pre-PASV mode preference.  But is there something on the server or router (probably router) that needs to happen?

Facts:
*Single Lan Segment (10.1.0.0/16)
*External IP: 1.2.3.4 (example)
*Domain= Windows 2000 Active Directory
*All Hosts under AD administrative control & membership
*PRDFTP01, 10.1.0.200: Internal FTP Server - Windows 2000 Server SP4 with IIS6 (Fully Patched)
*PRDVAULT01: Internal Share Host - Windows XP Pro SP2
*Local Drives to share on PRDVAULT01: C,D,E
*FTP Ports PATed to FTP Server: 5000,5001,5002 TCP.
*IIS FTP Server configured only for the port change.  All other factors are default.
*Service account that allows FTP server to connect to PRDVAULT01 shares is administrative to all servers (for testing right now.)

*806 Configuration:

Current configuration : 3221 bytes                                  
!
! Last configuration change at 02:29:18 CST Sun Mar 26 2006                                                          
! NVRAM config last updated at 14:15:38 CST Wed Mar 22 2006                                                          
!
version 12.2            
no parser cache              
no service single-slot-reload-enable                                    
no service pad              
service timestamps debug u                        
service timestamps log uptime                            
service password-encryption                          
!
hostname REM              
!
logging rate-limit console 10 except errors                                          
logging trap debugging                      
logging facility auth                    
logging 10.1.0.201                  
enable secret 5 REM                                            
!
clock timezone CST -6                    
ip subnet-zero              
ip domain-name REM                        
ip name-server REM                          
ip name-server REM                            
ip name-server REM
ip name-server REM                              
ip name-server REM                          
ip name-server REM                        
!
no ip dhcp-client network-discovery                                  
lcp max-session-starts 0                        
!
!
!
interface Ethernet0                  
 ip address 10.1.0.1 255.255.0.0                                
 ip nat inside              
 ip pim dense-mode                  
!
interface Ethernet1                  
 ip address dhcp                
 ip access-group 161 in                      
 ip access-group 161 out                        
 ip nat outside              
 no cdp enable              
!
ip nat inside source list 102 interface Ethernet1 overload                                                          
ip nat inside source static tcp 10.1.0.200 5003 interface Ethernet1 5003                                                                        
ip nat inside source static tcp 10.1.0.200 5002 interface Ethernet1 5002                                                                        
ip nat inside source static tcp 10.1.0.200 5001 interface Ethernet1 5001                                                                        
ip nat inside source static tcp 10.1.0.200 5000 interface Ethernet1 5000                                                                        
ip nat inside source static tcp 10.1.0.100 3389 interface Ethernet1 65431                                                                        
ip nat inside source static udp 10.1.0.100 3784 interface Ethernet1 3784                                                                        
ip nat inside source static tcp 10.1.0.200 21 interface Ethernet1 21                                                                    
ip nat inside source static tcp 10.1.0.100 3784 interface Ethernet1 3784                                                                        
ip nat inside source static tcp 10.1.160.0 3724 interface Ethernet1 3724 extendable                                                                            
ip nat inside source static tcp 10.1.160.0 6112 interface Ethernet1 6112 extendab                                                                          
ip classless            
no ip http server                
!
access-list 102 permit ip 10.1.0.0 0.0.255.255 any                                                  
access-list 155 permit ip host 10.1.0.28 any                                            
access-list 161 deny udp any any eq snmp                                          
access-list 161 permit ip any any                                
snmp-server community  REM                                  
snmp-server location  REM                              
snmp-server contact  REM                            
banner motd ^C REM ^C
banner prompt-timeout ^CCYour Authentication attempt has timed-out.  Please eith
e
r disconnect or retry authentication.^C
!
line con 0
 exec-timeout 0 0
 password  REM
 logging synchronous
 login
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 password  REM
 logging synchronous
 login
!
scheduler max-task-time 5000
ntp clock-period 17168682
ntp server 204.34.198.40
ntp server 204.34.198.41
end


****


I might be missing some information - please ask questions!   I appreciate any thoughts.  Again, this might be a PASV FTP issue, but how do I resolve it?  That is the meat of this question.

Thanks again!
-Jennifer
jennifer_bormanAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Italia_NYCCommented:
I would almost guarantee your problem is PASV related. I had the same problem, and this is quite common when using FTP sites other than the default port (21).

You have to manually configured PASV ports in IIS; and then open and forward those additional ports to your FTP sites. I have done this successfully.

The article I referenced is here;
http://support.microsoft.com/?id=555022

The important thing to remember after manually setting a small PASV range in IIS, is to open and forward those ports to your FTP sites.


This should fix your problem.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Italia_NYCCommented:
I presume this worked for you?
0
Italia_NYCCommented:
Yes?
0
Italia_NYCCommented:
It Did?
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Networking

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.