jennifer_borman
asked on
3 FTP Sites (different ports) Behind PAT (Cisco 806)
Hello!
Here's a fun one:
Objective: Single private LAN segment behind Cisco 806 SOHO router with single IP (PATed). This router is forwarding traffic to an IIS Server that has 3 separate FTP sites using different ports. Each FTP server points to a different drive letter share for the root directory of the FTP site (respectively).
Problem: Outside FTP clients (one behind Linksys Router - New), they get prompted with inaccessible errors. Internal clients can connect properly without issue. I realize that this is probably related to PASV or Active mode FTP. I have CuteFTP on my outside clients to attempt a pre-PASV mode preference. But is there something on the server or router (probably router) that needs to happen?
Facts:
*Single LAN Segment (10.1.0.0/16)
*External IP: 1.2.3.4 (example)
*Domain= Windows 2000 Active Directory
*All Hosts under AD administrative control & membership
*PRDFTP01, 10.1.0.200: Internal FTP Server - Windows 2000 Server SP4 with IIS6 (Fully Patched)
*PRDVAULT01: Internal Share Host - Windows XP Pro SP2
*Local Drives to share on PRDVAULT01: C,D,E
*FTP Ports PATed to FTP Server: 5000,5001,5002 TCP.
*IIS FTP Server configured only for the port change. All other factors are default.
*Service account that allows FTP server to connect to PRDVAULT01 shares is administrative to all servers (for testing right now.)
*806 Configuration:
Current configuration : 3221 bytes
!
! Last configuration change at 02:29:18 CST Sun Mar 26 2006
! NVRAM config last updated at 14:15:38 CST Wed Mar 22 2006
!
version 12.2
no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug u
service timestamps log uptime
service password-encryption
!
hostname REM
!
logging rate-limit console 10 except errors
logging trap debugging
logging facility auth
logging 10.1.0.201
enable secret 5 REM
!
clock timezone CST -6
ip subnet-zero
ip domain-name REM
ip name-server REM
ip name-server REM
ip name-server REM
ip name-server REM
ip name-server REM
ip name-server REM
!
no ip dhcp-client network-discovery
lcp max-session-starts 0
!
!
!
interface Ethernet0
ip address 10.1.0.1 255.255.0.0
ip nat inside
ip pim dense-mode
!
interface Ethernet1
ip address dhcp
ip access-group 161 in
ip access-group 161 out
ip nat outside
no cdp enable
!
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source static tcp 10.1.0.200 5003 interface Ethernet1 5003
ip nat inside source static tcp 10.1.0.200 5002 interface Ethernet1 5002
ip nat inside source static tcp 10.1.0.200 5001 interface Ethernet1 5001
ip nat inside source static tcp 10.1.0.200 5000 interface Ethernet1 5000
ip nat inside source static tcp 10.1.0.100 3389 interface Ethernet1 65431
ip nat inside source static udp 10.1.0.100 3784 interface Ethernet1 3784
ip nat inside source static tcp 10.1.0.200 21 interface Ethernet1 21
ip nat inside source static tcp 10.1.0.100 3784 interface Ethernet1 3784
ip nat inside source static tcp 10.1.160.0 3724 interface Ethernet1 3724 extendable
ip nat inside source static tcp 10.1.160.0 6112 interface Ethernet1 6112 extendab
ip classless
no ip http server
!
access-list 102 permit ip 10.1.0.0 0.0.255.255 any
access-list 155 permit ip host 10.1.0.28 any
access-list 161 deny udp any any eq snmp
access-list 161 permit ip any any
snmp-server community REM
snmp-server location REM
snmp-server contact REM
banner motd ^C REM ^C
banner prompt-timeout ^CCYour Authentication attempt has timed-out. Please either disconnect or retry authentication.^C
!
line con 0
exec-timeout 0 0
password REM
logging synchronous
login
stopbits 1
line vty 0 4
exec-timeout 0 0
password REM
logging synchronous
login
!
scheduler max-task-time 5000
ntp clock-period 17168682
ntp server 204.34.198.40
ntp server 204.34.198.41
end
****
I might be missing some information - please ask questions! I appreciate any thoughts. Again, this might be a PASV FTP issue, but how do I resolve it? That is the meat of this question.
Thanks again!
-Jennifer
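Added example, not part of the original post: one way to test the PASV hypothesis raised in the question is to decode the server's 227 reply and compare it with the static PAT entries in the posted 806 configuration. The sample reply and the function names are constructed for illustration; the addresses and NAT lines are the ones given in the question.

```python
import ipaddress
import re

# Static PAT entries copied from the 806 configuration in the question.
NAT_CONFIG = """\
ip nat inside source static tcp 10.1.0.200 5003 interface Ethernet1 5003
ip nat inside source static tcp 10.1.0.200 5002 interface Ethernet1 5002
ip nat inside source static tcp 10.1.0.200 5001 interface Ethernet1 5001
ip nat inside source static tcp 10.1.0.200 5000 interface Ethernet1 5000
ip nat inside source static tcp 10.1.0.200 21 interface Ethernet1 21
"""

STATIC_RE = re.compile(
    r"ip nat inside source static tcp (\S+) (\d+) interface \S+ (\d+)")
PASV_RE = re.compile(r"^227 .*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def forwarded_ports(config, inside_host):
    """Return {outside_port: inside_port} for TCP statics to inside_host."""
    return {int(m.group(3)): int(m.group(2))
            for m in STATIC_RE.finditer(config) if m.group(1) == inside_host}

def parse_pasv(reply):
    """Decode a 227 reply into (ip, port); port = p1 * 256 + p2 (RFC 959)."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % reply)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def diagnose(reply, control_ip, config, inside_host):
    """List reasons an outside client could not open the data connection."""
    ip, port = parse_pasv(reply)
    problems = []
    if ipaddress.ip_address(ip).is_private and ip != control_ip:
        problems.append("server advertises private address %s, client "
                        "connected to %s" % (ip, control_ip))
    if port not in forwarded_ports(config, inside_host):
        problems.append("data port %d has no static PAT entry" % port)
    return problems

# Constructed sample: a reply carrying the server's inside address.
SAMPLE_REPLY = "227 Entering Passive Mode (10,1,0,200,4,31)."

if __name__ == "__main__":
    print(diagnose(SAMPLE_REPLY, "1.2.3.4", NAT_CONFIG, "10.1.0.200"))
```

Feed it the 227 line from the outside client's session log; an empty list means the advertised address and data port are both reachable through the router as configured.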
ASKER CERTIFIED SOLUTION
I presume this worked for you?
Yes?
It Did?