ftp connection problem with cisco router

Posted on 2007-08-08
Last Modified: 2013-11-29
Hello,

I have the following problem with a cisco router and an ftp site.
I am able to connect to the ftp site (ftp using the command line) through the internet, ip address 126.126.126.1 (internal 192.192.100.11) in the following configuration, and I can do an ls and I can retrieve files from the ftp site. So all looks good.

But when I open an ftp session from a vb.net program, using ecf32 from marshalsoft, I can not retrieve files from the site. I can log on, but when I try to retrieve data from the server I get a timeout. When I delete the 'ip access-group 111 in' from the dialer1 all works well. So the problem lies in access-list 111, but I can't find it.

Maybe someone can help me?


Here's the configuration:


User Access Verification

Password:
routeradsl>en
Password:
routeradsl#wr t
Building configuration...

Current configuration : 7150 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname routeradsl
!
logging buffered 50000 debugging
enable secret    abcd123
enable password  abcd123
!
username username password password

memory-size iomem 25
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
no ip domain-lookup
ip domain-name router.nl
ip name-server 123.118.1.11
!
ip inspect audit-trail
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name binnen udp
ip inspect name binnen cuseeme
ip inspect name binnen h323
ip inspect name binnen rcmd
ip inspect name binnen realaudio
ip inspect name binnen streamworks
ip inspect name binnen vdolive
ip inspect name binnen sqlnet
ip inspect name binnen tftp
ip inspect name binnen netshow
ip inspect name binnen fragment maximum 256 timeout 1
ip inspect name binnen http
ip audit notify log
ip audit po max-events 100
ip cef
ip ssh time-out 60
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
vpdn-group pppoe
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key router&$usa address 123.123.123.1
crypto isakmp key router&$nie address 124.124.124.1
crypto isakmp key router&$DE address 125.125.125.1
!
!
crypto ipsec transform-set usa esp-des esp-md5-hmac
crypto ipsec transform-set nieuwegein esp-des esp-md5-hmac
crypto ipsec transform-set routerde esp-des esp-md5-hmac
!
crypto map cisco local-address Dialer1
crypto map cisco 10 ipsec-isakmp
 set peer 123.123.123.1
 set transform-set usa
 match address 121
crypto map cisco 20 ipsec-isakmp
 set peer 124.124.124.1
 set transform-set nieuwegein
 match address 122
crypto map cisco 30 ipsec-isakmp
 set peer 125.125.125.1
 set transform-set routerde
 match address 123
!
!
!
!
interface ATM0/0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0 1/20
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 no fair-queue
 crypto map cisco
 hold-queue 224 in
!
interface FastEthernet0/0
 ip address 192.192.100.253 255.255.255.0
 ip access-group 120 in
 ip accounting access-violations
 ip nat inside
 ip tcp adjust-mss 1452
 no ip mroute-cache
 no keepalive
 speed auto
 half-duplex
 no cdp enable
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 no keepalive
 peer default ip address pool vpdnpool
 ppp encrypt mppe auto
 ppp authentication ms-chap pap chap
 crypto map cisco
!
interface Dialer1
 ip address negotiated
 no ip unreachables
 ip access-group 111 in
 ip accounting access-violations
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname routeradsl
 ppp chap password hello
 ppp pap sent-username routeradsl password hello
 ppp ipcp dns accept
 crypto map cisco
!
ip local pool vpdnpool 172.16.102.1 172.16.102.254
ip nat inside source route-map nonat interface Dialer1 overload
ip nat inside source static tcp 192.192.100.130 443 126.126.126.1 443 extendable
ip nat inside source static tcp 192.192.100.11 21 126.126.126.1 21 extendable
ip nat inside source static tcp 192.192.100.11 20 126.126.126.1 20 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip pim bidir-enable
!
!
access-list 2 permit 192.192.100.0 0.0.0.255
access-list 23 permit 192.192.100.0 0.0.0.255
access-list 23 permit 192.192.110.0 0.0.0.255
access-list 23 permit 172.16.102.0 0.0.0.255
access-list 101 permit ip host 192.192.100.130 any
access-list 101 permit udp any eq isakmp host 126.126.126.1 eq isakmp
access-list 101 permit esp any host 126.126.126.1
access-list 101 permit ahp any host 126.126.126.1
access-list 101 permit gre any host 126.126.126.1
access-list 101 permit tcp any host 126.126.126.1 eq 1723
access-list 101 permit ip host 125.125.125.1 any
access-list 101 permit tcp any any eq telnet
access-list 103 deny   ip 192.192.100.0 0.0.0.255 192.192.100.0 0.0.0.255
access-list 103 deny   ip 192.192.100.0 0.0.0.255 192.192.90.0 0.0.0.255
access-list 103 deny   ip 192.192.100.0 0.0.0.255 192.192.110.0 0.0.0.255
access-list 103 permit ip 192.192.100.0 0.0.0.255 any
access-list 110 permit ip 192.192.100.0 0.0.0.255 any
access-list 110 deny   ip 192.192.100.0 0.0.0.255 192.192.100.0 0.0.0.255
access-list 110 deny   ip 192.192.100.0 0.0.0.255 192.192.90.0 0.0.0.255
access-list 110 deny   ip 192.192.100.0 0.0.0.255 192.192.110.0 0.0.0.255
access-list 111 permit ip host 125.125.125.1 any
access-list 111 permit ip host 124.124.124.1 any
access-list 111 permit ip 192.192.110.0 0.0.0.255 any
access-list 111 permit ip 10.0.10.0 0.0.0.255 192.192.100.0 0.0.0.255
access-list 111 permit ip 10.11.1.0 0.0.0.255 192.192.100.0 0.0.0.255
access-list 111 permit ip 192.192.110.0 0.0.0.255 192.192.100.0 0.0.0.255
access-list 111 permit ip 192.192.90.0 0.0.0.255 192.192.100.0 0.0.0.255
access-list 111 permit tcp any any range ftp-data ftp
access-list 111 permit tcp any any eq telnet
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit gre any any
access-list 111 permit udp any any eq netbios-dgm
access-list 111 deny   ip any any log
access-list 120 permit ip 192.192.100.0 0.0.0.255 any
access-list 120 deny   ip any any log
access-list 121 permit ip 192.192.100.0 0.0.0.255 192.192.100.0 0.0.0.255
access-list 122 permit ip 192.192.100.0 0.0.0.255 192.192.90.0 0.0.0.255
access-list 123 permit ip 192.192.100.0 0.0.0.255 192.192.110.0 0.0.0.255
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
 match ip address 103
!
!
line con 0
line aux 0
line vty 0 4
 access-class 23 in
 password hello
 login
 transport input telnet
!
end

Question by: CLEARPATH

13 Comments

Expert Comment
by: Jan Springer
ID: 19655354
Are you using a passive or active connection in your ftp client?

Expert Comment
by: rsivanandan
ID: 19656403
>>access-list 111 permit tcp any any range ftp-data ftp

Can you try removing the line above and instead use the one below?

access-list 111 permit tcp any any eq ftp

Cheers,
Rajesh

Expert Comment
by: Jan Springer
ID: 19656607
Actually he'll need both if he's doing active ftp.

If he can connect, he's hitting port 21.  If he can list the directory contents he's either initiating the data channel or the data channel initiated by the server is passing through the firewall.

I believe that the firewall should log any denies; can you do a "show log | i ftp.server.ip.addr" (no quotes)?

Author Comment
by: CLEARPATH
ID: 19668274
Sorry for the delay, I was out of town for my work.

This is a sh log for my own ip address <my ip>. It is a passive connection. I get a greeting message from the server, but when the ftp program tries to copy a file I get a timeout error.

routeradsl#sh log | include <my ip>
6d22h: %SEC-6-IPACCESSLOGP: list 111 denied tcp <my ip>(1222) -> 126.126.126.1(60937), 1 packet
6d22h: %SEC-6-IPACCESSLOGP: list 111 denied tcp <my ip>(1223) -> 126.126.126.1(60944), 1 packet
6d22h: %SEC-6-IPACCESSLOGP: list 111 denied tcp <my ip>(1223) -> 126.126.126.1(60944), 2 packets
6d22h: %SEC-6-IPACCESSLOGP: list 111 denied tcp <my ip>(1222) -> 126.126.126.1(60937), 2 packets
6d22h: %SEC-6-IPACCESSLOGP: list 111 denied tcp <my ip>(1239) -> 126.126.126.1(61045), 1 packet
6d22h: %SEC-6-IPACCESSLOGP: list 111 denied tcp <my ip>(1254) -> 126.126.126.1(61068), 1 packet
6d22h: %SEC-6-IPACCESSLOGP: list 111 denied tcp <my ip>(1255) -> 126.126.126.1(61069), 1 packet
6d23h: %SEC-6-IPACCESSLOGP: list 111 denied tcp <my ip>(1239) -> 126.126.126.1(61045), 2 packets
routeradsl#

Could it be a nat/pat problem? I should expect to see something on port 20/21 on 126.126.126.1 instead of those high numbers.


Accepted Solution
by: Jan Springer (earned 1000 total points)
ID: 19669482
If you were using active ftp, your access list would work for you.

With active ftp, the data channel is established by the ftp server on port 20.

With passive ftp, the data channel is established by the client on a port > 1024 to a port > 1024 on the server.

So, if you're going to do passive ftp, either update the access-list for ftp or permit established connections.

! first line of acl permits connections established from the inside (preferred)
access-list 111 permit tcp any <your_net> <your_mask> established

!or allow passive ftp and restrict by host (not preferred)
access-list 111 permit tcp host 126.126.126.1 any range 1025 65536

Or, change to active ftp.

Assisted Solution
by: rsivanandan (earned 1000 total points)
ID: 19671256
access-list 111 permit tcp any any eq ftp
access-list 111 permit tcp any <FTP_Server_IP> gt 1024

If you add the above access-list entries, it should solve the issue.

Note the first acl is 'any', 'any' so that it can connect to both active and passive ftp servers.

The second one has specifically mentioned the ftp server address so that you allow the ports greater than 1024 for bringing the data in.

Cheers,
Rajesh

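To make the difference between the two suggestions above concrete, here is a small Python evaluator (an example added to this page, not code from the thread or from Cisco) that parses just the subset of IOS extended-ACL syntax used in access-list 111 and runs the packets each FTP mode sends inbound on Dialer1 through three versions of the list: the original, one with Jan Springer's 'established' entry, and one with rsivanandan's 'gt 1024' entry. Assumptions: 203.0.113.5 stands in for the poster's <my ip>; the 'established' entry is instantiated as 'any host 126.126.126.1', because an inbound ACL on the outside interface matches on the public address; the passive-mode packet is rebuilt from the first denied line of the poster's sh log output; everything else comes from the posted config.

```python
"""IOS extended-ACL evaluator for the FTP packets in this thread. Parses only the subset used
in access-list 111: permit/deny, protocol, any/host/wildcard, eq/gt/lt/range, 'established', 'log'."""
import ipaddress
import re
from collections import namedtuple
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "domain": 53}
PROTOCOLS = ("ip", "tcp", "udp", "icmp", "esp", "ahp", "gre")
# syn_only=True marks a connection's first SYN (ACK bit clear)
Packet = namedtuple("Packet", "proto src sport dst dport syn_only", defaults=(False,))
Ace = namedtuple("Ace", "action proto src sport_ok dst dport_ok established text")
def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _addr(tokens):
    """Consume an address spec; None stands for 'any'."""
    tok = tokens.pop(0)
    if tok == "any":
        return None
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # IOS wildcard mask: a 0 bit must match, so its inverse is the netmask
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens.pop(0))) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)

def _port_test(tokens):
    """Consume an optional port operator; return a predicate on a port number."""
    if not tokens or tokens[0] not in ("eq", "gt", "lt", "range"):
        return lambda p: True
    op, a = tokens.pop(0), _port(tokens.pop(0))
    if op == "range":
        b = _port(tokens.pop(0))
        return lambda p: a <= p <= b
    return {"eq": lambda p: p == a, "gt": lambda p: p > a, "lt": lambda p: p < a}[op]

def parse_acl(text):
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] not in PROTOCOLS:
            continue  # standard ACLs and lines outside the subset are skipped
        rest = t[4:]
        src, sport_ok = _addr(rest), _port_test(rest)
        dst, dport_ok = _addr(rest), _port_test(rest)
        aces.append(Ace(t[2], t[3], src, sport_ok, dst, dport_ok, "established" in rest, " ".join(t)))
    return aces

def evaluate(aces, pkt):
    """First match wins; the implicit deny at the end of every ACL is the fallback."""
    for ace in aces:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ace.src is not None and ipaddress.ip_address(pkt.src) not in ace.src:
            continue
        if ace.dst is not None and ipaddress.ip_address(pkt.dst) not in ace.dst:
            continue
        if not (ace.sport_ok(pkt.sport) and ace.dport_ok(pkt.dport)):
            continue
        if ace.established and pkt.syn_only:
            continue  # 'established' needs ACK or RST set; a bare SYN has neither
        return ace.action, ace.text
    return "deny", "implicit deny"
LOG_RE = re.compile(r"list \d+ denied (\w+) (\S+)\((\d+)\) -> (\S+)\((\d+)\)")

def packet_from_log(line):
    """Rebuild the dropped packet from a %SEC-6-IPACCESSLOGP line; a denied
    connection attempt never gets past its SYN, so syn_only is True."""
    proto, src, sport, dst, dport = LOG_RE.search(line).groups()
    return Packet(proto, src, int(sport), dst, int(dport), True)

SERVER = "126.126.126.1"  # the FTP server's public address from the thread
CLIENT = "203.0.113.5"    # constructed stand-in for the poster's '<my ip>'
# TCP-relevant lines of the original access-list 111 from the posted config
ACL_ORIGINAL = """
access-list 111 permit ip host 125.125.125.1 any
access-list 111 permit ip host 124.124.124.1 any
access-list 111 permit tcp any any range ftp-data ftp
access-list 111 permit tcp any any eq telnet
access-list 111 deny   ip any any log
"""
DENY = "access-list 111 deny"
# Jan Springer's 'established' line, instantiated (my assumption) with the server's
# public address, the destination an inbound ACL on Dialer1 matches on before NAT
ACL_ESTABLISHED = ACL_ORIGINAL.replace(DENY, f"access-list 111 permit tcp any host {SERVER} established\n{DENY}")
# rsivanandan's line with <FTP_Server_IP> filled in
ACL_GT1024 = ACL_ORIGINAL.replace(DENY, f"access-list 111 permit tcp any host {SERVER} gt 1024\n{DENY}")
# Constructed from the first denied line of the poster's 'sh log' output
SAMPLE_LOG = f"6d22h: %SEC-6-IPACCESSLOGP: list 111 denied tcp {CLIENT}(1222) -> {SERVER}(60937), 1 packet"
SAMPLE_PACKETS = [
    ("control SYN to 21", Packet("tcp", CLIENT, 1221, SERVER, 21, True)),
    ("active data: reply to server's SYN from 20", Packet("tcp", CLIENT, 1222, SERVER, 20)),
    ("passive data SYN (from log)", packet_from_log(SAMPLE_LOG)),
    ("unrelated probe to 3389", Packet("tcp", CLIENT, 1300, SERVER, 3389, True)),
]

if __name__ == "__main__":
    for name, text in (("original", ACL_ORIGINAL), ("+ established", ACL_ESTABLISHED), ("+ gt 1024", ACL_GT1024)):
        print(f"--- {name}")
        for label, pkt in SAMPLE_PACKETS:
            action, via = evaluate(parse_acl(text), pkt)
            print(f"  {label:<44} {action:<6} via {via}")
```

Running it shows the control connection and the active-mode data reply matching the existing 'range ftp-data ftp' entry in every variant; the passive-mode SYN to port 60937 falling through to 'deny ip any any log' even with the 'established' entry present (a first SYN carries no ACK bit, so that keyword cannot match it); and 'gt 1024' permitting that SYN together with any other inbound SYN to a high port on the server, which is the trade-off discussed later in the thread.
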
 
Expert Comment
by: Jan Springer
ID: 19671347
This access-list is incoming on the dialer interface.  If he needs to test for the ftp server IP, it has to come first.

If you fix rsivanandan's access-list to allow 1025-65536 range from the ftp server to any port, you set yourself up with allowing low port access which is not something that I would recommend.

Author Comment
by: CLEARPATH
ID: 19671863
I've tried 'access-list 111 permit tcp any <your_net> <your_mask> established',
but then I need to know the ip address of everyone who wants to make a connection, and that is not an option.
When I put 'access-list 111 permit tcp any 126.126.126.1 gt 1024' it works, but we like to close as many ports as possible.

So I am going to try to open an active connection, but it will be Monday before I can test that.
(The weekend has already started here!)

So far thank you both for your help, I'll get back to you on Monday.


Expert Comment
by: rsivanandan
ID: 19675008
Yes, that is the tradeoff you need to make with passive ftp, and that is why I put in the acl with 'gt 1024' for only one ftp server.

If you make active ftp then just one as I initially mentioned would suffice.

Cheers,
Rajesh

Author Comment
by: CLEARPATH
ID: 19697791
I've tried an active connection without the 'gt 1024' line in the access list and that works.
I'll do some more testing on another pc, but it looks good!

Expert Comment
by: rsivanandan
ID: 19700011
Lemme know :-)

Cheers,
Rajesh

Expert Comment
by: Jan Springer
ID: 19700020
So, my suggestion works for you?

Author Comment
by: CLEARPATH
ID: 19729344
Hi Jesper and Rajesh,

Both answers worked for me, so I've divided the points.

Thanks !