CLEARPATH (Netherlands) asked:

FTP connection problem with Cisco router

Hello,

I have the following problem with a Cisco router and an FTP site.
I am able to connect to the FTP site (FTP from the command line) through the internet, IP address 126.126.126.1 (internal 192.192.100.11), in the following configuration, and I can do an ls and retrieve files from the FTP site. So all looks good.

But when I open an FTP session from a VB.NET program, using ecf32 from marshalsoft, I cannot retrieve files from the site. I can log on, but when I try to retrieve data from the server I get a timeout. When I delete the 'ip access-group 111 in' from Dialer1 all works well. So the problem lies in access-list 111, but I can't find it.

Maybe someone can help me?


Here's the configuration:


User Access Verification

Password:
routeradsl>en
Password:
routeradsl#wr t
Building configuration...

Current configuration : 7150 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname routeradsl
!
logging buffered 50000 debugging
enable secret    abcd123
enable password  abcd123
!
username username password password

memory-size iomem 25
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
no ip domain-lookup
ip domain-name router.nl
ip name-server 123.118.1.11
!
ip inspect audit-trail
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name binnen udp
ip inspect name binnen cuseeme
ip inspect name binnen h323
ip inspect name binnen rcmd
ip inspect name binnen realaudio
ip inspect name binnen streamworks
ip inspect name binnen vdolive
ip inspect name binnen sqlnet
ip inspect name binnen tftp
ip inspect name binnen netshow
ip inspect name binnen fragment maximum 256 timeout 1
ip inspect name binnen http
ip audit notify log
ip audit po max-events 100
ip cef
ip ssh time-out 60
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
vpdn-group pppoe
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key router&$usa address 123.123.123.1
crypto isakmp key router&$nie address 124.124.124.1
crypto isakmp key router&$DE address 125.125.125.1
!
!
crypto ipsec transform-set usa esp-des esp-md5-hmac
crypto ipsec transform-set nieuwegein esp-des esp-md5-hmac
crypto ipsec transform-set routerde esp-des esp-md5-hmac
!
crypto map cisco local-address Dialer1
crypto map cisco 10 ipsec-isakmp
 set peer 123.123.123.1
 set transform-set usa
 match address 121
crypto map cisco 20 ipsec-isakmp
 set peer 124.124.124.1
 set transform-set nieuwegein
 match address 122
crypto map cisco 30 ipsec-isakmp
 set peer 125.125.125.1
 set transform-set routerde
 match address 123
!
!
!
!
interface ATM0/0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0 1/20
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 no fair-queue
 crypto map cisco
 hold-queue 224 in
!
interface FastEthernet0/0
 ip address 192.192.100.253 255.255.255.0
 ip access-group 120 in
 ip accounting access-violations
 ip nat inside
 ip tcp adjust-mss 1452
 no ip mroute-cache
 no keepalive
 speed auto
 half-duplex
 no cdp enable
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 no keepalive
 peer default ip address pool vpdnpool
 ppp encrypt mppe auto
 ppp authentication ms-chap pap chap
 crypto map cisco
!
interface Dialer1
 ip address negotiated
 no ip unreachables
 ip access-group 111 in
 ip accounting access-violations
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname routeradsl
 ppp chap password hello
 ppp pap sent-username routeradsl password hello
 ppp ipcp dns accept
 crypto map cisco
!
ip local pool vpdnpool 172.16.102.1 172.16.102.254
ip nat inside source route-map nonat interface Dialer1 overload
ip nat inside source static tcp 192.192.100.130 443 126.126.126.1 443 extendable
ip nat inside source static tcp 192.192.100.11 21 126.126.126.1 21 extendable
ip nat inside source static tcp 192.192.100.11 20 126.126.126.1 20 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip pim bidir-enable
!
!
access-list 2 permit 192.192.100.0 0.0.0.255
access-list 23 permit 192.192.100.0 0.0.0.255
access-list 23 permit 192.192.110.0 0.0.0.255
access-list 23 permit 172.16.102.0 0.0.0.255
access-list 101 permit ip host 192.192.100.130 any
access-list 101 permit udp any eq isakmp host 126.126.126.1 eq isakmp
access-list 101 permit esp any host 126.126.126.1
access-list 101 permit ahp any host 126.126.126.1
access-list 101 permit gre any host 126.126.126.1
access-list 101 permit tcp any host 126.126.126.1 eq 1723
access-list 101 permit ip host 125.125.125.1 any
access-list 101 permit tcp any any eq telnet
access-list 103 deny   ip 192.192.100.0 0.0.0.255 192.192.100.0 0.0.0.255
access-list 103 deny   ip 192.192.100.0 0.0.0.255 192.192.90.0 0.0.0.255
access-list 103 deny   ip 192.192.100.0 0.0.0.255 192.192.110.0 0.0.0.255
access-list 103 permit ip 192.192.100.0 0.0.0.255 any
access-list 110 permit ip 192.192.100.0 0.0.0.255 any
access-list 110 deny   ip 192.192.100.0 0.0.0.255 192.192.100.0 0.0.0.255
access-list 110 deny   ip 192.192.100.0 0.0.0.255 192.192.90.0 0.0.0.255
access-list 110 deny   ip 192.192.100.0 0.0.0.255 192.192.110.0 0.0.0.255
access-list 111 permit ip host 125.125.125.1 any
access-list 111 permit ip host 124.124.124.1 any
access-list 111 permit ip 192.192.110.0 0.0.0.255 any
access-list 111 permit ip 10.0.10.0 0.0.0.255 192.192.100.0 0.0.0.255
access-list 111 permit ip 10.11.1.0 0.0.0.255 192.192.100.0 0.0.0.255
access-list 111 permit ip 192.192.110.0 0.0.0.255 192.192.100.0 0.0.0.255
access-list 111 permit ip 192.192.90.0 0.0.0.255 192.192.100.0 0.0.0.255
access-list 111 permit tcp any any range ftp-data ftp
access-list 111 permit tcp any any eq telnet
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit gre any any
access-list 111 permit udp any any eq netbios-dgm
access-list 111 deny   ip any any log
access-list 120 permit ip 192.192.100.0 0.0.0.255 any
access-list 120 deny   ip any any log
access-list 121 permit ip 192.192.100.0 0.0.0.255 192.192.100.0 0.0.0.255
access-list 122 permit ip 192.192.100.0 0.0.0.255 192.192.90.0 0.0.0.255
access-list 123 permit ip 192.192.100.0 0.0.0.255 192.192.110.0 0.0.0.255
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
 match ip address 103
!
!
line con 0
line aux 0
line vty 0 4
 access-class 23 in
 password hello
 login
 transport input telnet
!
end

Jan Bacher (United States):

Are you using a passive or active connection in your ftp client?

>> access-list 111 permit tcp any any range ftp-data ftp

Can you try removing the line above and instead use the one below?

access-list 111 permit tcp any any eq ftp

Cheers,
Rajesh

Actually he'll need both if he's doing active FTP.

If he can connect, he's hitting port 21.  If he can list the directory contents he's either initiating the data channel or the data channel initiated by the server is passing through the firewall.

I believe that the firewall should log any denies, can you do a "show log | i ftp.server.ip.addr" (no quotes)?
CLEARPATH (asker):

Sorry for the delay, I was out of town for work.

This is a sh log for my own IP address <my ip>. It is a passive connection. I get a greeting message from the server, but when the FTP program tries to copy a file I get a timeout error.

routeradsl#sh log | include <my ip>
6d22h: %SEC-6-IPACCESSLOGP: list 111 denied tcp <my ip>(1222) -> 126.126.126.1(60937), 1 packet
6d22h: %SEC-6-IPACCESSLOGP: list 111 denied tcp <my ip>(1223) -> 126.126.126.1(60944), 1 packet
6d22h: %SEC-6-IPACCESSLOGP: list 111 denied tcp <my ip>(1223) -> 126.126.126.1(60944), 2 packets
6d22h: %SEC-6-IPACCESSLOGP: list 111 denied tcp <my ip>(1222) -> 126.126.126.1(60937), 2 packets
6d22h: %SEC-6-IPACCESSLOGP: list 111 denied tcp <my ip>(1239) -> 126.126.126.1(61045), 1 packet
6d22h: %SEC-6-IPACCESSLOGP: list 111 denied tcp <my ip>(1254) -> 126.126.126.1(61068), 1 packet
6d22h: %SEC-6-IPACCESSLOGP: list 111 denied tcp <my ip>(1255) -> 126.126.126.1(61069), 1 packet
6d23h: %SEC-6-IPACCESSLOGP: list 111 denied tcp <my ip>(1239) -> 126.126.126.1(61045), 2 packets
routeradsl#

Could it be a NAT/PAT problem? I should expect to see something on port 20/21 on 126.126.126.1 instead of those high numbers.

ASKER CERTIFIED SOLUTION: Jan Bacher (United States)
[solution text available to members only]

SOLUTION
[solution text available to members only]

This access-list is incoming on the dialer interface.  If he needs to test for the FTP server IP, it has to come first.

If you fix rsivanandan's access-list to allow 1025-65536 range from the ftp server to any port, you set yourself up with allowing low port access which is not something that I would recommend.

I've tried 'access-list 111 permit tcp any <your_net> <your_mask> established'
but then I need to know the ip address of everyone who wants to make a connection, and that is not an option.
When I put 'access-list 111 permit tcp any 126.126.126.1 gt 1024' it works, but we like to close as many ports as possible.

So I am going to try to open an active connection, but it will be Monday before I can test that.
(The weekend has already started here!)

So far thank you both for your help, I'll get back to you on Monday.

Yes, that is the tradeoff you need to make with passive FTP, and that is why I put in the ACL with 'gt 1024' for only one FTP server.

If you use active FTP, then just the one I initially mentioned would suffice.

Cheers,
Rajesh
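To see why the passive transfer in the asker's log hits the final deny while the control connection and an active-mode transfer pass, here is an added example (not from any poster in this thread) that evaluates the FTP-related entries of access-list 111 against those inbound flows with first-match semantics. The client address 203.0.113.5 is constructed as a stand-in for <my ip>, and the "fixed" list is the asker's 'gt 1024' entry written with the host keyword and placed before the final deny, as Jan's comment requires.

```python
import ipaddress
PORTS = {"ftp-data": 20, "ftp": 21, "telnet": 23}   # named ports that appear in access-list 111

def _port(tok):
    return PORTS.get(tok) or int(tok)

def _addr(toks):  # any | host A | A WILDCARD  ->  (network, remaining tokens)
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    wild = int(ipaddress.ip_address(toks[1]))            # contiguous wildcard masks only
    return ipaddress.ip_network(f"{toks[0]}/{32 - wild.bit_length()}", strict=False), toks[2:]

def _ports(toks):  # optional eq P | gt P | range A B  ->  ((lo, hi), remaining tokens)
    if toks and toks[0] == "eq":
        return (_port(toks[1]), _port(toks[1])), toks[2:]
    if toks and toks[0] == "gt":
        return (_port(toks[1]) + 1, 65535), toks[2:]
    if toks and toks[0] == "range":
        return (_port(toks[1]), _port(toks[2])), toks[3:]
    return (0, 65535), toks

def parse_ace(line):  # 'access-list N permit|deny PROTO SRC [ports] DST [ports] [log]'
    t = line.split()
    action, proto, t = t[2], t[3], t[4:]
    src, t = _addr(t); sports, t = _ports(t)
    dst, t = _addr(t); dports, t = _ports(t)
    return {"action": action, "proto": proto, "src": src, "sp": sports, "dst": dst, "dp": dports}

def evaluate(acl, proto, sip, sport, dip, dport):  # first match wins; implicit deny at the end
    sip, dip = ipaddress.ip_address(sip), ipaddress.ip_address(dip)
    for a in acl:
        if (a["proto"] in ("ip", proto) and sip in a["src"] and dip in a["dst"]
                and a["sp"][0] <= sport <= a["sp"][1] and a["dp"][0] <= dport <= a["dp"][1]):
            return a["action"]
    return "deny"

# The FTP-relevant entries of access-list 111 from the thread, in their original order.
ACL_111 = [parse_ace(l) for l in """
access-list 111 permit ip 192.192.110.0 0.0.0.255 any
access-list 111 permit tcp any any range ftp-data ftp
access-list 111 deny   ip any any log
""".strip().splitlines()]
# The asker's passive-FTP workaround, host keyword spelled out, placed BEFORE the final deny.
ACL_111_FIXED = ACL_111[:-1] + [parse_ace("access-list 111 permit tcp any host 126.126.126.1 gt 1024")] + ACL_111[-1:]

def check_flows(acl, client="203.0.113.5"):  # constructed client address standing in for <my ip>
    return {"control": evaluate(acl, "tcp", client, 1222, "126.126.126.1", 21),        # to port 21
            "active_data": evaluate(acl, "tcp", client, 1223, "126.126.126.1", 20),    # reply toward port 20
            "passive_data": evaluate(acl, "tcp", client, 1222, "126.126.126.1", 60937)}  # port from the log
```

Note that the 'ip inspect name binnen' set in the posted config contains no ftp entry and is not applied to any interface; if it were applied on Dialer1 and included ftp, CBAC would open the passive data connections dynamically from the control channel instead of needing a standing 'gt 1024' entry.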

I've tried an active connection without the 'gt 1024' line in the access list and that works.
I'll do some more testing on another PC, but it looks good!

Lemme know :-)

Cheers,
Rajesh

So, my suggestion works for you?

Hi Jesper and Rajesh,

Both answers worked for me, so I've divided the points.

Thanks!