• Status: Solved

HELP! Cisco 1841 and Access-Lists to allow FTP (PASV)

First off, thanks for looking at my issue! I am trying to set up an FTP site (RaidenFTPD) on my Web server for our customers and I am having a little trouble getting it to work from the outside (inside works great!). I think that I have configured the access lists correctly, but obviously I haven't. Take a look at the config and let me know if I have the FTP and FTP-DATA configured correctly, please. Also, I haven't been able to find anything out about FTP PASV on the 1841s and it is needed.
 
Building configuration...

Current configuration : 14877 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname rtr-Prism
!
boot-start-marker
boot system flash:c1841-advsecurityk9-mz.124-12.bin
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$7U4k$ezmUj9Gl4aPBpT90X9mA60
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authentication login vpnclient group radius local
aaa authorization network groupauthor local
!
aaa session-id common
ip cef
!
!
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall ftp
ip inspect name firewall icmp
ip inspect name firewall snmp
ip inspect name firewall ipsec-msft
ip inspect name firewall tftp
ip inspect name sdm_ins_in_100 tcp
ip inspect name sdm_ins_in_100 udp
ip inspect name sdm_ins_in_100 ftp audit-trail on
ip inspect name sdm_ins_in_100 icmp
ip inspect name sdm_ins_in_100 snmp
ip inspect name sdm_ins_in_100 ipsec-msft
ip inspect name sdm_ins_in_100 tftp
!
!
ip ips notify SDEE
no ip bootp server
no ip domain lookup
ip domain name prismclosings.com
ip name-server 216.68.1.100
ip name-server 216.68.2.100
!
!
crypto pki trustpoint TP-self-signed-2881620887
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2881620887
 revocation-check none
 rsakeypair TP-self-signed-2881620887
!
!
crypto pki certificate chain TP-self-signed-2881620887
 certificate self-signed 01
  30820253 308201BC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32383831 36323038 3837301E 170D3036 30363237 31343036
  34305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 38383136
  32303838 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B663 C80728C6 62ABD2A0 600FF9AB A39A3421 01F0C49E 149A8612 A786A2E7
  FFE67D1E 2F448C35 83348D0C 8BEC6526 168A68C7 950F143F 221941D9 E95D5692
  1DA8C18A BA672267 3F0E0829 89645F5E AC043AF2 EF63A853 436AA7D6 5F336BA9
  6B846407 E521984E EAC1C367 9E5AC022 39944041 EF04BD88 038A74D3 4563A23D
  AFAD0203 010001A3 7B307930 0F060355 1D130101 FF040530 030101FF 30260603
  551D1104 1F301D82 1B727472 2D507269 736D2E70 7269736D 636C6F73 696E6773
  2E636F6D 301F0603 551D2304 18301680 14867D7C 394D4BB8 C770E4BE 3A92FD69
  8455E807 56301D06 03551D0E 04160414 867D7C39 4D4BB8C7 70E4BE3A 92FD6984
  55E80756 300D0609 2A864886 F70D0101 04050003 8181003A 1E93943C E07BC3EC
  E330CAED AD5FB5A0 3289F157 22BA68EB ACC0C3B6 50ABA79F 90F94B8D 1B11DA80
  2E01CACB 3C5A0B57 A6C5D4F0 480475CB 7228A6CF AE3CB6F0 AD3ABFD8 9109DC5F
  D7523262 9444583D 6D5A4C84 5F6C8087 2D15FD34 A143F8EB 0E6C561F 810127A3
  68C7E4CD E80BB7D7 1CC94450 C56F2F92 3551E114 A4B892
  quit
username [username] privilege 15 password [password]
username [username] privilege 15 password [password]
username [username] privilege 15 secret 5 [password]
username [username] password 7 [password]
username [username] password 7 [password]
!
!
track 1 interface Serial0/0/0 line-protocol
!
track 123 rtr 1 reachability
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group CLIENT
 key Pr1sm
 dns 10.244.x.xx
 domain [mydomain].com.local
 pool REMOTEPOOL
 acl 199
 split-dns [mydomain].com.local
 netmask 255.255.255.0
!
crypto isakmp client configuration group SOHO
 key Pr1smS0H0
 dns 10.244.x.xx
 wins 10.244.x.xx
 domain [mydomain].com.local
 pool SOHOPool
 acl 190
 save-password
 include-local-lan
crypto isakmp profile SOHOProfile
   match identity group SOHO
   client authentication list userauthen
   isakmp authorization list groupauthor
   client configuration address respond
crypto isakmp profile vpnclient
   match identity group CLIENT
   client authentication list vpnclient
   isakmp authorization list groupauthor
   client configuration address initiate
   client configuration address respond
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto dynamic-map DYNMAP 10
 set transform-set ESP-3DES-MD5
 set isakmp-profile vpnclient
crypto dynamic-map DYNMAP 20
 set transform-set ESP-3DES-MD5
 set isakmp-profile SOHOProfile
 match address 191
 reverse-route
!
!
crypto map INTMAP 10 ipsec-isakmp dynamic DYNMAP
!
!
!
interface FastEthernet0/0
 description <<LAN VLAN 1-3>>
 ip address 10.244.x.xx 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0/0
 description <<Internet T1 - HCGS 476452..CB>>
 ip address 66.1xx.xxx.xxx 255.255.255.252
 ip access-group 150 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect sdm_ins_in_100 in
 ip inspect firewall out
 ip nat outside
 ip virtual-reassembly
 no ip mroute-cache
 ntp disable
 no cdp enable
 crypto map INTMAP
!
ip local pool REMOTEPOOL 10.244.x.xxxx 10.244.x.xx
ip local pool SOHOPool 192.168.10.1 192.168.10.100
ip route 0.0.0.0 0.0.0.0 66.1xx.xxx.xxx track 123
ip route 10.244.x.xxx0 255.255.255.0 10.244.x.xxx1
ip route 10.244.x.xxx0 255.255.255.0 10.244.x.xxx1
ip route 10.244.x.xxx0 255.255.255.0 10.244.x.xxx1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map NONAT interface Serial0/0/0 overload
ip nat inside source static tcp 10.244.x.xxx30 21 66.1xx.xxx.xxx 21 extendable
ip nat inside source static tcp 10.244.x.xxx100 22 66.1xx.xxx.xxx 22 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 10.244.x.xxx50 25 66.1xx.xxx.xxx 25 route-map SDM_RMAP_4 extendable
ip nat inside source static tcp 10.244.x.xxx30 80 66.1xx.xxx.xxx 80 route-map SDM_RMAP_3 extendable
ip nat inside source static tcp 10.244.x.xxx100 80 66.1xx.xxx.xxx 81 route-map SDM_RMAP_3 extendable
ip nat inside source static tcp 10.244.x.xxx45 443 66.1xx.xxx.xxx 443 route-map SDM_RMAP_4 extendable
ip nat inside source static tcp 10.244.x.xxx100 80 66.1xx.xxx.xxx 8088 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 10.244.x.xxx100 10000 66.1xx.xxx.xxx 10000 route-map SDM_RMAP_2 extendable
!
ip radius source-interface FastEthernet0/0
logging 10.244.x.xxx100
access-list 10 permit 65.90.80.0 0.0.0.255 log
access-list 10 permit 10.244.0.0 0.0.255.255
access-list 10 permit 65.85.80.0 0.0.0.255
access-list 10 permit 65.85.85.0 0.0.0.255
access-list 10 permit 69.133.0.0 0.0.255.255
access-list 10 permit 216.196.0.0 0.0.255.255
access-list 100 remark SDM_ACL Category=2
access-list 100 permit ip host 10.244.x.xxx100 10.244.x.xxx0 0.0.0.255 log
access-list 100 deny   ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 deny   ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 deny   ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 deny   ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip host 10.244.x.xxx100 any
access-list 101 remark NONAT
access-list 101 remark SDM_ACL Category=18
access-list 101 deny   ip host 10.244.x.xxx45 any
access-list 101 deny   ip host 10.244.x.xxx100 any
access-list 101 deny   ip 10.244.x.xxx0 0.0.0.127 10.244.x.xxx0 0.0.0.255
access-list 101 deny   ip 10.244.x.xxx0 0.0.0.127 10.244.x.xxx0 0.0.0.255
access-list 101 deny   ip 10.244.x.xxx0 0.0.0.127 10.244.x.xxx0 0.0.0.255
access-list 101 deny   ip 10.244.x.xxx0 0.0.0.255 10.244.x.xxx0 0.0.0.255
access-list 101 deny   ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 deny   ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 deny   ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 deny   ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 10.244.0.0 0.0.255.255 any
access-list 102 remark SDM_ACL Category=2
access-list 102 deny   ip host 10.244.x.xxx100 10.244.x.xxx0 0.0.0.255
access-list 102 deny   ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 deny   ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 deny   ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 deny   ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 permit ip host 10.244.x.xxx100 any
access-list 103 remark SDM_ACL Category=2
access-list 103 deny   ip host 10.244.x.xxx30 10.244.x.xxx0 0.0.0.255
access-list 103 deny   ip host 10.244.x.xxx100 10.244.x.xxx0 0.0.0.255 log
access-list 103 deny   ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 103 deny   ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 103 deny   ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 103 deny   ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 103 permit ip host 10.244.x.xxx30 any
access-list 103 permit ip host 10.244.x.xxx100 any
access-list 104 remark SDM_ACL Category=2
access-list 104 deny   ip host 10.244.x.xxx50 10.244.x.xxx0 0.0.0.255
access-list 104 deny   ip host 10.244.x.xxx45 10.244.x.xxx0 0.0.0.255
access-list 104 deny   ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 104 deny   ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 104 deny   ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 104 deny   ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 104 permit ip host 10.244.x.xxx50 any
access-list 104 permit ip host 10.244.x.xxx45 any
access-list 105 remark SDM_ACL Category=2
access-list 105 deny   ip host 10.244.x.xxx1 10.244.x.xxx0 0.0.0.255
access-list 105 deny   ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 105 deny   ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 105 deny   ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 105 deny   ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 105 permit ip host 10.244.x.xxx1 any
access-list 108 remark SDM_ACL Category=18
access-list 108 permit ip host 10.244.x.xxx100 any
access-list 108 deny   ip 10.244.x.xxx0 0.0.0.255 10.244.x.xxx0 0.0.0.255
access-list 108 deny   ip 10.244.x.xxx0 0.0.0.255 10.244.x.xxx0 0.0.0.255
access-list 108 deny   ip 10.244.x.xxx0 0.0.0.255 10.244.x.xxx0 0.0.0.255
access-list 108 deny   ip 10.244.x.xxx0 0.0.0.255 10.244.x.xxx0 0.0.0.255
access-list 108 deny   ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 108 deny   ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 108 deny   ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 108 deny   ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 108 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 108 deny   ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 108 permit ip 10.244.0.0 0.0.255.255 any
access-list 108 permit ip 10.0.0.0 0.255.255.255 any
access-list 150 remark SDM_ACL Category=17
access-list 150 permit esp any host 66.1xx.xxx.xxx
access-list 150 remark FTP Access
access-list 150 permit tcp any eq ftp host 10.244.x.xxx30 eq ftp
access-list 150 remark FTP Access - Data
access-list 150 permit tcp any eq ftp-data host 10.244.x.xxx30 eq ftp-data
access-list 150 permit ahp any host 66.1xx.xxx.xxx
access-list 150 permit udp any host 66.1xx.xxx.xxx eq isakmp
access-list 150 permit udp any host 66.1xx.xxx.xxx eq non500-isakmp
access-list 150 permit gre any 10.244.0.0 0.0.255.255
access-list 150 permit ip 10.244.x.xxx0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 150 permit tcp host 24.123.x.xxx host 66.1xx.xxx.xxx eq www
access-list 150 permit tcp any host 66.1xx.xxx.xxx eq www
access-list 150 permit tcp host 24.123.x.xxx host 66.1xx.xxx.xxx eq 81
access-list 150 permit tcp host 24.123.x.xxx host 66.1xx.xxx.xxx eq 22
access-list 150 permit tcp host 24.123.x.xxx host 66.1xx.xxx.xxx eq 10000
access-list 150 permit icmp host 66.1xx.xxx.xxx any
access-list 150 permit tcp any host 66.1xx.xxx.xxx eq smtp
access-list 150 permit tcp any host 66.1xx.xxx.xxx eq 2022
access-list 150 permit tcp 65.80.0.0 0.0.7.255 host 66.1xx.xxx.xxx
access-list 150 permit tcp 216.196.0.0 0.0.255.255 host 66.1xx.xxx.xxx eq telnet
access-list 150 permit tcp 65.80.0.0 0.0.7.255 host 66.1xx.xxx.xxx eq telnet
access-list 150 permit tcp 69.133.0.0 0.0.255.255 host 66.1xx.xxx.xxx
access-list 150 permit tcp any host 66.1xx.xxx.xxx eq 443
access-list 150 permit icmp any any echo-reply
access-list 150 permit icmp host 208.1x.xxx.xxx any
access-list 150 permit icmp 192.168.0.0 0.0.255.255 any
access-list 156 permit ip 10.244.x.xxx0 0.0.0.255 any
access-list 156 permit ip any 10.244.x.xxx0 0.0.0.255
access-list 190 permit ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 190 permit ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 190 permit ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 190 permit ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 191 permit ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 191 permit ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 191 permit ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 191 permit ip 10.244.x.xxx0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 199 remark Split-Tunneling
access-list 199 permit ip 10.244.x.xxx0 0.0.0.255 10.244.x.xxx0 0.0.0.255
access-list 199 permit ip 10.244.x.xxx0 0.0.0.255 10.244.x.xxx0 0.0.0.255
access-list 199 permit ip 10.244.x.xxx0 0.0.0.255 10.244.x.xxx0 0.0.0.255
access-list 199 permit ip 10.244.x.xxx0 0.0.0.255 10.244.x.xxx0 0.0.0.255
snmp-server community [jo-mama] RW
snmp-server location [work]
snmp-server contact [me]
snmp-server host 10.244.x.xxx100 [jo-daddy]
no cdp run
route-map NONAT permit 10
 match ip address 108
!
route-map SDM_RMAP_4 permit 1
 match ip address 104
!
route-map SDM_RMAP_5 permit 1
 match ip address 105
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
route-map SDM_RMAP_2 permit 1
 match ip address 102
!
route-map SDM_RMAP_3 permit 1
 match ip address 103
!
!
radius-server host 10.244.x.xxx12 auth-port 1645 acct-port 1646 key [password]
!
control-plane
!
banner login ^CCC
>>>>>>>>>>>>>>>>>>>>>>>>>> Warning Notice <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>Warning: This system is restricted to xxx authorized users   <
>for business purposes. Unauthorized  access is a violation of the law. <
>This service may be monitored for administrative and security reasons. <
>By proceeding, you consent to this monitoring.                         <
>>>>>>>>>>>>>>>>>>>>>>>>>> Warning Notice <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
^C
!
line con 0
 exec-timeout 15 0
line aux 0
 exec-timeout 15 0
line vty 0 4
 access-class 10 in
 exec-timeout 15 0
 privilege level 15
 password [password]
 transport preferred ssh
 transport input all
line vty 5 15
 access-class 10 in
 exec-timeout 15 0
 privilege level 15
 password [password]
 transport preferred ssh
 transport input all
!
scheduler allocate 20000 1000
end
Asked by james_mixson

1 Solution

tvman_od commented:
You have this

access-list 150 remark FTP Access
access-list 150 permit tcp any eq ftp host 10.244.x.xxx30 eq ftp
access-list 150 remark FTP Access - Data
access-list 150 permit tcp any eq ftp-data host 10.244.x.xxx30 eq ftp-data

But clients don't make the connection with source port 21 or 20.
It's always higher than 1024 and RANDOM,
so you have to remove the limitation and put it like this:

access-list 150 remark FTP Access
access-list 150 permit tcp any host 10.244.x.xxx30 eq ftp
access-list 150 remark FTP Access - Data
access-list 150 permit tcp any host 10.244.x.xxx30 eq ftp-data

Besides that, destination address should be public not 10.244....

Check this article which explains the order of operations in IOS

http://articles.techrepublic.com.com/5100-1035_11-6055946.html
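Added example, not part of this thread and not IOS code: a small Python model of the two points the answer makes (the client's source port is ephemeral, and an inbound ACL on the outside interface is evaluated before NAT, so the destination must be the public address), plus the third thing PASV needs that no static `eq ftp-data` entry can give you. In passive mode the server answers `PASV` with a `227` reply that names a freshly chosen high port; the data connection goes to that port, so a fixed entry for port 20 never matches it. This is the work the router's FTP inspection (`ip inspect ... ftp`, which the posted config applies inbound on Serial0/0/0) does on the control channel: it reads the `227` reply and opens a pinhole for that one connection. All addresses and the `227` reply below are constructed placeholders. One caveat the example does not cover: the address inside the `227` reply is whatever the server writes there, so a server behind NAT must advertise the public address (or the router's FTP ALG must rewrite it), otherwise clients try to connect to a 10.x address.

```python
"""Model of an outside-interface ACL versus passive-mode FTP.

Constructed example for this thread; not the poster's config and not IOS.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed placeholder addresses (not the thread's real hosts).
PUBLIC_IP = "198.51.100.10"   # router's outside address: what an inbound ACL sees, pre-NAT
SERVER_IP = "10.244.1.30"     # FTP server's inside address: only visible after NAT
CLIENT_IP = "203.0.113.7"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One 'permit tcp <src> [eq sport] <dst> [eq dport]' entry; None means 'any'."""
    proto: str
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and self.src in (None, p.src)
                and self.sport in (None, p.sport)
                and self.dst in (None, p.dst)
                and self.dport in (None, p.dport))


def acl_permits(acl: List[Ace], p: Packet) -> bool:
    """First matching entry wins; nothing matched means the implicit deny, as in IOS."""
    return any(ace.matches(p) for ace in acl)


PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Pull host and port out of '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'.

    Port = p1*256 + p2. This is what an FTP-aware inspector reads off the
    control channel to learn which high port the server just opened.
    """
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def pasv_pinhole(reply: str, control: Packet) -> Ace:
    """The dynamic entry an inspector adds for one passive data connection:
    this client (any ephemeral source port) to the advertised host and port."""
    host, port = parse_pasv(reply)
    return Ace("tcp", src=control.src, dst=host, dport=port)


# Entries as posted in the question: source port pinned to 21/20, private destination.
AS_POSTED = [
    Ace("tcp", sport=21, dst=SERVER_IP, dport=21),
    Ace("tcp", sport=20, dst=SERVER_IP, dport=20),
]
# Corrected control-channel entry: any source port, and the public address,
# because the inbound ACL on the outside interface is checked before NAT.
CORRECTED = [Ace("tcp", dst=PUBLIC_IP, dport=21)]


def demo() -> dict:
    # Constructed client SYN to the control port: ephemeral source port, pre-NAT destination.
    control = Packet("tcp", CLIENT_IP, 51234, PUBLIC_IP, 21)
    # Constructed 227 reply in which the server advertises the public address and port 50000.
    reply = "227 Entering Passive Mode (198,51,100,10,195,80)"
    host, port = parse_pasv(reply)
    data = Packet("tcp", CLIENT_IP, 51235, host, port)
    static_data_ace = Ace("tcp", dst=PUBLIC_IP, dport=20)   # 'eq ftp-data', public address
    return {
        "posted": acl_permits(AS_POSTED, control),                  # False: sport and dst both wrong
        "corrected": acl_permits(CORRECTED, control),               # True
        "pasv_port": port,                                          # 50000, a random high port
        "static_ftp_data": acl_permits(CORRECTED + [static_data_ace], data),  # False: port 20 != 50000
        "pinhole": acl_permits(CORRECTED + [pasv_pinhole(reply, control)], data),  # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-16s %s" % (name, value))
```

The point of `static_ftp_data` being False is that even the corrected `eq ftp-data` line on the public address only matters for active-mode transfers (where the server connects out from port 20); for PASV the data port is chosen per transfer, and only stateful inspection of the control channel, or a fixed passive port range on the server with a matching ACL entry, can admit it.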