snowdog_2112
asked on
Cisco router with FTP server on the inside
What's the best way to configure an internal FTP server behind a Cisco router (850 with DSL connection).
I'm assuming it'll be PASV, so I need a port range (I don't want all ports > 1023).
I assume I have to use PAT, and forward 21/tcp, 20/tcp and the PASV range (say, 5000 - 5100). How do I PAT that range?
e0 (inside) - 192.168.0.1
di0 (outside) - single static public IP.
FTP server (inside) 192.168.0.10
ip nat inside source static tcp 192.168.0.10 21 interface di0 21
ip nat inside source static tcp 192.168.0.10 20 interface di0 20
ip nat inside source static tcp 192.168.0.10 [5000 - 5100] interface di0 [5000 - 5100]
Then, of course, I need the acl to permit those ports on the di0 interface (incoming), which is easier with "permit tcp any any range 5000 5100"
I can't find this anywhere!?!?
ASKER
Your example seems to refer to rtp, sip, and h.323 rather than FTP.
Do I do the same sort of thing for FTP?
Is there a doc somewhere that details how to configure an internal ftp server behind a cisco?
Yes, you do the same thing for FTP. That's just the example Cisco gives in the command reference. Configuring the FTP server is going to depend on what type of FTP server it is. Is it Linux, Microsoft or third party running on XP or something?
ASKER
MS 2003 server (IIS6). I can limit the pasv ports as mentioned, so I didn't think that mattered from the router's perspective.
Why is there no example to configure an FTP server? I'd think that's more common (at this point) than voip configs.
I'll wait for your response and then give you the points. (I'll try to test that meantime).
Thanks.
ASKER
I've got no "ip nat portmap" command available in any of the routers I've looked at (850, 2811).
Hate to ask, but can you be a little more specific? Or point me to the doc where this is detailed? Better yet, some doc that details how the heck to configure simple ol' FTP behind a Cisco router.
Thanks.
http://www.cisco.com/en/US/products/ps6441/products_configuration_guide_chapter09186a00807d416a.html that's the Cisco doc.
http://www.windowsnetworking.com/articles_tutorials/Creating-Configuring-FTP.html
That's an EXCELLENT article on setting up Microsoft FTP servers.
As far as configuring the server to run behind the router, all you have to do is create a Static NAT statement to map the public IP you are going to use to access the FTP server to the private ip of the server. The next step would be to create an access list to specify who can and can't use the server. I re-read your original question and I see you were just wanting to know how to basically set it up? Is this correct?
ASKER
I may not have been clear in my original post, but I am looking for help on the router config, not the server.
The problem seems to be that PORT mode is easier (and preferable) and the server end (just need 20/21), but problematic on the client end. And PASV is easier on the client end but opens up problems (i.e., port > 1023) on the server end. I am on the server end. I have FTP running on the inside, and can access it from the inside, but not from the outside. I can get logged on, but not xfer or DIR. I assume because in PORT mode, I am behind NAT on the outside client, and PASV requires open ports > 1023 (I have reconfigured this to ports 5000 - 5100 on my server).
So...getting back to the original post. I have a single public IP and I am NAT'ing inside clients on that. I need to PAT ports 20, 21, and 5000 - 5100 from the public IP to the internal IP of the FTP server, something like
ip nat inside source static tcp 192.168.0.10 [5000 - 5100] int dialer0 [5000 - 5100]
The above command is not syntactically correct, so I need the proper method to accomplish the equivalent of the above statement.
Thanks!
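The symptom above (login works, DIR and transfers hang) is what you see when the server's 227 reply advertises either its private 192.168.0.10 address or a data port outside the forwarded 5000-5100 range. The following checker is an added example, not the poster's or Cisco's code: it parses a PASV reply and reports both conditions; the 227 replies are constructed samples, and live_check is a hypothetical helper that runs the same check against a real server from the outside.

```python
import ipaddress
import re
from ftplib import FTP

# Passive port range the server in the thread was configured for (5000-5100).
PASV_RANGE = (5000, 5100)

# Constructed sample 227 replies (not captured from the poster's server).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,168,0,10,19,136).",  # private IP, port 5000
    "227 Entering Passive Mode (66,1,2,3,19,237).",      # public IP, port 5101
    "227 Entering Passive Mode (66,1,2,3,19,200).",      # public IP, port 5064
]

_PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; the port is encoded as p1*256 + p2."""
    m = _PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv(reply, pasv_range=PASV_RANGE):
    """Explain why a data connection through the NAT would succeed or fail."""
    ip, port = parse_pasv(reply)
    problems = []
    if ipaddress.ip_address(ip).is_private:
        problems.append("server advertises private address %s" % ip)
    lo, hi = pasv_range
    if not lo <= port <= hi:
        problems.append("port %d is outside forwarded range %d-%d" % (port, lo, hi))
    return ip, port, problems


def live_check(host, user="anonymous", password="anonymous@", pasv_range=PASV_RANGE):
    """Hypothetical helper: log in from outside and inspect the real PASV reply."""
    with FTP(host, timeout=10) as ftp:
        ftp.login(user, password)
        return check_pasv(ftp.sendcmd("PASV"), pasv_range)


if __name__ == "__main__":
    for r in SAMPLE_REPLIES:
        ip, port, problems = check_pasv(r)
        print(ip, port, problems or "OK")
```

If the advertised address is private, the router's FTP ALG (the ip nat service ftp line) is not rewriting the 227 payload; if the port is out of range, the server's passive range and the ACL disagree.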
In case you are looking for the syntax.
Syntax:
ip nat inside source {list {access-list-number |name} {pool name | interface dialer-name} [overload] | static local-ip global-ip}
no ip nat inside source {list {access-list-number | name}{pool name | interface dialer-name} [overload] | static local-ip global-ip}
Syntax Description:
list access-list-number
Standard IP access list number. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.
list name
Name of a standard IP access list. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.
pool name
Name of the pool from which global IP addresses are allocated dynamically.
interface dialer-name
Name of the dialer interface on which the PPP/IPCP address negotiation takes place.
overload
(Optional) Enables the router to use one global address for many local addresses. When overloading is configured, each inside host's TCP or UDP port number distinguishes between the multiple conversations using the same local IP address.
static local-ip
Sets up a single static translation. This argument establishes the local IP address assigned to a host on the inside network. The address could be randomly chosen, allocated from RFC 1918, or obsolete.
global-ip
Sets up a single static translation. This argument establishes the globally unique IP address of an inside host as it appears to the outside world.
try this.
r(config)# interface e0
r(config-if)# ip nat inside
r(config)# interface Dialer 0
r(config-if)# ip nat outside
r(config)# ip nat service list 10 ftp tcp port 21
!--- replace 21 with your FTP control port if it differs
r(config)# ip nat inside source static 192.168.0.10 <your public ip>
!--- Static NAT translation for inside local address 192.168.0.10
!--- to inside global address <your public ip>
r(config)# access-list 10 permit 192.168.0.10
r# show ip nat translations
ASKER
Won't that solution PAT all ports to my server? Do I restrict to my range using the ACL then?
Does anyone have an actual working config with a Windows 2003 server running IIS6 and FTP service on the inside for PASSIVE ftp access from the outside?
I can't imagine I'm the only person to need an FTP server behind a Cisco router....
I'd rather not port forward the whole public IP, but if that's the solution, I have no choice.
Have you tried my solution? Why do you say it's not working? That will permit you to access port 21 on your machine from outside.
ASKER
Your solution doesn't completely address the question, though I suspect that it is the answer (I'm surprised there is no definite answer on this).
I ended up port forwarding the entire public ip address ("ip nat inside source static 192.168.0.10 66.x.y.z") and access-list restricting all but the ports I need for passive FTP.
access-list 100 permit tcp any any eq 20
access-list 100 permit tcp any any eq 21
access-list 100 permit tcp any any range 5000 5100
Of course, by port forwarding the entire IP instead of individual protocol/port, I can no longer SSH to the router because it gets port-forwarded to the server.
So, I have a solution, it works, but is ugly as hell. There should be at least one official doc out there "How to configure an FTP server behind a Cisco router".
ASKER CERTIFIED SOLUTION
Force accepted.
Computer101
EE Admin
cisco-rtp-h323-low
appl sip-rtp startport 5000 size 128
appl sip-rtp startport 5100 size 64
Probably something like that. Create a port map and then assign it to PAT using
ip nat inside source list 1 pool A overload portmap NAT-I