Cisco router with FTP server on the inside

Posted on 2008-01-31
Last Modified: 2012-05-05
What's the best way to configure an internal FTP server behind a Cisco router (850 with DSL connection).

I'm assuming it'll be PASV, so I need a port range (I don't want all ports > 1023).

I assume I have to use PAT, and forward 21/tcp, 20/tcp and the PASV range (say, 5000 - 5100).  How do I PAT that range?

e0 (inside) -
di0 (outside) - single static public IP.
FTP server (inside)

ip nat inside source static tcp 21 interface di0 21
ip nat inside source static tcp 20 interface di0 20
ip nat inside source static tcp [5000 - 5100] interface di0 [5000 - 5100]

Then, of course, I need the acl to permit those ports on the di0 interface (incoming), which is easier with "permit tcp any any range 5000 5100"

i can't find this anywhere!?!?
Question by:snowdog_2112

Expert Comment

ID: 20787788
ip nat portmap NAT-I
 appl sip-rtp startport 5000 size 128
 appl sip-rtp startport 5100 size 64
Probably something like that. Create a port map and then assign it to PAT using
ip nat inside source list 1 pool A overload portmap NAT-I


Author Comment

ID: 20787876
Your example seems to refer to rtp, sip, and h.323 rather than FTP.

Do I do the same sort of thing for FTP?

Is there a doc somewhere that details how to configure an internal ftp server behind a cisco?

Expert Comment

ID: 20788052
Yes, you do the same thing for FTP. That's just the example Cisco gives in the command reference. Configuring the FTP server is going to depend on what type of FTP server it is. Is it Linux, Microsoft or third party running on XP or something?

Author Comment

ID: 20788166
MS 2003 server (IIS6).  I can limit the pasv ports as mentioned, so I didn't think that mattered from the router's perspective.

Why is there no example to configure an FTP server?  I'd think that's more common (at this point) than VoIP configs.

I'll wait for your response and then give you the points.  (I'll try to test that meantime).


Author Comment

ID: 20788316
I've got no "ip nat portmap" command available in any of the routers I've looked at (850, 2811).

Hate to ask, but can you be a little more specific?  Or point me to the doc where this is detailed?  Better yet, some doc that details how the heck to configure simple ol' FTP behind a Cisco router.


Expert Comment

ID: 20788429
http://www.cisco.com/en/US/products/ps6441/products_configuration_guide_chapter09186a00807d416a.html that's the Cisco doc.
That's an EXCELLENT article on setting up Microsoft FTP servers.
As far as configuring the server to run behind the router, all you have to do is create a Static NAT statement to map the public IP you are going to use to access the FTP server to the private ip of the server. The next step would be to create an access list to specify who can and can't use the server. I re-read your original question and I see you were just wanting to know how to basically set it up? Is this correct?

Author Comment

ID: 20788591
I may not have been clear in my original post, but I am looking for help on the router config, not the server.  

The problem seems to be that PORT mode is easier (and preferable) on the server end (just need 20/21), but problematic on the client end.  And PASV is easier on the client end but opens up problems (i.e., ports > 1023) on the server end.  I am on the server end.  I have FTP running on the inside, and can access it from the inside, but not from the outside.  I can get logged on, but not xfer or DIR.  I assume because in PORT mode, I am behind NAT on the outside client, and PASV requires open ports > 1023 (I have reconfigured this to ports 5000 - 5100 on my server).

So...getting back to the original post.  I have a single public IP and I am NAT'ing inside clients on that.  I need to PAT ports 20, 21, and 5000 - 5100 from the public IP to the internal IP of the FTP server, something like

ip nat inside source static tcp [5000 - 5100] int dialer0 [5000 - 5100]

The above command is not syntactically correct, so I need the proper method to accomplish the equivalent of the above statement.


Expert Comment

ID: 20788653
In case you are looking for the syntax.


ip nat inside source {list {access-list-number |name} {pool name | interface dialer-name} [overload] | static local-ip global-ip}

no ip nat inside source {list {access-list-number | name}{pool name | interface dialer-name} [overload] | static local-ip global-ip}

Syntax Description:

list access-list-number
 Standard IP access list number. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.
list name
 Name of a standard IP access list. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.
pool name
 Name of the pool from which global IP addresses are allocated dynamically.
interface dialer-name
 Name of the dialer interface on which the PPP/IPCP address negotiation takes place.
overload
 (Optional) Enables the router to use one global address for many local addresses. When overloading is configured, each inside host's TCP or UDP port number distinguishes between the multiple conversations using the same local IP address.
static local-ip
 Sets up a single static translation. This argument establishes the local IP address assigned to a host on the inside network. The address could be randomly chosen, allocated from RFC 1918, or obsolete.
global-ip
 Sets up a single static translation. This argument establishes the globally unique IP address of an inside host as it appears to the outside world.

Expert Comment

ID: 20788938

 try this.

r(config)# interface e0
r(config-if)# ip nat inside
r(config)# interface Dialer 0
r(config-if)# ip nat outside

!--- FTP ALG on the server's control port (21 is the default;
!--- list 10 selects the server address)
r(config)# ip nat service list 10 ftp tcp port 21

!--- Static NAT translation (all ports) for inside local address
!--- <server inside ip> to inside global address <your public ip>
r(config)# ip nat inside source static <server inside ip> <your public ip>

r(config)# access-list 10 permit host <server inside ip>

r# show ip nat translations


Author Comment

ID: 20789238
Won't that solution PAT all ports to my server?  Do I restrict to my range using the ACL then?

Does anyone have an actual working config with a Windows 2003 server running IIS6 and FTP service on the inside for PASSIVE ftp access from the outside?

I can't imagine I'm the only person to need an FTP server behind a Cisco router....

I'd rather not port forward the whole public IP, but if that's the solution, I have no choice.

Expert Comment

ID: 20795153
Have you tried my solution ? Why do you say it's not working? That will permit you to access port 21 on your machine from outside.

Author Comment

ID: 20798715
Your solution doesn't completely address the question, though I suspect that it is the answer (I'm surprised there is no definite answer on this).

I ended up port forwarding the entire public ip address ("ip nat inside source static 66.x.y.z") and access-list restricting all but the ports I need for passive FTP.

access-list 100 permit tcp any any eq 20
access-list 100 permit tcp any any eq 21
access-list 100 permit tcp any any range 5000 5100

Of course, by port forwarding the entire IP instead of individual protocol/port, I can no longer SSH to the router because it gets port-forwarded to the server.

So, I have a solution, it works, but is ugly as hell.  There should be at least one official doc out there "How to configure an FTP server behind a Cisco router".
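The per-port translation the original question asked for (L16-L18 style, one entry per port) does exist in IOS; what does not exist in classic IOS is a range form of "ip nat inside source static tcp", so the passive range has to be expanded into one line per port, while the ACL can use "range". The script below is an added example, not part of the thread and not a Cisco tool: it generates the static PAT entries bound to the dialer interface (so they survive a PPPoE re-dial) plus the inbound ACL, using only the control port and the passive range. 20/tcp is left out on purpose: in passive mode the client opens the data connection to the server's passive port, and 20/tcp is only the source port of active-mode data connections, which the server opens outbound. Because only the listed ports are translated, 22/tcp stays with the router, which avoids the SSH problem described above. Interface names, addresses and the port range are constructed placeholders; the "ip nat service list ... ftp tcp port" line follows the syntax shown earlier in the thread and is only emitted for a non-standard control port.

```python
"""Added example (not from the original thread): generate the IOS per-port
static PAT entries and the inbound ACL for a passive-mode FTP server behind
a single dynamic public address on a dialer interface.

All addresses, interface names and port ranges used here are constructed
placeholders for illustration.
"""
import ipaddress


def validate_pasv_range(pasv_range):
    """Check that the passive range is a sane, unprivileged TCP port range."""
    lo, hi = pasv_range
    if not (1024 <= lo <= hi <= 65535):
        raise ValueError(f"passive range {lo}-{hi} must lie within 1024-65535")
    return lo, hi


def static_pat_lines(inside_ip, outside_if, control_port=21, pasv_range=(5000, 5100)):
    """One 'ip nat inside source static tcp' entry per forwarded port.

    The 'interface <outside_if>' form binds the translation to whatever
    address the dialer negotiates. Ports not listed (for example 22/tcp for
    SSH to the router) stay with the router, unlike a whole-address static NAT.
    """
    ipaddress.IPv4Address(inside_ip)  # raises ValueError on a malformed address
    lo, hi = validate_pasv_range(pasv_range)
    ports = [control_port] + list(range(lo, hi + 1))
    return [
        f"ip nat inside source static tcp {inside_ip} {port} interface {outside_if} {port}"
        for port in ports
    ]


def inbound_acl_lines(acl_number, control_port=21, pasv_range=(5000, 5100)):
    """Inbound ACL for the outside interface permitting only the FTP ports.

    Note: an inbound ACL on the outside interface also sees the return
    traffic of sessions that inside clients initiated; permitting that
    (for example with CBAC, 'ip inspect') is not generated here.
    """
    lo, hi = validate_pasv_range(pasv_range)
    return [
        f"access-list {acl_number} remark FTP control channel",
        f"access-list {acl_number} permit tcp any any eq {control_port}",
        f"access-list {acl_number} remark FTP passive data channels (server listens here)",
        f"access-list {acl_number} permit tcp any any range {lo} {hi}",
    ]


def build_config(inside_if, outside_if, inside_ip, acl_number=100, service_acl=10,
                 control_port=21, pasv_range=(5000, 5100)):
    """Assemble a complete IOS snippet for the FTP server translation."""
    lines = [
        f"interface {inside_if}",
        " ip nat inside",
        f"interface {outside_if}",
        " ip nat outside",
        f" ip access-group {acl_number} in",
        "!",
    ]
    # The FTP ALG rewrites the address in the server's "227 Entering Passive
    # Mode" reply. It is on by default for port 21; a non-standard control
    # port must be declared, with a standard ACL selecting the server address
    # (same shape as the 'ip nat service list 10 ftp tcp port' line above).
    if control_port != 21:
        lines.append(f"access-list {service_acl} permit host {inside_ip}")
        lines.append(f"ip nat service list {service_acl} ftp tcp port {control_port}")
        lines.append("!")
    lines += static_pat_lines(inside_ip, outside_if, control_port, pasv_range)
    lines.append("!")
    lines += inbound_acl_lines(acl_number, control_port, pasv_range)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed placeholders: 850-style Ethernet0 inside, Dialer0 outside.
    print(build_config("Ethernet0", "Dialer0", "192.168.1.10"))
```

Keep the passive range as small as the expected number of concurrent transfers allows (IIS lets you set it), both to limit exposed ports and because every port in the range becomes its own NAT entry; a 20-port range is usually plenty for a single server. The generated ACL deliberately carries no entry for port 20.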

Accepted Solution

neos2k1 earned 2000 total points
ID: 20800841

Expert Comment

ID: 20859791
Force accepted.
EE Admin
