Cisco router with FTP server on the inside

What's the best way to configure an internal FTP server behind a Cisco router (850 with DSL connection).

I'm assuming it'll be PASV, so I need a port range (I don't want all ports > 1023).

I assume I have to use PAT, and forward 21/tcp, 20/tcp and the PASV range (say, 5000 - 5100).  How do I PAT that range?

e0 (inside) -
di0 (outside) - single static public IP.
FTP server (inside)

ip nat inside source static tcp 21 interface di0 21
ip nat inside source static tcp 20 interface di0 20
ip nat inside source static tcp [5000 - 5100] interface di0 [5000 - 5100]

Then, of course, I need the acl to permit those ports on the di0 interface (incoming), which is easier with "permit tcp any any range 5000 5100"

I can't find this anywhere!?

ip nat portmap NAT-I
 appl sip-rtp startport 5000 size 128
 appl sip-rtp startport 5100 size 64

Probably something like that. Create a port map and then assign it to PAT using
ip nat inside source list 1 pool A overload portmap NAT-I

snowdog_2112Author Commented:
Your example seems to refer to rtp, sip, and h.323 rather than FTP.

Do I do the same sort of thing for FTP?

Is there a doc somewhere that details how to configure an internal ftp server behind a cisco?
Yes, you do the same thing for FTP. That's just the example Cisco gives in the command reference. Configuring the FTP server is going to depend on what type of FTP server it is. Is it Linux, Microsoft or third party running on XP or something?

snowdog_2112Author Commented:
MS 2003 server (IIS6).  I can limit the pasv ports as mentioned, so I didn't think that mattered from the router's perspective.

Why is there no example to configure an FTP server?  I'd think that's more common (at this point) than VoIP configs.

I'll wait for your response and then give you the points.  (I'll try to test that meantime).

snowdog_2112Author Commented:
I've got no "ip nat portmap" command available in any of the routers I've looked at (850, 2811).

Hate to ask, but can you be a little more specific?  Or point me to the doc where this is detailed?  Better yet, some doc that details how the heck to configure simple ol' FTP behind a Cisco router.

cedarghostCommented: that's the Cisco doc.
That's an EXCELLENT article on setting up Microsoft FTP servers.
As far as configuring the server to run behind the router, all you have to do is create a Static NAT statement to map the public IP you are going to use to access the FTP server to the private ip of the server. The next step would be to create an access list to specify who can and can't use the server. I re-read your original question and I see you were just wanting to know how to basically set it up? Is this correct?
snowdog_2112Author Commented:
I may not have been clear in my original post, but I am looking for help on the router config, not the server.  

The problem seems to be that PORT mode is easier (and preferable) on the server end (just need 20/21), but problematic on the client end.  And PASV is easier on the client end but opens up problems (i.e., ports > 1023) on the server end.  I am on the server end.  I have FTP running on the inside, and can access it from the inside, but not from the outside.  I can get logged on, but not xfer or DIR.  I assume because in PORT mode, I am behind NAT on the outside client, and PASV requires open ports > 1023 (I have reconfigured this to ports 5000 - 5100 on my server).

So...getting back to the original post.  I have a single public IP and I am NAT'ing inside clients on that.  I need to PAT ports 20, 21, and 5000 - 5100 from the public IP to the internal IP of the FTP server, something like

ip nat inside source static tcp [5000 - 5100] int dialer0 [5000 - 5100]

The above command is not syntactically correct, so I need the proper method to accomplish the equivalent of the above statement.
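A check for the symptom described in that post (login works, DIR and transfers do not), added here as an example and not code from the thread or from Cisco. An outside client gets a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply; the data channel only works if the address in it is the router's public IP (whether the server was told its public address or the router's NAT rewrote the reply) and the port is one the router actually forwards. The script parses the reply and reports both problems. Assumed values, not from the thread: the public IP 198.51.100.3 (a documentation address standing in for the 66.x.y.z above) and the 5000-5100 range; the three 227 replies are constructed.

```python
"""Check a passive-FTP 227 reply the way an outside client sees it.

Added example, not from the original thread.  The sample replies below are
constructed; 198.51.100.3 is a documentation address used as the public IP.
"""
import ipaddress
import re
from ftplib import FTP

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (ip, port) advertised in a PASV reply; raise ValueError if it is not one."""
    m = PASV_RE.search(reply.strip())
    if m is None:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"byte out of range in PASV reply: {reply!r}")
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]  # p1 is the high byte, p2 the low byte
    return ip, port


def pasv_problems(reply, public_ip, pasv_first, pasv_last):
    """List what would stop an outside client from opening the data channel."""
    ip, port = parse_pasv(reply)
    problems = []
    if ip != public_ip:
        if ipaddress.ip_address(ip).is_private:
            problems.append(
                f"advertises private address {ip}: the 227 reply was not rewritten for the outside"
            )
        else:
            problems.append(f"advertises {ip}, expected the public IP {public_ip}")
    if not pasv_first <= port <= pasv_last:
        problems.append(
            f"data port {port} is outside the forwarded range {pasv_first}-{pasv_last}"
        )
    return problems


def live_pasv_reply(host, user="anonymous", passwd="", timeout=10):
    """Log in from an outside client and return the raw PASV reply (not called below)."""
    with FTP(host, timeout=timeout) as ftp:
        ftp.login(user, passwd)
        # The server allocates a listening port; we only read the reply, never connect to it.
        return ftp.sendcmd("PASV")


PUBLIC_IP = "198.51.100.3"  # assumed public IP (documentation address)
PASV_RANGE = (5000, 5100)   # the range the thread forwards
SAMPLES = {  # constructed replies, as a client would receive them
    "ok": "227 Entering Passive Mode (198,51,100,3,19,136)",        # 19*256+136 = 5000
    "leaked": "227 Entering Passive Mode (192,168,1,10,19,136)",    # private IP in the reply
    "badport": "227 Entering Passive Mode (198,51,100,3,200,1)",    # 200*256+1 = 51201
}


def check_samples():
    """Run the check over the constructed samples; returns {name: [problems]}."""
    return {name: pasv_problems(r, PUBLIC_IP, *PASV_RANGE) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, problems in check_samples().items():
        print(name, "->", problems or "data channel should work")
```

To test a real server, call live_pasv_reply() from a host that is actually outside the router and feed the returned string to pasv_problems(); running it from the inside proves nothing, because the inside client sees the private address and can reach it directly.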

In case you are looking for the syntax.


ip nat inside source {list {access-list-number |name} {pool name | interface dialer-name} [overload] | static local-ip global-ip}

no ip nat inside source {list {access-list-number | name}{pool name | interface dialer-name} [overload] | static local-ip global-ip}

Syntax Description:

list access-list-number
 Standard IP access list number. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.
list name
 Name of a standard IP access list. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.
pool name
 Name of the pool from which global IP addresses are allocated dynamically.
interface dialer-name
 Name of the dialer interface on which the PPP/IPCP address negotiation takes place.
overload
 (Optional) Enables the router to use one global address for many local addresses. When overloading is configured, each inside host's TCP or UDP port number distinguishes between the multiple conversations using the same local IP address.
static local-ip
 Sets up a single static translation. This argument establishes the local IP address assigned to a host on the inside network. The address could be randomly chosen, allocated from RFC 1918, or obsolete.
global-ip
 Sets up a single static translation. This argument establishes the globally unique IP address of an inside host as it appears to the outside world.

Try this.

r(config)# interface e0
r(config-if)# ip nat inside
r(config)# interface Dialer 0
r(config-if)# ip nat outside

! FTP ALG on port 21 (or your FTP port) for the server matched by list 10
r(config)# ip nat service list 10 ftp tcp port 21
r(config)# ip nat inside source static <server inside ip> <your public ip>

!--- Static NAT translation for inside local address <server inside ip>
!--- to inside global address <your public ip>

r(config)# access-list 10 permit host <server inside ip>

r# show ip nat translations

snowdog_2112Author Commented:
Won't that solution PAT all ports to my server?  Do I restrict to my range using the ACL then?

Does anyone have an actual working config with a Windows 2003 server running IIS6 and FTP service on the inside for PASSIVE ftp access from the outside?

I can't imagine I'm the only person to need an FTP server behind a Cisco router....

I'd rather not port forward the whole public IP, but if that's the solution, I have no choice.
Have you tried my solution ? Why do you say it's not working? That will permit you to access port 21 on your machine from outside.
snowdog_2112Author Commented:
Your solution doesn't completely address the question, though I suspect that it is the answer (I'm surprised there is no definite answer on this).

I ended up port forwarding the entire public ip address ("ip nat inside source static 66.x.y.z") and access-list restricting all but the ports I need for passive FTP.

access-list 100 permit tcp any any eq 20
access-list 100 permit tcp any any eq 21
access-list 100 permit tcp any any range 5000 5100

Of course, by port forwarding the entire IP instead of individual protocol/port, I can no longer SSH to the router because it gets port-forwarded to the server.

So, I have a solution, it works, but is ugly as hell.  There should be at least one official doc out there "How to configure an FTP server behind a Cisco router".
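The "how do I PAT that range" question has a plain answer: ip nat inside source static tcp takes one port per line and has no range form, so the passive range gets one entry per port. Forwarding individual ports rather than the whole public IP is what keeps SSH (and everything else not listed) on the router itself, which is the ugliness complained about above. The generator below, added here as an example and not code from the thread or from Cisco, emits those lines plus the matching ACL and interface bindings. Assumed values, none from the thread: inside server 192.168.1.10, inside interface Ethernet0, outside interface Dialer0, passive range 5000-5100, ACL 100.

```python
"""Cisco IOS config generator for a passive-FTP server behind one public IP.

Added example, not from the original thread.  Assumptions (not from the
post): server 192.168.1.10, inside Ethernet0, outside Dialer0, passive
range 5000-5100, ACL 100.

'ip nat inside source static tcp' has no port-range keyword, so the passive
range is enumerated one port per line.  Per-port entries leave every other
port on the router's own public IP, which the whole-address
'ip nat inside source static <inside> <public>' mapping does not.
"""

PORT_CMD = "ip nat inside source static tcp {inside} {port} interface {outside} {port}"


def pasv_ports(first, last):
    """Validate and return the passive data-port range (must sit above 1023)."""
    if not (1024 <= first <= last <= 65535):
        raise ValueError("passive range must be ordered and within 1024-65535")
    return list(range(first, last + 1))


def ftp_nat_config(inside_ip, inside_if="Ethernet0", outside_if="Dialer0",
                   pasv_first=5000, pasv_last=5100, acl=100):
    """Return the IOS lines as a list: NAT entries, ACL, interface bindings.

    Only 21 and the passive range are forwarded inbound.  TCP/20 is the
    source port of active-mode data connections the *server* opens outward,
    so it needs no inbound translation.
    """
    lines = ["! control channel and passive data ports, one static PAT entry each"]
    for port in [21] + pasv_ports(pasv_first, pasv_last):
        lines.append(PORT_CMD.format(inside=inside_ip, port=port, outside=outside_if))
    lines += [
        "! inbound filter on the outside interface",
        # replies to sessions the router and inside hosts opened outward
        f"access-list {acl} permit tcp any any established",
        f"access-list {acl} permit tcp any any eq 21",
        f"access-list {acl} permit tcp any any range {pasv_first} {pasv_last}",
        "! add UDP reply rules (DNS, NTP) or use 'ip inspect' before relying on the implicit deny",
        f"interface {inside_if}",
        " ip nat inside",
        f"interface {outside_if}",
        " ip nat outside",
        f" ip access-group {acl} in",
    ]
    return lines


if __name__ == "__main__":
    print("\n".join(ftp_nat_config("192.168.1.10")))
```

The existing overload statement for inside clients (ip nat inside source list ... interface Dialer0 overload) stays as it is; the static entries only claim the listed ports. Keep the passive range as small as the server's concurrent transfers need, since each port is a config line and an exposed listener, and remember that an inbound ACL on Dialer0 ends in an implicit deny, so without the established line (or CBAC) the router's own outbound sessions break.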

Force accepted.
EE Admin