adexio (Australia) asked:
Publishing FTP Server behind Cisco 877

I have a Cisco 877-K9-IPsec router and I am trying to publish an FTP server to make it accessible from the internet.

FTP Server: 10.3.2.230/255.255.0.0 (its gateway is 10.3.2.242)
Cisco 877: 10.3.2.242

FTP Server works fine on the inside network but not from the internet. I have added firewall rules to allow FTP from the outside interface to the inside interface but no luck.

Any help appreciated!!!

Cheers,
Ron.


Building configuration...

Current configuration : 6728 bytes
!
version 12.4
service config
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router2
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 debugging
enable secret xxx
enable password xxx
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 10
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
!
!
ip tcp synwait-time 10
no ip bootp server
ip name-server 202.146.209.1
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW ftp
no ip ips deny-action ips-interface
!
!
crypto pki trustpoint TP-self-signed-4283823715
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4283823715
 revocation-check none
 rsakeypair TP-self-signed-4283823715
!
!
crypto pki certificate chain TP-self-signed-4283823715
 certificate self-signed 01
xxxx
  quit
username xxx privilege 15 secret xxx
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode itu-dmt
!
interface ATM0.1 point-to-point
 description TPG 512 SDSL
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pvc 8/35
  ubr 512
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 no cdp enable
!
interface FastEthernet1
 shutdown
 no cdp enable
!
interface FastEthernet2
 shutdown
 no cdp enable
!
interface FastEthernet3
 shutdown
 no cdp enable
!
interface Vlan1
 description $FW_INSIDE$
 ip address 10.3.2.242 255.255.0.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
interface Dialer0
 description PeopleTelecom Internet Network $FW_OUTSIDE$
 ip address negotiated
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxx
 ppp chap password xxx
 ppp pap sent-username xxx password xxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.3.2.230 21 interface Dialer0 21
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.3.0.0 0.0.255.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 10.3.0.0 0.0.255.255
access-list 2 deny   any
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 10.3.0.0 0.0.255.255 any
access-list 100 deny   ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit udp host 202.146.209.1 eq domain any
access-list 102 remark FTP Server
access-list 102 permit tcp any eq ftp host 10.3.2.230 log
access-list 102 deny   ip 10.3.0.0 0.0.255.255 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
route-map clear-df permit 10
 match ip address 5
 set ip df 0
!
!
control-plane
!
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 access-class 100 in
 password xxx
 login local
 transport input telnet
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
no process cpu extended
no process cpu autoprofile hog
end
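An added note on the posted configuration, not part of the original thread. The rule meant to admit FTP, "access-list 102 permit tcp any eq ftp host 10.3.2.230 log", has two problems. It matches packets whose source port is 21 rather than packets sent to port 21, and it names the inside address 10.3.2.230, while an inbound ACL on an IOS outside interface is evaluated before outside-to-inside NAT, so at that point the destination is still the public address negotiated on Dialer0. Every client SYN to the FTP server therefore falls through to "deny ip any any log". No extra route is needed: 10.3.2.230 is on the directly connected Vlan1 subnet, and the static translation already in the config is what steers port 21 to it. The replacement below, written for this thread rather than taken from it, edits the numbered list in named-ACL mode so that one entry can be swapped without discarding the list (in classic IOS, "no access-list 102 ..." followed by an entry removes all of ACL 102). Sequence number 20 assumes the router's default 10-step numbering of the posted entries; confirm it with "show access-list 102" first.

```cisco
! Added example for this thread, not from the original post.
! Replace the FTP entry in ACL 102 (applied inbound on Dialer0) so that it
! matches the DESTINATION port and the pre-NAT (public) destination address.
! The public address is negotiated, so the destination is left as "any";
! substitute the address if the ISP assigns a fixed one.
ip access-list extended 102
 no permit tcp any eq ftp host 10.3.2.230 log
 20 permit tcp any any eq ftp log
exit
!
! The static translation from the posted config is unchanged; it is what
! forwards port 21 on the Dialer0 address to the server.
ip nat inside source static tcp 10.3.2.230 21 interface Dialer0 21
```

After applying this, a connection from outside should increment the match counter on the new entry in "show access-list 102" and show a port-21 entry in "show ip nat translations". This change alone covers the control channel and active-mode transfers, where the server opens the data connection outward; passive mode needs its own translations and ACL entries, because there the client also opens the data connection.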

Rick Hobbs (United States of America):

route inside 10.3.2.230 255.255.0.0 Dialer0 1
adexio (asker):
Hi Rick,

I am new to this so can you please help me identify where to put this route?  I tried to add it via the SDM but is says "Inconsistent address and mask".

Cheers,
Ron
I would telnet to the CLI (Command Line Interface).  Enable, configure terminal, add the line, exit, write memory.
Add it from the CLI with ip route 10.3.2.230 255.255.0.0 Dialer0
I am checking into this further. If someone else can assist, please do. I am more familiar with the Cisco PIX and the ASA appliances than the routers and I don't want to give you an incorrect answer. Basically we need to tell the router that any FTP traffic that shows up on the outside interface needs to be routed to 10.3.2.230. I am just unsure of the format. You have allowed it with the access list, but I think you also have to show it where it is.
ASKER CERTIFIED SOLUTION
Rick Hobbs (United States of America)
[solution text only available to Experts Exchange members]
You can try 866-562-7219.
Sorry, entered that in the wrong question.
adexio (asker):
Hi Rick,

The 877 doesn't seem to like this:

Router2(config)#ip nat inside source static tcp 10.3.2.230 ftp interface Dialer0
                                                           ^
% Invalid input detected at '^' marker.

Cheers,
Ron.
adexio (asker):
Ahhh... got it working for Active FTP by fixing an ACL.

Any idea on how to get it to work with Passive FTP?

Cheers,
Ron.
SOLUTION
[solution text only available to Experts Exchange members]
adexio (asker):
Hi itsManoj,

When I try to add access-list 102 permit tcp any gt 1024 <ftp> established I get the following error:

% Invalid input detected at '^' marker.

The marker is under the < of <ftp>
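Added example, not from the thread, for the passive-mode question above and the "established" line the router rejected. In passive mode the server answers PASV with its own address and a high port, and the client then opens a second connection to that port from the internet. Nothing in the posted configuration admits that connection: only port 21 is translated, ACL 102 ends in "deny ip any any log", and "ip inspect SDM_LOW out" on Dialer0 only tracks sessions that start from the inside. Active mode works because the server opens the data connection, it leaves through the overload translation, and no outbound ACL stops it. The "established" keyword on an IOS extended ACL matches only segments with the ACK or RST bit set, so it would never admit the client's SYN to the data port; the "<ftp>" placeholder itself is what the parser rejected. The predictable fix is to pin the server's passive port range and publish it the same way as port 21. The range 50000 to 50004 is a hypothetical choice for this example; the FTP server must be configured to use the same range. The PASV reply still carries 10.3.2.230, and IOS NAT's FTP ALG rewrites it to the Dialer0 address on the translated port-21 session; a packet capture on the outside will confirm that if transfers still hang.

```cisco
! Added example for this thread, not from the original post. Assumes the FTP
! server is set to a fixed passive port range of 50000-50004 (hypothetical).
! IOS static port translation has no range form, so one line per port.
ip nat inside source static tcp 10.3.2.230 50000 interface Dialer0 50000
ip nat inside source static tcp 10.3.2.230 50001 interface Dialer0 50001
ip nat inside source static tcp 10.3.2.230 50002 interface Dialer0 50002
ip nat inside source static tcp 10.3.2.230 50003 interface Dialer0 50003
ip nat inside source static tcp 10.3.2.230 50004 interface Dialer0 50004
!
! Admit the client's data connections on the inbound ACL of Dialer0, placed
! before the final "deny ip any any log". Sequence 25 assumes the default
! 10-step numbering of the posted entries; check "show access-list 102".
ip access-list extended 102
 25 permit tcp any any range 50000 50004
exit
```

Keep the range small and identical to what the server is configured to announce, since every port in it is now reachable from the internet. During a passive directory listing from outside, the match counter on entry 25 in "show access-list 102" should increase and "show ip nat translations" should list a data port next to the port-21 translation; if the control channel works but the listing hangs, the server is announcing a port outside the published range.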
adexio (asker):
Looks like I'll have to go to Cisco with this one.  Thanks for your help rickhobbs and itsManoj!!
Hi Adexio,

I am having the same problem with the same router... I have tried the solution provided by rickhobbs but get the same invalid input error... what did you do to the ACL to get Active FTP working?

I have done the translations for port 20 and 21... everything works fine inside my network, and I can also telnet into my FTP site from outside my network on port 21.
adexio (asker):
Hi,

It was proving too hard to get it to work reliably so I changed out the Cisco for another device. Sorry I cannot be of any further help!

Cheers,
Ron.