Publishing FTP Server behind Cisco 877
adexio asked:
I have a Cisco 877-K9-IPsec router and I am trying to publish an FTP server to make it accessible from the internet.
FTP Server: 10.3.2.230/255.255.0.0 (its gateway is 10.3.2.242)
Cisco 877: 10.3.2.242
The FTP server works fine on the inside network but not from the internet. I have added firewall rules to allow FTP from the outside interface to the inside interface, but no luck.
Any help appreciated!!!
Cheers,
Ron.
Building configuration...
Current configuration : 6728 bytes
!
version 12.4
service config
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router2
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 debugging
enable secret xxx
enable password xxx
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 10
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
!
!
ip tcp synwait-time 10
no ip bootp server
ip name-server 202.146.209.1
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW ftp
no ip ips deny-action ips-interface
!
!
crypto pki trustpoint TP-self-signed-4283823715
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4283823715
revocation-check none
rsakeypair TP-self-signed-4283823715
!
!
crypto pki certificate chain TP-self-signed-4283823715
certificate self-signed 01
xxxx
quit
username xxx privilege 15 secret xxx
!
!
!
!
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
dsl operating-mode itu-dmt
!
interface ATM0.1 point-to-point
description TPG 512 SDSL
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 8/35
ubr 512
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
no cdp enable
!
interface FastEthernet1
shutdown
no cdp enable
!
interface FastEthernet2
shutdown
no cdp enable
!
interface FastEthernet3
shutdown
no cdp enable
!
interface Vlan1
description $FW_INSIDE$
ip address 10.3.2.242 255.255.0.0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
interface Dialer0
description PeopleTelecom Internet Network $FW_OUTSIDE$
ip address negotiated
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxx
ppp chap password xxx
ppp pap sent-username xxx password xxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.3.2.230 21 interface Dialer0 21
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.3.0.0 0.0.255.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 10.3.0.0 0.0.255.255
access-list 2 deny any
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 10.3.0.0 0.0.255.255 any
access-list 100 deny ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit udp host 202.146.209.1 eq domain any
access-list 102 remark FTP Server
access-list 102 permit tcp any eq ftp host 10.3.2.230 log
access-list 102 deny ip 10.3.0.0 0.0.255.255 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
route-map clear-df permit 10
match ip address 5
set ip df 0
!
!
control-plane
!
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
access-class 100 in
password xxx
login local
transport input telnet
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
no process cpu extended
no process cpu autoprofile hog
end
route inside 10.3.2.230 255.255.0.0 Dialer0 1
ASKER
Hi Rick,
I am new to this so can you please help me identify where to put this route? I tried to add it via the SDM but is says "Inconsistent address and mask".
Cheers,
Ron
I would telnet to the CLI (Command Line Interface). Enable, configure terminal, add the line, exit, write memory.
Add it from the CLI with ip route 10.3.2.230 255.255.0.0 Dialer0
I am checking into this further; if someone else can assist, please do. I am more familiar with the Cisco PIX and the ASA appliances than the routers and I don't want to give you an incorrect answer. Basically we need to tell the router that any FTP traffic that shows up on the outside interface needs to be routed to 10.3.2.230. I am just unsure of the format. You have allowed it with the access list, but I think you also have to show it where it is.
You can try 866-562-7219.
Sorry, entered that in the wrong question.
ASKER
Hi Rick,
The 877 doesn't seem to like this:
Router2(config)#ip nat inside source static tcp 10.3.2.230 ftp interface Dialer0
^
% Invalid input detected at '^' marker.
Cheers,
Ron.
ASKER
Ahhh... got it working for Active FTP by fixing an ACL.
Any idea on how to get it to work with Passive FTP?
Cheers,
Ron.
ASKER
Hi itsManoj,
When I try to add access-list 102 permit tcp any gt 1024 <ftp> established I get the following error:
% Invalid input detected at '^' marker.
The marker is under the < of <ftp>
ASKER
Looks like I'll have to go to Cisco with this one. Thanks for your help, rickhobbs and itsManoj!!
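The ACL fix the thread reaches for active mode, and the usual way to handle passive mode on this platform, as an added example that is not part of the original thread or of Cisco's documentation. It assumes the configuration posted in the question (Vlan1 inside, Dialer0 outside with a negotiated address, FTP server 10.3.2.230, IOS 12.4 with CBAC and NAT); the ACL sequence numbers and the passive port range 50000-50003 are assumptions. Two things in the posted ACL 102 entry stop the control channel: `eq ftp` placed after the source keyword tests the client's source port rather than the server's destination port, and an inbound ACL on the outside interface is evaluated before outside-to-inside NAT, so the destination it sees is the public address, not 10.3.2.230. The static route suggested earlier is not needed, because 10.3.2.230 is on the directly connected Vlan1 network, and the `ftp` keyword is rejected in the static NAT line because that command takes numeric ports.

```cisco
! Added example, not from the original thread. Assumes the posted config:
! Vlan1 = inside (10.3.0.0/16), Dialer0 = outside (negotiated address),
! FTP server 10.3.2.230, IOS 12.4 with CBAC (ip inspect) and NAT.
! Sequence numbers 20/21 and the passive range 50000-50003 are assumptions.
!
! Control-channel port mapping (already in the posted config). The port
! must be numeric; "ftp" is rejected here. No static route is needed,
! 10.3.2.230 is on the directly connected Vlan1 network.
ip nat inside source static tcp 10.3.2.230 21 interface Dialer0 21
!
! Control channel. The posted entry
!   access-list 102 permit tcp any eq ftp host 10.3.2.230 log
! never matches: "eq ftp" after the source tests the client's SOURCE port,
! and the inbound ACL on Dialer0 runs before outside-to-inside NAT, so the
! destination is still the public (negotiated) address, not 10.3.2.230.
! Match the destination port and leave the destination address open,
! because the public address is not fixed. Sequence 20 is assumed to be
! the original entry's slot; check with "show access-lists 102".
ip access-list extended 102
 no permit tcp any eq ftp host 10.3.2.230 log
 20 permit tcp any any eq ftp
!
! Active mode now works with the rest of the posted config: the server
! opens the data connection from port 20, it is PAT'd by
! "ip nat inside source list 1 interface Dialer0 overload", and
! "ip inspect SDM_LOW out" on Dialer0 lets the replies back in.
!
! Passive mode: the server announces an ephemeral port in its 227 reply
! and the client opens a second inbound connection to it. Inspect the
! inbound control session too, so CBAC opens that port in ACL 102 for the
! life of the session; the IOS NAT FTP ALG on port 21 rewrites the inside
! address in the 227 reply and translates the data port.
interface Dialer0
 ip inspect SDM_LOW in
!
! Fallback when the data channel cannot be inspected (e.g. FTPS, where the
! 227 reply is encrypted): pin the server's passive range to a few ports
! (a server-side setting, 50000-50003 assumed), permit the range and map
! each port statically. Keep it small; every entry is a permanent hole
! from the Internet to the server.
ip access-list extended 102
 21 permit tcp any any range 50000 50003
ip nat inside source static tcp 10.3.2.230 50000 interface Dialer0 50000
ip nat inside source static tcp 10.3.2.230 50001 interface Dialer0 50001
ip nat inside source static tcp 10.3.2.230 50002 interface Dialer0 50002
ip nat inside source static tcp 10.3.2.230 50003 interface Dialer0 50003
!
! Verify from an outside host while a transfer is running:
!   show access-lists 102       hit counts on the new permit entries
!   show ip nat translations    static entries plus the data-channel entry
!   show ip inspect sessions    the inspected control session
```

The `log` keyword is dropped from the permit entry; hit counts from `show access-lists 102` are enough to confirm the match, and a syslog line per new flow on an Internet-facing permit is noise. Two caveats: `permit tcp any any eq ftp` also matches port 21 aimed at the router's own address, which only matters if the static mapping is later removed, so keep the two lines together; and FTP carries credentials and data in clear text across the Internet. If the server is moved to FTPS, neither CBAC nor the NAT ALG can read the 227 reply, so only the pinned-range fallback applies, and the server then has to advertise the public address itself, which is impractical with a negotiated address.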
Hi Adexio,
I am having the same problem with the same router... I have tried the solution provided by rickhobbs but get the same invalid input error... What did you do to the ACL to get Active FTP working?
I have done the translations for port 20 and 21... Everything works fine inside my network, and I can also telnet into my FTP site from outside my network on port 21.
ASKER
Hi,
It was proving too hard to get it to work reliably, so I changed out the Cisco for another device. Sorry I cannot be of any further help!
Cheers,
Ron.