Cisco IOS: Can't get Passive FTP opened through PAT/ACL

Hi -

For some time, I've had a fully functional FTP site running on IIS 6.0, accessed through a router running IOS 12.4.  The one complication is that the internet connection is dynamically addressed PPPoE ADSL.  I've limited the high passive ports to 31000-31200. The successful IOS code for this is:

----------------------------------------------------------------
ip nat inside source static tcp 192.168.1.50 21 interface Dialer1 21
ip nat inside source route-map FTP interface Dialer1 overload

ip access-list extended ftp-pasv
 permit tcp any host 192.168.1.50 range 31000 31200

ip access-list extended internet
 permit tcp any any established
 permit tcp any any eq ftp
 permit tcp any any range 31000 31200
 etc...

route-map FTP permit 10
 match ip address ftp-pasv
-----------------------------------------------------


Now the trick is that I need to set up a second FTP site on the same server that I've configured to listen on port 8021, and also use 31000 - 31200 for the high passive ports.

It seems to me that all I should need to add in IOS is this:

ip nat inside source static tcp 192.168.1.50 8021 interface Dialer1 21
ip access-list extended internet
 permit tcp any any eq 8021

This doesn't work, though. The original site listening on 21 is still accessible from outside, but the new site listening on 8021 is not.  Both sites work from inside the local LAN.

When I access the 8021 site from outside, I can hit port 8021 (and get prompted for login credentials), but no data connections are ever made on the high ports.  I can verify this from both the client and the server using netstat (connection on 8021, but not high port).

I must be missing something obvious here.  Any ideas?


Thanks!
noahisaac Asked:

JFrederick29 Commented:
Try adding this:

ip access-list extended ftp-pasv
 permit tcp any host 192.168.1.x range 31000 31200  <--where 192.168.1.x is the new server
 
noahisaac (Author) Commented:
Hi JFrederick29 -

Sorry, I had not indicated on the original question.  This is on the same server.


Thanks!
 
noahisaac (Author) Commented:
Also, I noticed I typed this incorrectly:

ip nat inside source static tcp 192.168.1.50 8021 interface Dialer1 21

It should read:

ip nat inside source static tcp 192.168.1.50 8021 interface Dialer1 8021

(this is what's in this router that doesn't work).


Thanks!
 
JFrederick29 Commented:
Ahh, okay.  If it is the same server, why the different port?
 
JFrederick29 Commented:
Ahh, okay, never mind again.  That was my next question :)
 
JFrederick29 Commented:
I wonder if there is some inspection taking place that looks in the payload of the port 21 FTP connection which isn't taking place with 8021.  Do you have the IOS Firewall running on this router by chance?
 
noahisaac (Author) Commented:
> I wonder if there is some inspection taking place that looks in the payload of the port 21 FTP
> connection which isn't taking place with 8021.  Do you have the IOS Firewall running on this
> router by chance?

No, IOS firewall is off, and I'm not using any "ip inspect" statements.  

If I look at "show ip nat trans" for sessions to the 8021 site from both inside and outside the lan, they look the same.  I'm confused!
 
JFrederick29 Commented:
There is still some NAT awareness by default.

Can you assign a virtual IP to the 8021 FTP site?

If you do that, you can then use the following which I think will resolve the issue.

ip nat service list 10 ftp tcp port 8021
access-list 10 permit 192.168.0.x    <--virtual IP of 8021 site

You can try using the 192.168.0.50 address but I'm not sure if it will ignore the 21 FTP connection at that point and break the working site (hence the new IP for the 8021 site).

You would then need to update your NAT appropriately using the new IP:

no ip nat inside source static tcp 192.168.1.50 8021 interface Dialer1 8021
ip nat inside source static tcp 192.168.1.x 8021 interface Dialer1 8021
 
JFrederick29 Commented:
No need for second IP:

This should work:

ip nat service list 10 ftp tcp port 8021
ip nat service list 10 ftp tcp port 21
access-list 10 permit 192.168.0.50

This allows both 21 and 8021 from the same IP.
 
noahisaac (Author) Commented:
Hi JFrederick29 -

Thanks for all the assistance!  Unfortunately, neither of these possibilities worked.  In both cases, the result was the same (connection on 8021, but no connection on high port).  Maybe this 871W router doesn't support the "ip nat service list" feature?


Thanks!
 
JFrederick29 Commented:
Hmm.  It should, it was added in 12.3 something I am pretty sure.

Can you post the pertinent NAT config and access-list again?
 
noahisaac (Author) Commented:
I've got it configured for the multiple IP option right now.  The relevant portions of the config are:

ip nat service list 10 ftp tcp port 8021
ip nat inside source static tcp 192.168.1.55 8021 interface Dialer1 8021
ip nat inside source static tcp 192.168.1.50 21 interface Dialer1 21
ip nat inside source static tcp 192.168.1.50 20 interface Dialer1 20
ip nat inside source route-map FTP interface Dialer1 overload

ip access-list extended ftp-pasv
 permit tcp any host 192.168.1.50 range 31000 31200
 permit tcp any host 192.168.1.55 range 31000 31200

route-map FTP permit 10
 match ip address ftp-pasv

ip access-list extended internet
 permit tcp any any established
 permit tcp any any eq ftp
 permit tcp any any eq 8021
 permit tcp any any range 31000 31200

access-list 10 permit 192.168.1.55
 
JFrederick29 Commented:
Try this for grins:

conf t
ip access-list extended ftp-pasv
no permit tcp any host 192.168.1.55 range 31000 31200

ip nat inside source static tcp 192.168.1.55 31500 interface Dialer1 31500
ip nat inside source static tcp 192.168.1.55 31501 interface Dialer1 31501
ip nat inside source static tcp 192.168.1.55 31502 interface Dialer1 31502
ip nat inside source static tcp 192.168.1.55 31503 interface Dialer1 31503
ip nat inside source static tcp 192.168.1.55 31504 interface Dialer1 31504
ip nat inside source static tcp 192.168.1.55 31505 interface Dialer1 31505

ip access-list extended internet
permit tcp any any range 31500 31505

Then change the passive range on the 8021 FTP site to 31500 through 31505.
 
noahisaac (Author) Commented:
Unfortunately, I don't think I can change IIS to use one port range on one ftp site and a different port range on a second ftp site.  The passive port range settings are system-wide.  

I'm sorta coming up blank right now. I'll keep messing around with this, though.  

Thanks again for all your help, JFrederick29!
 
noahisaac (Author) Commented:
Hi Jfrederick29 -

Sorry, this is a very old thread now.  This was basically it.  In other words, IOS wasn't natting the second port range (defined by acl) as it had done with the first.  I had to explicitly create NAT statements for each port number.  Kind of annoying.  Maybe I can convince this client to get a block of static IPs so we can avoid this kind of garbage in the future.

Thanks!
Noah
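
Both the "for grins" suggestion (six `ip nat inside source static tcp` lines for 31500-31505) and the final resolution (one static statement per passive port) come down to hand-writing one translation line per port, which for 31000-31200 is 201 lines. The generator below is an added example, not code from this thread or from Cisco; it emits those lines plus the matching ACL entry and refuses ranges that would expose well-known ports. The inside address 192.168.1.55, interface Dialer1 and the ranges are taken from the thread; the ACL name `internet` is the thread's own. A static entry for a given outside port can point at only one inside host, which is why the second site needed its own inside address before this approach could work.

```python
# Constructed defaults, matching the thread's numbers for the 8021 site.
INSIDE_IP = "192.168.1.55"
OUTSIDE_IF = "Dialer1"
PASSIVE_RANGE = (31000, 31200)


def validate_range(port_lo, port_hi):
    """Return a list of problems with a passive range; an empty list means acceptable."""
    problems = []
    if not (1 <= port_lo <= 65535 and 1 <= port_hi <= 65535):
        problems.append("ports must be within 1-65535")
    if port_lo > port_hi:
        problems.append("low port is above high port")
    if port_lo < 1024:
        # Every static entry is a permanent inbound mapping on the public
        # address, so a range that reaches into well-known ports is refused.
        problems.append("range overlaps well-known ports (below 1024)")
    return problems


def static_nat_lines(inside_ip, port_lo, port_hi, outside_if=OUTSIDE_IF):
    """One static TCP translation per passive port, same port number inside and out."""
    problems = validate_range(port_lo, port_hi)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        f"ip nat inside source static tcp {inside_ip} {port} interface {outside_if} {port}"
        for port in range(port_lo, port_hi + 1)
    ]


def acl_lines(acl_name, port_lo, port_hi):
    """The inbound ACL entry that must accompany the translations."""
    return [
        f"ip access-list extended {acl_name}",
        f" permit tcp any any range {port_lo} {port_hi}",
    ]


def render_config(inside_ip, port_lo, port_hi, outside_if=OUTSIDE_IF, acl_name="internet"):
    """Full snippet to paste in config mode, headed by a comment with the entry count."""
    nat = static_nat_lines(inside_ip, port_lo, port_hi, outside_if)
    header = [f"! {len(nat)} static translations for {inside_ip} ports {port_lo}-{port_hi}"]
    return "\n".join(header + nat + [""] + acl_lines(acl_name, port_lo, port_hi))


if __name__ == "__main__":
    print(render_config(INSIDE_IP, *PASSIVE_RANGE))
```

The entry count in the header is worth reading before pasting: each line is a standing inbound mapping that stays on the Dialer interface regardless of whether the FTP service is up, so the passive range should be kept as small as the server allows, and the ACL line, not the translations, is what decides who may reach it.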
