Port Forwarding for ftp and web server with cisco 1811 router.

Hahah! .. as usual you got it !! ..
Big thank again for your help ! Its so helpfull..

So right now .. i suppose that i have to replace FTP by any Application Protocol name from Port to applocation Mappings in the SDM like http or SQLserv .. with the right port in it!?

No problem at all.

Yes, you will need to add this for every port you want to allow inbound with obviously changing the port/protocol to suit.

Oooops .. i made a mistake .. i test it internaly .. :( ..

My FTP is not working from outside !!

There is my current config :

!This is the running config of the router: 192.168.0.1
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname trikebhq
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 *********************************
!
no aaa new-model
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-452422327
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-452422327
 revocation-check none
 rsakeypair TP-self-signed-452422327
!
!
crypto pki certificate chain TP-self-signed-452422327
 certificate self-signed 01
  30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 34353234 32323332 37301E17 0D303831 32303832 32333431 
  375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F 
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3435 32343232 
  33323730 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100 
  D6977F6E 832BB56A 840733F4 DC37D6B1 BAF03333 5CBE36F3 B4054663 EA8FD996 
  1A8875D3 00041415 83005496 DF883050 2A5B134A 98C407BE 4B8630E4 08877353 
  EC06E833 5DBD0B08 6826E4F7 B3456E76 EB9983B2 6F9CBE22 B90FFDA2 8C1FDAD4 
  576513D3 9BFF3F69 A245664D A045E9E6 09FBEF53 81902F79 55EAAAA4 F7F3F505 
  02030100 01A37330 71300F06 03551D13 0101FF04 05300301 01FF301E 0603551D 
  11041730 15821374 72696B65 6268712E 7472696B 65622E63 6F6D301F 0603551D 
  23041830 16801467 2B803651 55FCA776 32B95C05 142B5603 5F47CE30 1D060355 
  1D0E0416 0414672B 80365155 FCA77632 B95C0514 2B56035F 47CE300D 06092A86 
  4886F70D 01010405 00038181 00B1095B ED4E702D F5E1EF2E 89926B54 2E177672 
  80206E54 E8E5DC5F FE3E0F31 6F907F00 A2B1A1C2 BD5D54C5 CE01FCA0 F2F4DE10 
  0C3359C7 5FAAD126 DB3114E8 7C898BA9 FB9CD937 66127A1C A3D33727 3BF2CE50 
  BB0618E0 666B1FB1 B6415500 15E6955C 0011FD1E 207E764A A88EAB53 7F2A0264 
  8F21CE13 42D90134 FA9B5CC9 37
  	quit
! 
!
!
dot11 ssid Trikeb2
   authentication open 
!
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.99
!
ip dhcp pool sdm-pool1
   network 192.168.0.0 255.255.255.0
   dns-server 192.168.0.10 
   default-router 192.168.0.1 
!
ip dhcp pool AccessPoint
   hardware-address 001a.70aa.e665
!
!
no ip bootp server
ip domain name trikeb.com
ip name-server 205.151.67.2
ip name-server 205.151.67.6
ip name-server 205.236.148.130
!
multilink bundle-name authenticated
!
!
username ********* privilege 15 secret 5 *****************************
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-nat-http-1
 match access-group 101
 match protocol http
class-map type inspect match-all sdm-nat-http-2
 match access-group 102
 match protocol http
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-protocol-http
 match protocol http
class-map type inspect match-all sdm-nat-ftp-1
 match access-group 103
 match protocol ftp
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-nat-http-2
  inspect
 class type inspect sdm-nat-ftp-1
  inspect
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  pass
policy-map type inspect sdm-permit
 class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
bridge irb
!
!
!
interface FastEthernet0
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 24.226.183.86 255.255.255.192
 ip mask-reply
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet1
 description $ETH-WAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Dot11Radio0
 no ip address
 !
 ssid Trikeb2
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 !
 ssid Trikeb2
 !
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
interface Dialer1
 description $FW_OUTSIDE$
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username ******** password 7 *************
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1412
!
ip route 0.0.0.0 0.0.0.0 24.226.183.65
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map cable interface FastEthernet0 overload
ip nat inside source route-map pppoe interface Dialer1 overload
ip nat inside source static tcp 192.168.0.7 21 24.226.183.86 21 extendable
!
logging trap debugging
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 remark INSIDE_IF=BVI1
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 24.226.183.64 0.0.0.63 any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.0.10
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.0.10
access-list 103 permit tcp any any eq ftp
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
no cdp run
!
!
!
route-map cable permit 10
 match ip address 1
 match interface FastEthernet0
!
route-map pppoe permit 10
 match ip address 2
 match interface Dialer1
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user Fucker!!^C
!
line con 0
 login local
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
 
!
webvpn cef
end

Select allOpen in new window

Lol,

Okay, try this.

policy-map type inspect sdm-permit
class type inspect sdm-nat-ftp-1
  inspect

Error message when typing : Inspect

%Protocol ftp configured in class-map sdm-nat-ftp-1 cannot be configured for the
 self zone. Please remove the protocol and retry

I'm testing it with the FE0 .. remember that i have 2 wan interfaces.

Okay, lets try this:

conf t
class-map type inspect match-all sdm-nat-ftp-1
no match access-group 103

i tried this .. i test the ftp .. no access from outside.. i re-enter the code you send me before but got the same error message.

Hmm.  I am able to connect to your FTP server.  Are you able to connect but can't login or something else?  Do you at least get this:

220-Microsoft FTP Service
220 Hellllllo
etc...

No .. i didn't get this !!!..

I tried from another wan in the building and get no respons at all!
With FileZilla we got this error message : "ECONNREFUSED - Connection refused by server".
I tried with IE and firefox and .. can't connect too ! .. i put Anonymous connection enable.

Let's try with http ..
Is those line are ok ??

access-list 103 permit tcp any any eq http

class-map type inspect match-all sdm-nat-http-1
 match access-group 103
 match protocol http

policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-http-1
  inspect

ip nat inside source static tcp 192.168.0.X 80 24.226.183.86 80 extendable

That is weird that you don't get the login prompt as the router is allowing FTP connections from any source.  You are attempting from outside your network right?  You can't connect to the public IP from inside your network, it has to be attempted from the Internet.  Try Windows command prompt:

Start, Run, cmd
ftp 24.226.183.86

That should work for HTTP.  HTTP is simpler since it is one port whereas FTP opens dynamic ports, etc...

You were right again !! heheh .. its all working now !!! .. Thank you for your precious help !!