Solved

FTP connection Over a Cisco 851w

Posted on 2009-04-14
2
806 Views
Last Modified: 2012-08-13
Hello Everyone,

I have a small issue with connecting to an FTP server outside of my network. I have a Cisco 851w as default gateway and I want to be able to access any outside FTP server from any computer within the network. I'm actually able to enter the login ID and password, but I'm not able to establish a data connection. I know it's something related to ACLs and the FTP response port, but I'm not that good in those topics... It would be better if I could use both passive and active FTP. Find attached a copy of my configs, and thanks in advance for your help!
Building configuration...
 
Current configuration : 6905 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname MYNAME
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 XXX
enable password 7 ZZZ
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local 
 
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-4196358538
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4196358538
 revocation-check none
 rsakeypair TP-self-signed-4196358538
!
!
crypto pki certificate chain TP-self-signed-4196358538
 certificate self-signed 01
  	quit
dot11 syslog
!
dot11 ssid XYZ
   vlan 20
   authentication open 
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 XXX
!
dot11 ssid Secured
   vlan 1
   authentication open 
   authentication key-management wpa
   wpa-psk ascii 7 XXX
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.2.143.1 10.2.143.99
ip dhcp excluded-address 172.16.0.1 172.16.0.99
!
ip dhcp pool Internal-net
   import all
   network 10.2.143.0 255.255.255.0
   default-router 10.2.143.254 
   domain-name dyndns.org
   lease 4
!
ip dhcp pool VLAN20
   import all
   network 172.16.0.0 255.255.255.0
   default-router 172.16.0.1 
   domain-name dyndns.org
   lease 4
!
!
ip cef
ip inspect name MYFW tcp
ip inspect name MYFW udp
no ip domain lookup
ip domain name dyndns.org
ip ddns update method sdm_ddns1
 HTTP
  add http://ZZZ:XXX@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
  remove http://ZZZ:XXX@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
 interval maximum 28 0 0 0
!
!
vpdn enable
!
!
!
username admin privilege 15 password 7 XXX
! 
!
!
bridge irb
!
!
interface FastEthernet0
 spanning-tree portfast
!
interface FastEthernet1
 spanning-tree portfast
!
interface FastEthernet2
 spanning-tree portfast
!
interface FastEthernet3
 spanning-tree portfast
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Dot11Radio0
 no ip address
 no dot11 extension aironet
 !
 encryption vlan 1 mode ciphers tkip 
 !
 encryption vlan 20 mode ciphers tkip 
 !
 ssid XXX
 !
 ssid ZZZ
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2412
 station-role root
 no cdp enable
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.20
 description Guest wireless LAN - routed WLAN
 encapsulation dot1Q 20
 ip address 172.16.0.1 255.255.255.0
 ip access-group Guest-ACL in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan1
 description Internal Network
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dialer1
 ip dhcp client update dns server none
 ip ddns update sdm_ddns1
 ip address negotiated
 ip access-group Internet-inbound-ACL in
 ip inspect MYFW out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username XXX password 7 ZZZ
 ppp ipcp dns request
 ppp ipcp address accept
!
interface BVI1
 description Bridge to Internal Network
 ip address 10.2.143.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source static tcp 10.2.143.1 3389 interface Dialer1 3389
ip nat inside source static tcp 10.2.143.1 5900 interface Dialer1 5900
ip nat inside source static tcp 10.2.143.1 5800 interface Dialer1 5800
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
!
ip access-list extended Guest-ACL
 deny   ip any 10.2.143.0 0.0.0.255
 permit ip any any
ip access-list extended Internet-inbound-ACL
 remark CCP_ACL Category=17
 permit udp any eq bootps any eq bootpc
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit gre any any
 permit esp any any
 permit tcp any any eq 22
 permit tcp any host 10.2.143.1 eq 3389
 permit tcp any host 10.2.143.1 eq 5800
 permit tcp any host 10.2.143.1 eq 5900
!
access-list 1 remark CCP_ACL Category=16
access-list 1 permit 10.2.143.0 0.0.0.255
access-list 1 permit 172.16.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.2.143.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 permit ip 172.16.0.0 0.0.0.255 any
access-list 101 permit ip 10.2.143.0 0.0.0.255 any
dialer-list 1 protocol ip list 1
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
control-plane
!
bridge 1 route ip
!
line con 0
 password 7 071B341B18021C5D4E
 no modem enable
line aux 0
line vty 0 4
 password 7 0212110C5D0D0A7915
!
scheduler max-task-time 5000
end

Question by:GMarchand
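In the config above, the CBAC rule MYFW inspects only generic tcp and udp, and Dialer1 filters inbound traffic with Internet-inbound-ACL, which has no permit for the server-initiated data connection that active-mode FTP uses; IOS can open that return path dynamically only when the rule also parses the FTP control channel (`ip inspect name MYFW ftp`). As an added example (not the poster's or Cisco's code), here is a small Python linter that reads a running-config for exactly that gap; the embedded config excerpt is constructed from the lines above.

```python
import re

# Constructed excerpt of the running-config above: only the lines this check reads.
SAMPLE_CONFIG = """\
ip inspect name MYFW tcp
ip inspect name MYFW udp
interface Dialer1
 ip access-group Internet-inbound-ACL in
 ip inspect MYFW out
!
"""


def parse_inspection(config):
    """Map each CBAC rule name to the set of protocols it inspects."""
    rules = {}
    for m in re.finditer(r"^ip inspect name (\S+) (\S+)", config, re.M):
        rules.setdefault(m.group(1), set()).add(m.group(2))
    return rules


def parse_interfaces(config):
    """Map each interface to the inspect rule applied 'out' and the ACL applied 'in'."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if m := re.match(r"^interface (\S+)", line):
            cur = ifaces.setdefault(m.group(1), {"inspect_out": None, "acl_in": None})
        elif cur is None or not line.startswith(" "):
            cur = None  # a non-indented line ('!' or the next stanza) ends the block
        elif m := re.match(r"^\s+ip inspect (\S+) out", line):
            cur["inspect_out"] = m.group(1)
        elif m := re.match(r"^\s+ip access-group (\S+) in", line):
            cur["acl_in"] = m.group(1)
    return ifaces


def audit_ftp_inspection(config):
    """Flag interfaces with an inbound ACL whose outbound CBAC rule lacks 'ftp':
    only the control channel is tracked, so the server-initiated active-mode
    data connection is dropped by that ACL instead of being opened dynamically."""
    rules, findings = parse_inspection(config), []
    for name, info in parse_interfaces(config).items():
        rule, acl = info["inspect_out"], info["acl_in"]
        if rule and acl and "ftp" not in rules.get(rule, set()):
            protos = ", ".join(sorted(rules.get(rule, set()))) or "undefined"
            findings.append(f"{name}: ACL {acl} in, inspect {rule} out ({protos}) "
                            f"lacks ftp; add 'ip inspect name {rule} ftp'")
    return findings
```

Run `audit_ftp_inspection` over a full `show running-config` dump; it returns an empty list once every inspected-and-filtered interface has `ftp` in its rule.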
2 Comments
 
LVL 5

Expert Comment

by:ionut_mir
ID: 24145990
The idea is that FTP uses two ports, 20 and 21. If you are saying that you are able to log in, this means that port 21 is allowed and 20 is not.
I don't see, though, where port 21 is allowed in your configuration, but maybe I am missing it.

Come back with more info.

Good luck!
 

Accepted Solution

by: GMarchand earned 0 total points
ID: 24153693
Thanks for your time, but I reconfigured the router completely yesterday and it's now working. I think there was an ACL missing or something.

Sorry about that !
