Solved

FTP connection Over a Cisco 851w

Posted on 2009-04-14
801 Views
Last Modified: 2012-08-13
Hello Everyone,

I have a small issue with connecting to an FTP server outside my network. I have a Cisco 851w as default gateway and I want to be able to access any outside FTP server from any computer within the network. I'm actually able to enter the login ID and password, but I'm not able to establish a data connection. I know it's something related to the ACL and the FTP response port, but I'm not that good in those topics... It would be better if I can use both passive and active FTP. Find attached a copy of my config, and thanks in advance for your help!
Building configuration...

Current configuration : 6905 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname MYNAME
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 XXX
enable password 7 ZZZ
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-4196358538
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4196358538
 revocation-check none
 rsakeypair TP-self-signed-4196358538
!
!
crypto pki certificate chain TP-self-signed-4196358538
 certificate self-signed 01
  3082024A 308201B3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34313936 33353835 3338301E 170D3032 30333031 30333330
  31395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31393633
  35383533 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B62A 24285F04 0E1749F9 8E723873 02748D90 3A78BC53 637C90F7 B91D49CA
  0545FE6D 17A4EB7E 7108C493 7CA2F412 750BB672 A0E52CAD CEEC8E30 A8504519
  6CF1B2C7 580049C9 F524921B BA440C64 67A77150 14215B8E D5CFEC02 79AAC8FD
  B62B5BE5 90D513DD CF4B84C1 40325A03 7DC84FC5 B5959481 D1CE0176 319286FA
  3CB50203 010001A3 72307030 0F060355 1D130101 FF040530 030101FF 301D0603
  551D1104 16301482 12434146 45313433 2E64796E 646E732E 6F726730 1F060355
  1D230418 30168014 3ABB0276 A8B072FD 98B5F0A5 28831694 231D5F83 301D0603
  551D0E04 1604143A BB0276A8 B072FD98 B5F0A528 83169423 1D5F8330 0D06092A
  864886F7 0D010104 05000381 810082D0 BB936283 489D7508 4420CBF0 6DBADEEA
  01B346D2 BAC92C64 45289A5C 21E2492C 971B691D 437A60D1 9318227A 922C3C53
  35F5D6B4 CA462D95 1A283378 7F93DB91 FD238282 308F3AAB FFDE6ABD 76785456
  B4457A43 EA7E7FA5 DF132974 D22E20EB 4F0B4C22 157D0175 6958C50B D79BBED0
  EF21928C 11B4FD27 ADBC7FB0 8CE9
  quit
dot11 syslog
!
dot11 ssid XYZ
   vlan 20
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 XXX
!
dot11 ssid Secured
   vlan 1
   authentication open
   authentication key-management wpa
   wpa-psk ascii 7 XXX
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.2.143.1 10.2.143.99
ip dhcp excluded-address 172.16.0.1 172.16.0.99
!
ip dhcp pool Internal-net
   import all
   network 10.2.143.0 255.255.255.0
   default-router 10.2.143.254
   domain-name dyndns.org
   lease 4
!
ip dhcp pool VLAN20
   import all
   network 172.16.0.0 255.255.255.0
   default-router 172.16.0.1
   domain-name dyndns.org
   lease 4
!
!
ip cef
ip inspect name MYFW tcp
ip inspect name MYFW udp
no ip domain lookup
ip domain name dyndns.org
ip ddns update method sdm_ddns1
 HTTP
  add http://ZZZ:XXX@members.dyndns.org/nic/updatesystem=dyndns&hostname=<h>&myip=<a>
  remove http://ZZZ:XXX@members.dyndns.org/nic/updatesystem=dyndns&hostname=<h>&myip=<a>
 interval maximum 28 0 0 0
!
!
vpdn enable
!
!
!
username admin privilege 15 password 7 XXX
!
!
!
bridge irb
!
!
interface FastEthernet0
 spanning-tree portfast
!
interface FastEthernet1
 spanning-tree portfast
!
interface FastEthernet2
 spanning-tree portfast
!
interface FastEthernet3
 spanning-tree portfast
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Dot11Radio0
 no ip address
 no dot11 extension aironet
 !
 encryption vlan 1 mode ciphers tkip
 !
 encryption vlan 20 mode ciphers tkip
 !
 ssid XXX
 !
 ssid ZZZ
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2412
 station-role root
 no cdp enable
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.20
 description Guest wireless LAN - routed WLAN
 encapsulation dot1Q 20
 ip address 172.16.0.1 255.255.255.0
 ip access-group Guest-ACL in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan1
 description Internal Network
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dialer1
 ip dhcp client update dns server none
 ip ddns update sdm_ddns1
 ip address negotiated
 ip access-group Internet-inbound-ACL in
 ip inspect MYFW out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username XXX password 7 ZZZ
 ppp ipcp dns request
 ppp ipcp address accept
!
interface BVI1
 description Bridge to Internal Network
 ip address 10.2.143.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source static tcp 10.2.143.1 3389 interface Dialer1 3389
ip nat inside source static tcp 10.2.143.1 5900 interface Dialer1 5900
ip nat inside source static tcp 10.2.143.1 5800 interface Dialer1 5800
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
!
ip access-list extended Guest-ACL
 deny   ip any 10.2.143.0 0.0.0.255
 permit ip any any
ip access-list extended Internet-inbound-ACL
 remark CCP_ACL Category=17
 permit udp any eq bootps any eq bootpc
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit gre any any
 permit esp any any
 permit tcp any any eq 22
 permit tcp any host 10.2.143.1 eq 3389
 permit tcp any host 10.2.143.1 eq 5800
 permit tcp any host 10.2.143.1 eq 5900
!
access-list 1 remark CCP_ACL Category=16
access-list 1 permit 10.2.143.0 0.0.0.255
access-list 1 permit 172.16.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.2.143.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 permit ip 172.16.0.0 0.0.0.255 any
access-list 101 permit ip 10.2.143.0 0.0.0.255 any
dialer-list 1 protocol ip list 1
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
control-plane
!
bridge 1 route ip
!
line con 0
 password 7 071B341B18021C5D4E
 no modem enable
line aux 0
line vty 0 4
 password 7 0212110C5D0D0A7915
!
scheduler max-task-time 5000
end

Question by:GMarchand
2 Comments
 
LVL 5

Expert Comment

by:ionut_mir
ID: 24145990
The idea is that FTP uses two ports, 20 and 21. If you are saying that you are able to log in, this means that port 21 is allowed and 20 is not.
I don't see, though, where port 21 is allowed in your configuration, but maybe I am missing it.

Come back with more info.

Good luck!

Accepted Solution

by: GMarchand (earned 0 total points)
ID: 24153693
Thanks for your time, but I re-configured the router completely yesterday and it's now working. I think there was an ACL missing or something.

Sorry about that !
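The thread never says which line was missing, so as an added illustration (editor-added example code, not anything posted by GMarchand or ionut_mir) the following Python shows why a firewall or NAT that only tracks the port-21 control session, which is all that the `ip inspect name MYFW tcp` line in the configuration above does, cannot by itself pass FTP transfers. The data channel is negotiated in-band: in active mode the client sends a PORT command and the server connects back from port 20; in passive mode the server's 227 reply to PASV names a port the client connects out to. The code parses both messages, derives the single TCP flow the firewall would have to admit, and flags the case where an active-mode client behind NAT advertises its private address. The sample session is constructed: 10.2.143.50 is an assumed host in the poster's internal subnet and 203.0.113.7 is a documentation-range placeholder for the outside server.

```python
"""FTP data-channel negotiation and the pinhole a stateful firewall needs.

Added example, not from the original post. Sample addresses are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# h1,h2,h3,h4,p1,p2 as carried by the PORT command and the 227 reply
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text: str) -> tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 tuple; the port is p1*256 + p2."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError(f"no host/port tuple in {text!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass(frozen=True)
class Pinhole:
    """The one TCP flow the firewall must admit for a single transfer."""
    mode: str                 # "active" or "passive"
    src_ip: str
    src_port: Optional[int]   # None = any ephemeral port
    dst_ip: str
    dst_port: int
    inbound: bool             # True when the outside server opens the flow


def pinhole_for(line: str, client_ip: str, server_ip: str) -> Pinhole:
    """Derive the data-channel flow from one control-channel line.

    `line` is the client's PORT command or the server's 227 reply;
    `client_ip`/`server_ip` are the control connection's endpoints as the
    firewall sees them.
    """
    if line.upper().startswith("PORT "):
        ip, port = parse_hostport(line)
        # Active mode: the server dials FROM port 20 TO the client's listener,
        # so an inbound ACL on the WAN side blocks it unless a pinhole is opened.
        return Pinhole("active", server_ip, 20, ip, port, inbound=True)
    if line.startswith("227"):
        ip, port = parse_hostport(line)
        # Passive mode: the client dials out, so ordinary return-traffic
        # tracking of an outbound session is enough.
        return Pinhole("passive", client_ip, None, ip, port, inbound=False)
    raise ValueError(f"not a data-channel negotiation line: {line!r}")


def nat_rewrite_needed(pinhole: Pinhole, inside_nets: list[str]) -> bool:
    """True when an active-mode PORT advertises an inside (private) address.

    A NAT that does not rewrite the PORT payload (an FTP ALG) leaves the
    server dialing an unroutable address: login works, every transfer stalls.
    """
    addr = ipaddress.ip_address(pinhole.dst_ip)
    return pinhole.mode == "active" and any(
        addr in ipaddress.ip_network(net) for net in inside_nets
    )


def demo() -> dict:
    # Constructed session: inside client 10.2.143.50, outside server 203.0.113.7
    client, server = "10.2.143.50", "203.0.113.7"
    inside = ["10.2.143.0/24", "172.16.0.0/24"]  # the two LANs in the posted config
    active = pinhole_for("PORT 10,2,143,50,19,137", client, server)
    passive = pinhole_for("227 Entering Passive Mode (203,0,113,7,195,80)", client, server)
    return {
        "active": active,
        "passive": passive,
        "active_needs_alg": nat_rewrite_needed(active, inside),
        "passive_needs_alg": nat_rewrite_needed(passive, inside),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

On IOS the application-aware equivalent is the CBAC FTP inspector, enabled with `ip inspect name MYFW ftp` next to the existing tcp and udp lines: it watches the port-21 session for exactly these PORT and 227 messages and opens the matching return pinhole through Internet-inbound-ACL for the life of the transfer. The thread does not confirm that this was the missing line, so treat it as the first thing to check on a configuration like the one above rather than as the poster's actual fix.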
