Cisco 1841 router version 12.4 FTP access rules issue

I'm working with a Cisco 1841 Series Router Version 12.4. I'm trying to get some rules set up to allow FTP access to our GlobalScape EFT 6.0.1 server via the Internet. I think the problem at this point is the router not opening passive ports needed when accessing through a browser window such as Explorer or IE. Access works perfectly internally but when trying to access from the www I get a prompt for credentials then the session times out during/after authentication. Here are the rules I have created so far. Any ideas what is missing? Thank you in advance for any assistance.

ip nat inside source static tcp 10.10.1.2 20 12.x.x.x 20 extendable
ip nat inside source static tcp 10.10.1.2 21 12.x.x.x 21 extendable

access-list 100 permit ip 10.10.1.0 0.0.0.255 any
access-list 100 permit tcp 10.10.1.0 0.0.0.255 any

access-list 110 permit tcp any host 12.x.x.x eq ftp                    
access-list 110 permit tcp any host 12.x.x.x eq ftp-data            
kilfoyAsked:

nasirshCommented:
You need to make sure that your FTP server has the default-gateway of your router's inside interface. Then give it a try. Further, have you bound the access-list 110 to the outside interface of your router?
0
kilfoyAuthor Commented:
The server's default gateway is configured with the router's inside interface IP. I believe the access-list 110 is configured to the outside interface as other services are working. Here is the rest of the router configuration minus SSL cert and user & password info if you'd like to inspect:

xxxx_1841#show run
Building configuration...

Current configuration : 6760 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
hostname xxx_1841
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 xxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
ip name-server 12. x.x.x
ip name-server 12. x.x.x
ip inspect name xxx_FW http
ip inspect name xxx_FW ftp
ip inspect name xxx_FW dns
ip inspect name xxx_FW tcp
ip inspect name xxx_FW udp
ip inspect name xxx_FW tftp
ip inspect name xxx_FW esmtp
ip inspect name xxx_FW ssh
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 15

!
crypto isakmp client configuration group AOS_VPN
 key xxxxxxxx
 dns 10.10.0.5
 domain xxxxx.com
 pool SDM_POOL_2
 acl 101
 netmask 255.255.255.0
!
crypto isakmp client configuration group VPN
 key xxxxxxxx
 pool SDM_POOL_2
 acl 101
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA1
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_2
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!

interface FastEthernet0/0
 description Connection to 3560 Switch
 ip address 12.x.x.x 255.255.255.248
 ip access-group 110 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 ip address 10.10.0.254 255.255.252.0
 ip nat inside
 ip inspect Legacy_FW in
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0/0
 description AT&T T1 Internet Connection (xxxxxxxxxx)
 ip address 12.x.x.x 255.255.255.252
 ip access-group 110 in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 172. x.x.x 172.x.x.x
ip local pool SDM_POOL_2 172. x.x.x 172. x.x.x
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 10.10.100.0 255.255.255.0 10.10.1.70
!
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map T1 interface Serial0/0/0 overload
ip nat inside source static tcp 10.10.1.2 20 12.x.x.x 20 extendable
ip nat inside source static tcp 10.10.1.2 21 12.x.x.x 21 extendable
ip nat inside source static tcp 10.10.0.10 25 12.x.x.x 25 extendable
ip nat inside source static tcp 10.10.1.2 80 12.x.x.x 80 extendable
ip nat inside source static tcp 10.10.0.10 443 12.x.x.x 443 extendable
!
access-list 100 deny   ip 10.10.100.0 0.0.3.255 172.x.x.x 0.0.0.255
access-list 100 deny   ip 10.10.0.0 0.0.3.255 172.x.x.x 0.0.0.255
access-list 100 deny   ip any 172.x.x.x 0.0.0.255
access-list 100 permit ip 10.10.0.0 0.0.1.255 any
access-list 100 permit ip 10.10.100.0 0.0.0.255 any
access-list 100 permit ip 10.10.1.0 0.0.0.255 any
access-list 100 permit tcp 10.10.1.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 10.10.0.0 0.0.3.255 any
access-list 101 permit ip 10.10.100.0 0.0.0.255 any
access-list 110 deny   ip 10.10.0.0 0.0.255.255 any
access-list 110 deny   ip 192.168.0.0 0.0.0.255 any
access-list 110 deny   ip 127.0.0.0 0.255.255.255 any
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any packet-too-big
access-list 110 permit icmp any any time-exceeded
access-list 110 permit icmp any any traceroute
access-list 110 permit icmp any any unreachable
access-list 110 permit tcp any host 69.x.x.x eq 22
access-list 110 permit udp any any eq non500-isakmp
access-list 110 permit udp any any eq isakmp
access-list 110 permit esp any any
access-list 110 permit ahp any any
access-list 110 permit tcp any host 12.x.x.x eq smtp
access-list 110 permit tcp any host 12.x.x.x eq 443
access-list 110 permit tcp any host 12.x.x.x eq ftp
access-list 110 permit tcp any host 12.x.x.x eq ftp-data
!
route-map T1 permit 10
 match ip address 100
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
end
 
0
fritz5150Commented:
I ran into this problem the other day. Good timing. What I found out is the IP inspect ftp was causing the issue. Since we have this host secured, I just removed this from the router, and the FTP started working correctly. I haven't dug into it any further than this due to other projects.
0
nasirshCommented:
Just do this.

Conf t
no ip inspect name xxx_FW ftp

and try again.
0
kilfoyAuthor Commented:
That still didn't work. When I open Explorer and browse to the URL (or IP) I get a prompt to enter my credentials. It looks like it accepts my credentials and at the bottom of the window it says "Getting contents of folder" then ends up timing out with this error:
"An error occurred opening that FTP folder on the FTP server. Make sure you have permission to access that folder. Details: A connection with the server could not be established"

Any other ideas?
0
kilfoyAuthor Commented:
I also removed "ip inspect name xxx_FW tftp" and still the same results.
0
kilfoyAuthor Commented:
Issue resolved. I did some testing with an FTP client and turned off the passive ftp option and was able to access the directory without issue from the www. I then disabled that option in IE and it tested ok there as well. Once that change was made it also worked in the folder view in explorer.

Thanks everyone for your effort in helping to get to the bottom of this issue.
0
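
Why passive mode timed out while active mode worked with the posted rules, as an added example that is not part of the original thread: in passive mode the server answers with a 227 reply naming an address and port, and the client opens a new inbound connection to it, which ACL 110 has to permit. The 227 reply below is constructed (the EFT server's real passive port range is not shown in the thread), and the function names are hypothetical.

```python
import ipaddress
import re

# TCP permits for the 12.x.x.x host, copied from ACL 110 in the posted config.
ACL_110 = """\
access-list 110 permit tcp any host 12.x.x.x eq smtp
access-list 110 permit tcp any host 12.x.x.x eq 443
access-list 110 permit tcp any host 12.x.x.x eq ftp
access-list 110 permit tcp any host 12.x.x.x eq ftp-data
"""

# IOS port keywords that appear in the lines above.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "smtp": 25}

def permitted_tcp_ports(acl_text):
    """Destination ports opened by 'permit tcp any host <ip> eq <port>' lines."""
    ports = set()
    for line in acl_text.splitlines():
        m = re.match(r"access-list \d+ permit tcp any host \S+ eq (\S+)$", line.strip())
        if m:
            tok = m.group(1)
            ports.add(PORT_NAMES[tok] if tok in PORT_NAMES else int(tok))
    return ports

def parse_pasv(reply):
    """Parse an RFC 959 '227' reply into (ip, port); port = p1 * 256 + p2."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a 227 passive-mode reply")
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

# Constructed sample: the server's inside address with data port 195*256+80.
SAMPLE_227 = "227 Entering Passive Mode (10,10,1,2,195,80)"

def check_passive(reply, acl_text):
    """Report where the client is told to connect and whether the ACL allows it."""
    ip, port = parse_pasv(reply)
    return {
        "ip": ip,
        "port": port,
        "private_address": ipaddress.ip_address(ip).is_private,
        "acl_permits": port in permitted_tcp_ports(acl_text),
    }

if __name__ == "__main__":
    print(check_passive(SAMPLE_227, ACL_110))
```

In active mode the data connection is opened outbound by the server from port 20, so the inbound ACL never sees a new connection to an unlisted port, which matches the behaviour reported in the final post.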