ozlocal
Filezilla FTP between 2 sites behind Cisco 878 firewall

Hi,
I am having a problem with an FTP connection between 2 sites. I am using the Filezilla client to connect to the Filezilla server at the main site. Both sites are behind a Cisco 878 firewall router. The client can connect on port 5656 and the username/password is accepted, but it fails to get a data connection. See the client Filezilla log below.
Status:      Connecting to 125.255.97.6:5656...
Status:      Connection established, waiting for welcome message...
Response:      220-FileZilla Server version 0.9.32 beta
Response:      220-written by Tim Kosse (Tim.Kosse@gmx.de)
Response:      220 Please visit http://sourceforge.net/projects/filezilla/
Command:      USER *******
Response:      331 Password required for *******
Command:      PASS *********
Response:      230 Logged on
Status:      Connected
Status:      Retrieving directory listing...
Command:      PWD
Response:      257 "/" is current directory.
Command:      TYPE I
Response:      200 Type set to I
Command:      PASV
Response:      227 Entering Passive Mode (125,255,97,6,195,112)
Command:      MLSD
Response:      425 Can't open data connection.
Error:      Failed to retrieve directory listing
Response:      421 Connection timed out.
Error:      Connection closed by server
The Filezilla server is listening on port 5656, and I have port forwarding on the main site's router for port 5656 to go to the internal Filezilla server PC. Within the Filezilla server passive mode settings, I have put in the external server IP address and am using a custom port range of 50000-51000.
I have tried to put these port ranges into the main site Cisco router firewall through SDM, but am still getting the same error. I have also tried adding the command:
access-list 101 permit tcp any host 192.168.10.33 range 50000 51000 (192.168.10.33 is the Filezilla server IP) without any luck.
Also, is there any configuration I need to do on the client side Cisco firewall? Both sites have a VPN between them. Any help would be greatly appreciated.
Regards,
sheproc
Running config from main site router:
Building configuration...
 
Current configuration : 16217 bytes
!
version 12.4
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname JDA-Router
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
enable secret 5 $1$t5vI$wpuC4CmPH8pDO9fhYsp1x.
!
aaa new-model
!
!
aaa authentication login default enable
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login LOCALUSERS local
aaa authorization network sdm_vpn_group_ml_1 local 
!
aaa session-id common
!
resource policy
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.150 192.168.1.254
ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.10.150 192.168.10.254
!
ip dhcp pool CLIENT
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1 
   dns-server 210.23.129.34 61.8.0.113 
   netbios-node-type h-node
!
ip dhcp pool Pool
   import all
   network 192.168.10.0 255.255.255.0
   dns-server 61.8.0.113 210.23.129.34 
   default-router 192.168.10.25 
!
!
ip domain name jda.com.au
ip name-server 61.8.0.113
ip name-server 210.23.129.34
ip ssh authentication-retries 5
ip ssh version 2
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW h323callsigalt
ip inspect name SDM_LOW h323gatestat
ip inspect name SDM_LOW skinny
ip inspect name SDM_LOW sip
ip inspect name SDM_LOW sip-tls
ip inspect name SDM_LOW isakmp
ip inspect name SDM_LOW ipsec-msft
ip inspect name VPN microsoft-ds
ip inspect name VPN ms-cluster-net
ip inspect name VPN ms-dotnetster
ip inspect name VPN ms-sna
ip inspect name VPN ms-sql
ip inspect name VPN ms-sql-m
ip inspect name VPN msexch-routing
ip inspect name VPN netbios-dgm
ip inspect name VPN netbios-ssn
ip inspect name VPN r-winsock
ip inspect name VPN clp
ip inspect name VPN cisco-net-mgmt
ip inspect name VPN cisco-sys
ip inspect name VPN cisco-tna
ip inspect name VPN cisco-fna
ip inspect name VPN cisco-tdp
ip inspect name VPN cisco-svcs
ip inspect name VPN stun
ip inspect name VPN tr-rsrb
ip inspect name VPN exec
ip inspect name VPN telnet
ip inspect name VPN telnets
ip inspect name VPN rtelnet
ip inspect name VPN login
ip inspect name VPN rcmd
ip inspect name VPN ssh
ip inspect name VPN shell
ip inspect name VPN sshell
ip inspect name VPN pcanywheredata
ip inspect name VPN pcanywherestat
ip inspect name VPN x11
ip inspect name VPN xdmcp
!
!
crypto pki trustpoint TP-self-signed-807282283
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-807282283
 revocation-check none
 rsakeypair TP-self-signed-807282283
!
!
crypto pki certificate chain TP-self-signed-807282283
username ************** privilege 15 password 7 0314580E070E315E48
username ************* privilege 15 password 7 060D073514
!
!
controller DSL 0
 mode atm
 line-term cpe
 line-mode 2-wire line-zero
 dsl-mode shdsl symmetric annex B
 line-rate auto
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 79f5f9f598 address 125.255.97.70
crypto isakmp key 79f5f9f598 address 125.255.97.58
crypto isakmp key 79F5F9F598 address 125.255.97.46
crypto isakmp key 79f5f9f598 address 125.255.97.66
crypto isakmp key 79F5F9F598 address 125.255.98.86
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac 
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Liverpool VPN tunnel
 set peer 125.255.97.70
 set transform-set ESP-3DES-SHA 
 match address 102
crypto map SDM_CMAP_1 2 ipsec-isakmp 
 set peer 125.255.97.58
 set transform-set ESP-3DES-SHA2 
 match address 104
crypto map SDM_CMAP_1 5 ipsec-isakmp 
 set peer 125.255.97.46
 set transform-set ESP-3DES-SHA 
 match address 109
crypto map SDM_CMAP_1 6 ipsec-isakmp 
 set peer 125.255.98.86
 set transform-set ESP-3DES-SHA7 
 match address 111
!
bridge irb
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface ATM0
 description Nextep SHDSL
 no ip address
 atm ilmi-keepalive
 pvc 0/33 
  encapsulation aal5snap
 !
 pvc 1/32 
  encapsulation aal5snap
 !
 bridge-group 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $FW_INSIDE$
 ip address 192.168.10.25 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
!
interface BVI1
 description $FW_OUTSIDE$
 ip address 125.255.97.6 255.255.255.252
 ip access-group 101 in
 ip verify unicast reverse-path
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.10.150 192.168.10.199
ip route 0.0.0.0 0.0.0.0 BVI1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source static tcp 192.168.10.33 4000 interface BVI1 4000
ip nat inside source static tcp 192.168.10.202 3456 interface BVI1 3456
ip nat inside source static tcp 192.168.10.60 3434 interface BVI1 3434
ip nat inside source static tcp 192.168.10.30 4444 interface BVI1 4444
ip nat inside source route-map SDM_RMAP_1 interface BVI1 overload
ip nat inside source static tcp 192.168.10.119 3389 interface BVI1 3389
ip nat inside source static tcp 192.168.10.119 6502 interface BVI1 6502
ip nat inside source static tcp 192.168.10.144 3399 interface BVI1 3399
ip nat inside source static tcp 192.168.10.33 5656 interface BVI1 5656
ip nat inside source static tcp 192.168.10.33 50000 interface BVI1 50000
ip nat inside source static tcp 192.168.10.14 20 125.255.97.6 20 extendable
ip nat inside source static tcp 192.168.10.14 21 125.255.97.6 21 extendable
ip nat inside source static udp 192.168.10.14 69 125.255.97.6 69 extendable
ip nat inside source static tcp 192.168.10.14 3333 125.255.97.6 3333 extendable
ip nat inside source static tcp 192.168.10.251 3390 125.255.97.6 3390 extendable
ip nat inside source static tcp 192.168.10.252 3391 125.255.97.6 3391 extendable
ip nat inside source static tcp 192.168.10.253 3392 125.255.97.6 3392 extendable
!
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 10 permit 61.8.0.68
access-list 10 permit 61.8.0.70
access-list 10 permit 61.8.0.67
access-list 10 permit 125.255.97.5
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 125.255.97.4 0.0.0.3 any
access-list 100 permit tcp any any eq ftp
access-list 100 remark Inbound, Vlan, to deny spoofing
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 remark Inbound, Vlan, deny broadcast local loopback
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 remark Inbound, Vlan, permit all other traffic
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.8.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit udp host 125.255.98.86 host 125.255.97.6 eq non500-isakmp
access-list 101 permit udp host 125.255.98.86 host 125.255.97.6 eq isakmp
access-list 101 permit esp host 125.255.98.86 host 125.255.97.6
access-list 101 permit ahp host 125.255.98.86 host 125.255.97.6
access-list 101 remark IPSec Rule CharlieChans
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 remark CharlieChans VPN
access-list 101 permit udp host 125.255.97.46 host 125.255.97.6 eq non500-isakmp
access-list 101 remark CharlieChans VPN
access-list 101 permit udp host 125.255.97.46 host 125.255.97.6 eq isakmp
access-list 101 remark CharlieChans VPN
access-list 101 permit esp host 125.255.97.46 host 125.255.97.6
access-list 101 remark CharlieChans VPN
access-list 101 permit ahp host 125.255.97.46 host 125.255.97.6
access-list 101 remark IPSec Rule Allawah
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 remark Allawah VPN
access-list 101 permit udp host 125.255.97.58 host 125.255.97.6 eq non500-isakmp
access-list 101 remark Allawah VPN
access-list 101 permit udp host 125.255.97.58 host 125.255.97.6 eq isakmp
access-list 101 remark Allawah VPN
access-list 101 permit esp host 125.255.97.58 host 125.255.97.6
access-list 101 remark Allawah VPN
access-list 101 permit ahp host 125.255.97.58 host 125.255.97.6
access-list 101 remark IPSec Rule Legends
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 remark Legends VPN
access-list 101 permit udp host 125.255.97.70 host 125.255.97.6 eq non500-isakmp
access-list 101 remark Legends VPN
access-list 101 permit udp host 125.255.97.70 host 125.255.97.6 eq isakmp
access-list 101 remark Legends VPN
access-list 101 permit esp host 125.255.97.70 host 125.255.97.6
access-list 101 remark Legends VPN
access-list 101 permit ahp host 125.255.97.70 host 125.255.97.6
access-list 101 remark ServerRDP
access-list 101 permit tcp any host 125.255.97.6 eq 3333
access-list 101 remark JohnRDP
access-list 101 permit tcp any host 125.255.97.6 eq 3390
access-list 101 remark DeanRDP
access-list 101 permit tcp any host 125.255.97.6 eq 3391
access-list 101 remark Abbey RDP
access-list 101 permit tcp any host 125.255.97.6 eq 3392
access-list 101 remark BePOZ server
access-list 101 permit tcp any host 125.255.97.6 eq 3389
access-list 101 remark BePOZ
access-list 101 permit tcp any host 125.255.97.6 eq 6502
access-list 101 remark Terminal server RDP
access-list 101 permit tcp any host 125.255.97.6 eq 4444
access-list 101 remark StaceRDP
access-list 101 permit tcp any host 125.255.97.6 eq 3434
access-list 101 remark DebraRDP
access-list 101 permit tcp any host 125.255.97.6 eq 3456
access-list 101 remark SBS2008RDP
access-list 101 permit tcp any host 125.255.97.6 eq 4000
access-list 101 remark SandraRDP
access-list 101 permit tcp any host 125.255.97.6 eq 3399
access-list 101 remark FileZillaFTP
access-list 101 permit tcp any host 125.255.97.6 eq 5656
access-list 101 remark PING
access-list 101 permit tcp any eq echo any eq echo
access-list 101 remark PING
access-list 101 permit icmp any any
access-list 101 remark FTP
access-list 101 permit tcp any any eq ftp
access-list 101 remark DNS resolution
access-list 101 permit udp any eq domain any eq domain
access-list 101 remark DNS
access-list 101 permit ip host 210.23.129.34 host 125.255.97.6
access-list 101 remark DNS
access-list 101 permit ip host 61.8.0.113 host 125.255.97.6
access-list 101 remark Prevent broadcasts
access-list 101 deny   ip 192.168.10.0 0.0.0.255 any
access-list 101 remark PING
access-list 101 permit icmp any host 125.255.97.6 echo-reply
access-list 101 remark PING
access-list 101 permit icmp any host 125.255.97.6 time-exceeded
access-list 101 remark TFTP
access-list 101 permit udp any eq tftp any eq tftp
access-list 101 permit tcp any host 125.255.97.6 eq 443
access-list 101 permit tcp any host 125.255.97.6 eq 22
access-list 101 permit tcp any host 125.255.97.6 eq cmd
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 101 permit tcp any host 192.168.10.33 range 50000 51000
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.10.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.255.255 any
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 106 remark SDM_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 108 remark SDM_ACL Category=4
access-list 108 remark IPSec Rule
access-list 108 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 109 remark SDM_ACL Category=4
access-list 109 remark IPSec Rule
access-list 109 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 remark SDM_ACL Category=4
access-list 110 remark IPSec Rule
access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 111 remark SDM_ACL Category=4
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.10.0 0.0.0.255 192.168.8.0 0.0.0.255
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 exec-timeout 120 0
 login authentication LOCALUSERS
 no modem enable
 no exec
 transport output ssh
 stopbits 1
line aux 0
 transport output all
line vty 0 4
 access-class 10 in
 exec-timeout 0 0
 privilege level 15
 length 0
 transport input telnet
 transport output all
!
scheduler max-task-time 5000
end

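As an added example (not FileZilla's, Cisco's or the thread's own code), a small Python checker that parses the 227 reply from the log above, computes the data port, and walks the router's static NAT entries and access-list 101 with first-match semantics to see whether that port is both forwarded and permitted. The config lines are copied from the running config above; the FIXED_CONFIG ordering is a hypothetical comparison, and the checker only understands the entry shapes shown.

```python
import re

# Constructed input, copied from the thread: the 227 reply in the FileZilla log and the
# router config lines that matter for the data connection (this checker is an added
# example, not FileZilla or IOS code).
PASV_REPLY = "Response:      227 Entering Passive Mode (125,255,97,6,195,112)"
ROUTER_CONFIG = """\
ip nat inside source static tcp 192.168.10.33 5656 interface BVI1 5656
ip nat inside source static tcp 192.168.10.33 50000 interface BVI1 50000
access-list 101 permit tcp any host 125.255.97.6 eq 5656
access-list 101 deny   ip 192.168.10.0 0.0.0.255 any
access-list 101 deny   ip any any log
access-list 101 permit tcp any host 192.168.10.33 range 50000 51000
"""
# Hypothetical corrected ACL ordering for comparison: the passive range is permitted on
# the public address and placed before the catch-all deny.
FIXED_CONFIG = """\
access-list 101 permit tcp any host 125.255.97.6 eq 5656
access-list 101 permit tcp any host 125.255.97.6 range 50000 51000
access-list 101 deny   ip any any log
"""

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
NAT_RE = re.compile(r"^ip nat inside source static tcp (\S+) (\d+) (?:interface \S+|\S+) (\d+)")
# Understands only the entry shapes used in the thread's config:
#   access-list N permit|deny ip|tcp any any [log]
#   access-list N permit|deny ip|tcp any host H [eq P | range A B]
ACL_RE = re.compile(
    r"^access-list (\d+) (permit|deny)\s+(ip|tcp) any (?:host (\S+)|any)"
    r"(?: (eq|range) (\d+)(?: (\d+))?)?")


def parse_pasv(line):
    """Return (ip, port) advertised in a 227 reply; port = p1*256 + p2 (RFC 959)."""
    m = PASV_RE.search(line)
    if not m:
        raise ValueError("not a 227 PASV reply")
    g = m.groups()
    return ".".join(g[:4]), int(g[4]) * 256 + int(g[5])


def forwarded_ports(config):
    """Outside TCP ports that a per-port static NAT entry sends to an inside host."""
    return {int(m.group(3)) for m in map(NAT_RE.match, config.splitlines()) if m}


def acl_verdict(config, acl, dst_ip, dst_port):
    """First-match walk of numbered ACL `acl` for a TCP connection from the internet to
    dst_ip:dst_port. Lines with other shapes are skipped. Returns (verdict, line)."""
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if not m or m.group(1) != acl:
            continue
        _, action, _, host, op, p1, p2 = m.groups()
        if host is not None and host != dst_ip:
            continue
        if op == "eq" and dst_port != int(p1):
            continue
        if op == "range" and not int(p1) <= dst_port <= int(p2):
            continue
        return action, line.strip()
    return "implicit-deny", None


def diagnose(pasv_line, config, acl="101"):
    """Combine the checks for one 227 reply: is the advertised port forwarded and permitted?"""
    ip, port = parse_pasv(pasv_line)
    verdict, rule = acl_verdict(config, acl, ip, port)
    return {"data_ip": ip, "data_port": port,
            "nat_forwarded": port in forwarded_ports(config),
            "acl_verdict": verdict, "acl_rule": rule}
```

Run against the thread's own lines, the advertised port (50032) has no static NAT entry and is hit by the catch-all deny before the range line is ever evaluated; the hypothetical reordered ACL permits it.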

Kerem ERSOY

Hi,

First of all you need to allow ftp data from any port greater than 1023 to ftp. Then you need NAT to use ports 50000 and 51000. In your definition it will just allow them without NAT. Don't forget that they are not accessing your internal host; they are accessing your reverse-NATted server through your external interface. This is why your command does not work.
To get it working you need 3 things:

access-list 100 permit tcp any gt 1023 host x.x.x.x eq ftp    ( x.x.x.x is your public IP)
access-list 100 permit tcp any gt 1023 host x.x.x.x range 50000 51000

Then you need some definitions for your NAT:

ip access-list extended PASSIVEACL
remark Standard FTP Data and Comms
permit tcp any any range 20
remark Passive Ports
permit tcp any any range 50000 51000

And allow this rule by Reverse NAT

ip nat pool PASSIVEFTP 192.168.10.33  192.168.10.33  netmask 255.255.255.0 type rotary
ip nat inside destination list PASSIVEACL pool PASSIVEFTP

Cheers,
K.
ozlocal (ASKER)

Hi KeremE,
I have entered those commands (I used permit tcp any any range 20 21, as it would not let me have a range without a 2nd port), copied running-config to startup and reloaded, then tried to connect with the client and still get the same error message: 425 Can't open data connection
Regards,
sheproc
21 is only for Active FTP but it requires the connections to the other end. You could have used "20 20" instead.

Oops, sorry, will you change all my port 20 specifications for all ports with your port of 5656?
ozlocal (ASKER)

Hi KeremE,
I have done the changes as suggested above but am still getting the same error:

Status:      Connecting to 125.255.97.6:5656...
Status:      Connection established, waiting for welcome message...
Response:      220-FileZilla Server version 0.9.32 beta
Response:      220-written by Tim Kosse (Tim.Kosse@gmx.de)
Response:      220 Please visit http://sourceforge.net/projects/filezilla/
Command:      USER *******
Response:      331 Password required for *******
Command:      PASS *********
Response:      230 Logged on
Status:      Connected
Status:      Retrieving directory listing...
Command:      PWD
Response:      257 "/" is current directory.
Command:      TYPE I
Response:      200 Type set to I
Command:      PASV
Response:      227 Entering Passive Mode (125,255,97,6,195,122)
Command:      MLSD
Response:      425 Can't open data connection.
Error:      Failed to retrieve directory listing
Status:      Disconnected from server
Status:      Connecting to 125.255.97.6:5656...
Status:      Connection established, waiting for welcome message...
Response:      220-FileZilla Server version 0.9.32 beta
Response:      220-written by Tim Kosse (Tim.Kosse@gmx.de)
Response:      220 Please visit http://sourceforge.net/projects/filezilla/
Command:      USER *******
Response:      331 Password required for *******
Command:      PASS *********
Response:      230 Logged on
Status:      Connected
Status:      Retrieving directory listing...
Command:      PWD
Response:      257 "/" is current directory.
Command:      TYPE I
Response:      200 Type set to I
Command:      PASV
Response:      227 Entering Passive Mode (125,255,97,6,195,123)
Command:      MLSD
Response:      425 Can't open data connection.
Error:      Failed to retrieve directory listing

I have attached the running-config.txt file of the router in case there are some other commands I need to remove from or add to the router.

Regards,
sheproc
running-config.txt
You might try configuring an inspection rule for FTP traffic. Although you would have to change your configuration to listen for FTP on the standard RFC ports instead of 5656 (TCP 20 & 21).

I am quoting some text from:

http://www.cisco.com/en/US/docs/routers/access/800/850/software/configuration/guide/firewall.html#wp999748

Configure Inspection Rules:

Perform these steps to configure firewall inspection rules for all TCP and UDP traffic, as well as specific application protocols as defined by the security policy, beginning in global configuration mode:


 ip inspect name inspection-name protocol

Example:

Router(config)# ip inspect name firewall ftp


ASKER CERTIFIED SOLUTION
ozlocal