Filezilla FTP between 2 sites behind Cisco 878 firewall

Solved. Posted on 2009-07-13. Last Modified: 2013-12-09
Hi,
I am having a problem with an FTP connection between 2 sites. I am using the Filezilla client to connect to a Filezilla server at the main site. Both sites are behind a Cisco 878 firewall router. The client can connect on port 5656 and the username/password are accepted, but it fails to get a data connection. See the client Filezilla log below.
Status:      Connecting to 125.255.97.6:5656...
Status:      Connection established, waiting for welcome message...
Response:      220-FileZilla Server version 0.9.32 beta
Response:      220-written by Tim Kosse (Tim.Kosse@gmx.de)
Response:      220 Please visit http://sourceforge.net/projects/filezilla/
Command:      USER *******
Response:      331 Password required for *******
Command:      PASS *********
Response:      230 Logged on
Status:      Connected
Status:      Retrieving directory listing...
Command:      PWD
Response:      257 "/" is current directory.
Command:      TYPE I
Response:      200 Type set to I
Command:      PASV
Response:      227 Entering Passive Mode (125,255,97,6,195,112)
Command:      MLSD
Response:      425 Can't open data connection.
Error:      Failed to retrieve directory listing
Response:      421 Connection timed out.
Error:      Connection closed by server
The Filezilla server is listening on port 5656, and I have port forwarding on the main site's router for port 5656 to the internal Filezilla server PC. Within the Filezilla server passive mode settings, I have put in the external server IP address, and am using a custom port range of 50000-51000.
I have tried to put this port range into the main site Cisco router firewall through SDM, but am still getting the same error. I have also tried adding the command:
access-list 101 permit tcp any host 192.168.10.33 range 50000 51000 (192.168.10.33 being the Filezilla server IP), without any luck.
Also, is there any configuration I need to do on the client-side Cisco firewall? Both sites have a VPN between them. Any help would be greatly appreciated.
Regards,
sheproc
Running config from main site router:

Building configuration...

Current configuration : 16217 bytes
!
version 12.4
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname JDA-Router
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
enable secret 5 $1$t5vI$wpuC4CmPH8pDO9fhYsp1x.
!
aaa new-model
!
!
aaa authentication login default enable
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login LOCALUSERS local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.150 192.168.1.254
ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.10.150 192.168.10.254
!
ip dhcp pool CLIENT
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 210.23.129.34 61.8.0.113
   netbios-node-type h-node
!
ip dhcp pool Pool
   import all
   network 192.168.10.0 255.255.255.0
   dns-server 61.8.0.113 210.23.129.34
   default-router 192.168.10.25
!
!
ip domain name jda.com.au
ip name-server 61.8.0.113
ip name-server 210.23.129.34
ip ssh authentication-retries 5
ip ssh version 2
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW h323callsigalt
ip inspect name SDM_LOW h323gatestat
ip inspect name SDM_LOW skinny
ip inspect name SDM_LOW sip
ip inspect name SDM_LOW sip-tls
ip inspect name SDM_LOW isakmp
ip inspect name SDM_LOW ipsec-msft
ip inspect name VPN microsoft-ds
ip inspect name VPN ms-cluster-net
ip inspect name VPN ms-dotnetster
ip inspect name VPN ms-sna
ip inspect name VPN ms-sql
ip inspect name VPN ms-sql-m
ip inspect name VPN msexch-routing
ip inspect name VPN netbios-dgm
ip inspect name VPN netbios-ssn
ip inspect name VPN r-winsock
ip inspect name VPN clp
ip inspect name VPN cisco-net-mgmt
ip inspect name VPN cisco-sys
ip inspect name VPN cisco-tna
ip inspect name VPN cisco-fna
ip inspect name VPN cisco-tdp
ip inspect name VPN cisco-svcs
ip inspect name VPN stun
ip inspect name VPN tr-rsrb
ip inspect name VPN exec
ip inspect name VPN telnet
ip inspect name VPN telnets
ip inspect name VPN rtelnet
ip inspect name VPN login
ip inspect name VPN rcmd
ip inspect name VPN ssh
ip inspect name VPN shell
ip inspect name VPN sshell
ip inspect name VPN pcanywheredata
ip inspect name VPN pcanywherestat
ip inspect name VPN x11
ip inspect name VPN xdmcp
!
!
crypto pki trustpoint TP-self-signed-807282283
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-807282283
 revocation-check none
 rsakeypair TP-self-signed-807282283
!
!
crypto pki certificate chain TP-self-signed-807282283
 certificate self-signed 01
  3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 38303732 38323238 33301E17 0D303230 33313530 39333633
  375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3830 37323832
  32383330 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  9819313F E60F14E5 30E08834 807912E5 82D459A8 089106D9 08AB61A1 FA2BBD7C
  61782251 FA3A9236 9424C0A2 1231B4AC 4E6B01D3 0E150CE7 B460EE5A 94B6C22E
  10CF050E 76E8AD99 49F3AB0F EDF3C896 25F9FEA6 FB12000F D39061E0 ACD0FB01
  EB1FCDA1 B2609269 7C902EAB A5C61D69 A8206D0A AD3E6E40 DAB44E64 CEBF17A5
  02030100 01A37530 73300F06 03551D13 0101FF04 05300301 01FF3020 0603551D
  11041930 1782154A 44412D52 6F757465 722E6A64 612E636F 6D2E6175 301F0603
  551D2304 18301680 142DB095 79871311 36F26FFB 82D506DF 504BF605 93301D06
  03551D0E 04160414 2DB09579 87131136 F26FFB82 D506DF50 4BF60593 300D0609
  2A864886 F70D0101 04050003 81810088 A897CF69 8F4A4623 CC334F31 C4D7BD80
  306DC79D 49EAD421 E0D58EB5 D10C164C 3F8D7016 BA54AB9E 70EEE7BC 27426716
  54EEE929 ABA25658 2553D566 B76EB9F7 8CB0847C B1C96331 36FF69DF A670E01C
  5458CDC5 FDCCCF56 822A8E07 A139985E 9B09DEF2 F46261EE D3753A18 95746CDE
  FBC4E1AE 91DF5402 892EADE1 0D7C63
  quit
username ************** privilege 15 password 7 0314580E070E315E48
username ************* privilege 15 password 7 060D073514
!
!
controller DSL 0
 mode atm
 line-term cpe
 line-mode 2-wire line-zero
 dsl-mode shdsl symmetric annex B
 line-rate auto
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 79f5f9f598 address 125.255.97.70
crypto isakmp key 79f5f9f598 address 125.255.97.58
crypto isakmp key 79F5F9F598 address 125.255.97.46
crypto isakmp key 79f5f9f598 address 125.255.97.66
crypto isakmp key 79F5F9F598 address 125.255.98.86
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Liverpool VPN tunnel
 set peer 125.255.97.70
 set transform-set ESP-3DES-SHA
 match address 102
crypto map SDM_CMAP_1 2 ipsec-isakmp
 set peer 125.255.97.58
 set transform-set ESP-3DES-SHA2
 match address 104
crypto map SDM_CMAP_1 5 ipsec-isakmp
 set peer 125.255.97.46
 set transform-set ESP-3DES-SHA
 match address 109
crypto map SDM_CMAP_1 6 ipsec-isakmp
 set peer 125.255.98.86
 set transform-set ESP-3DES-SHA7
 match address 111
!
bridge irb
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface ATM0
 description Nextep SHDSL
 no ip address
 atm ilmi-keepalive
 pvc 0/33
  encapsulation aal5snap
 !
 pvc 1/32
  encapsulation aal5snap
 !
 bridge-group 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $FW_INSIDE$
 ip address 192.168.10.25 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
!
interface BVI1
 description $FW_OUTSIDE$
 ip address 125.255.97.6 255.255.255.252
 ip access-group 101 in
 ip verify unicast reverse-path
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.10.150 192.168.10.199
ip route 0.0.0.0 0.0.0.0 BVI1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source static tcp 192.168.10.33 4000 interface BVI1 4000
ip nat inside source static tcp 192.168.10.202 3456 interface BVI1 3456
ip nat inside source static tcp 192.168.10.60 3434 interface BVI1 3434
ip nat inside source static tcp 192.168.10.30 4444 interface BVI1 4444
ip nat inside source route-map SDM_RMAP_1 interface BVI1 overload
ip nat inside source static tcp 192.168.10.119 3389 interface BVI1 3389
ip nat inside source static tcp 192.168.10.119 6502 interface BVI1 6502
ip nat inside source static tcp 192.168.10.144 3399 interface BVI1 3399
ip nat inside source static tcp 192.168.10.33 5656 interface BVI1 5656
ip nat inside source static tcp 192.168.10.33 50000 interface BVI1 50000
ip nat inside source static tcp 192.168.10.14 20 125.255.97.6 20 extendable
ip nat inside source static tcp 192.168.10.14 21 125.255.97.6 21 extendable
ip nat inside source static udp 192.168.10.14 69 125.255.97.6 69 extendable
ip nat inside source static tcp 192.168.10.14 3333 125.255.97.6 3333 extendable
ip nat inside source static tcp 192.168.10.251 3390 125.255.97.6 3390 extendable
ip nat inside source static tcp 192.168.10.252 3391 125.255.97.6 3391 extendable
ip nat inside source static tcp 192.168.10.253 3392 125.255.97.6 3392 extendable
!
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 10 permit 61.8.0.68
access-list 10 permit 61.8.0.70
access-list 10 permit 61.8.0.67
access-list 10 permit 125.255.97.5
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 125.255.97.4 0.0.0.3 any
access-list 100 permit tcp any any eq ftp
access-list 100 remark Inbound, Vlan, to deny spoofing
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 remark Inbound, Vlan, deny broadcast local loopback
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 remark Inbound, Vlan, permit all other traffic
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.8.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit udp host 125.255.98.86 host 125.255.97.6 eq non500-isakmp
access-list 101 permit udp host 125.255.98.86 host 125.255.97.6 eq isakmp
access-list 101 permit esp host 125.255.98.86 host 125.255.97.6
access-list 101 permit ahp host 125.255.98.86 host 125.255.97.6
access-list 101 remark IPSec Rule CharlieChans
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 remark CharlieChans VPN
access-list 101 permit udp host 125.255.97.46 host 125.255.97.6 eq non500-isakmp
access-list 101 remark CharlieChans VPN
access-list 101 permit udp host 125.255.97.46 host 125.255.97.6 eq isakmp
access-list 101 remark CharlieChans VPN
access-list 101 permit esp host 125.255.97.46 host 125.255.97.6
access-list 101 remark CharlieChans VPN
access-list 101 permit ahp host 125.255.97.46 host 125.255.97.6
access-list 101 remark IPSec Rule Allawah
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 remark Allawah VPN
access-list 101 permit udp host 125.255.97.58 host 125.255.97.6 eq non500-isakmp
access-list 101 remark Allawah VPN
access-list 101 permit udp host 125.255.97.58 host 125.255.97.6 eq isakmp
access-list 101 remark Allawah VPN
access-list 101 permit esp host 125.255.97.58 host 125.255.97.6
access-list 101 remark Allawah VPN
access-list 101 permit ahp host 125.255.97.58 host 125.255.97.6
access-list 101 remark IPSec Rule Legends
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 remark Legends VPN
access-list 101 permit udp host 125.255.97.70 host 125.255.97.6 eq non500-isakmp
access-list 101 remark Legends VPN
access-list 101 permit udp host 125.255.97.70 host 125.255.97.6 eq isakmp
access-list 101 remark Legends VPN
access-list 101 permit esp host 125.255.97.70 host 125.255.97.6
access-list 101 remark Legends VPN
access-list 101 permit ahp host 125.255.97.70 host 125.255.97.6
access-list 101 remark ServerRDP
access-list 101 permit tcp any host 125.255.97.6 eq 3333
access-list 101 remark JohnRDP
access-list 101 permit tcp any host 125.255.97.6 eq 3390
access-list 101 remark DeanRDP
access-list 101 permit tcp any host 125.255.97.6 eq 3391
access-list 101 remark Abbey RDP
access-list 101 permit tcp any host 125.255.97.6 eq 3392
access-list 101 remark BePOZ server
access-list 101 permit tcp any host 125.255.97.6 eq 3389
access-list 101 remark BePOZ
access-list 101 permit tcp any host 125.255.97.6 eq 6502
access-list 101 remark Terminal server RDP
access-list 101 permit tcp any host 125.255.97.6 eq 4444
access-list 101 remark StaceRDP
access-list 101 permit tcp any host 125.255.97.6 eq 3434
access-list 101 remark DebraRDP
access-list 101 permit tcp any host 125.255.97.6 eq 3456
access-list 101 remark SBS2008RDP
access-list 101 permit tcp any host 125.255.97.6 eq 4000
access-list 101 remark SandraRDP
access-list 101 permit tcp any host 125.255.97.6 eq 3399
access-list 101 remark FileZillaFTP
access-list 101 permit tcp any host 125.255.97.6 eq 5656
access-list 101 remark PING
access-list 101 permit tcp any eq echo any eq echo
access-list 101 remark PING
access-list 101 permit icmp any any
access-list 101 remark FTP
access-list 101 permit tcp any any eq ftp
access-list 101 remark DNS resolution
access-list 101 permit udp any eq domain any eq domain
access-list 101 remark DNS
access-list 101 permit ip host 210.23.129.34 host 125.255.97.6
access-list 101 remark DNS
access-list 101 permit ip host 61.8.0.113 host 125.255.97.6
access-list 101 remark Prevent broadcasts
access-list 101 deny   ip 192.168.10.0 0.0.0.255 any
access-list 101 remark PING
access-list 101 permit icmp any host 125.255.97.6 echo-reply
access-list 101 remark PING
access-list 101 permit icmp any host 125.255.97.6 time-exceeded
access-list 101 remark TFTP
access-list 101 permit udp any eq tftp any eq tftp
access-list 101 permit tcp any host 125.255.97.6 eq 443
access-list 101 permit tcp any host 125.255.97.6 eq 22
access-list 101 permit tcp any host 125.255.97.6 eq cmd
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 101 permit tcp any host 192.168.10.33 range 50000 51000
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.10.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.255.255 any
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 106 remark SDM_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 108 remark SDM_ACL Category=4
access-list 108 remark IPSec Rule
access-list 108 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 109 remark SDM_ACL Category=4
access-list 109 remark IPSec Rule
access-list 109 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 remark SDM_ACL Category=4
access-list 110 remark IPSec Rule
access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 111 remark SDM_ACL Category=4
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.10.0 0.0.0.255 192.168.8.0 0.0.0.255
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 exec-timeout 120 0
 login authentication LOCALUSERS
 no modem enable
 no exec
 transport output ssh
 stopbits 1
line aux 0
 transport output all
line vty 0 4
 access-class 10 in
 exec-timeout 0 0
 privilege level 15
 length 0
 transport input telnet
 transport output all
!
scheduler max-task-time 5000
end

Question by:ozlocal
6 Comments

Expert Comment

by:Kerem ERSOY
ID: 24846167
Hi,

First of all you need to allow FTP data from any port greater than 1023 to FTP. Then you need NAT to use ports 50000 and 51000. In your definition it will just allow them without NAT. Don't forget that they are not accessing your internal host; they are accessing your reverse-NATted server through your external interface. This is why your command does not work.
To get it working you need 3 things:

access-list 100 permit tcp any gt 1023 host x.x.x.x eq ftp    ( x.x.x.x is your public IP)
access-list 100 permit tcp any gt 1023 host x.x.x.x range 50000 51000

Then you need some definitions for your NAT:

ip access-list extended PASSIVEACL
remark Standard FTP Data and Comms
permit tcp any any range 20
remark Passive Ports
permit tcp any any range 50000 51000

And allow this rule by Reverse NAT

ip nat pool PASSIVEFTP 192.168.10.33  192.168.10.33  netmask 255.255.255.0 type rotary
ip nat inside destination list PASSIVEACL pool PASSIVEFTP

Cheers,
K.
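As an added example (not from this thread, FileZilla or Cisco), the check below does for the posted router config what the two posts above reason about by hand: it decodes the 227 PASV reply into the data port (p1*256+p2), runs the client's connection to the public address through ACL 101 (the ACL applied `in` on BVI1 in the posted config) with IOS first-match semantics, and then looks for a static TCP NAT entry that would translate that port inside. It goes beyond the single case in the thread in that it handles `any`/`host`/wildcard address specs, `eq`/`gt`/`range` port operators and both `ip` and `tcp` entries. CONFIG is an excerpt of the running-config posted in the question; the client address 203.0.113.9 and source port 50123 are constructed.

```python
"""Check whether the data port announced in an FTP 227 PASV reply would get
through a Cisco IOS inbound ACL and a static TCP NAT table.  Added example,
not from the thread, FileZilla or Cisco.  CONFIG is an excerpt of the
running-config posted in the question; CLIENT_IP and SRC_PORT are constructed."""
import ipaddress
import re
from typing import Optional

# Well-known IOS port names that appear in the ACLs on this page.
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "echo": 7, "domain": 53, "tftp": 69,
              "cmd": 514, "isakmp": 500, "non500-isakmp": 4500}

CONFIG = """
ip nat inside source static tcp 192.168.10.33 5656 interface BVI1 5656
ip nat inside source static tcp 192.168.10.33 50000 interface BVI1 50000
access-list 101 remark FileZillaFTP
access-list 101 permit tcp any host 125.255.97.6 eq 5656
access-list 101 permit tcp any any eq ftp
access-list 101 deny   ip 192.168.10.0 0.0.0.255 any
access-list 101 deny   ip any any log
access-list 101 permit tcp any host 192.168.10.33 range 50000 51000
""".strip().splitlines()

OUTSIDE_IP = "125.255.97.6"   # BVI1 address in the posted config
CLIENT_IP = "203.0.113.9"     # constructed remote FTP client
SRC_PORT = 50123              # constructed ephemeral client source port

NAT_RE = re.compile(r"ip nat inside source static tcp (\S+) (\d+) (?:interface \S+|\S+) (\d+)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (host, p1*256+p2)."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a 227 PASV reply")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def _addr(t: list, i: int):
    """Consume an IOS address spec: 'any' | 'host A' | 'A WILDCARD' (None = any)."""
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # An IOS wildcard mask is the bitwise inverse of a netmask (contiguous masks only).
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(t[i + 1])))
    return ipaddress.ip_network(f"{t[i]}/{mask}", strict=False), i + 2


def _port_op(t: list, i: int):
    """Consume an optional port operator: 'eq X' | 'gt X' | 'range A B'."""
    num = lambda s: int(s) if s.isdigit() else PORT_NAMES.get(s)
    if i < len(t) and t[i] in ("eq", "gt"):
        return (t[i], num(t[i + 1])), i + 2
    if i < len(t) and t[i] == "range":
        return ("range", num(t[i + 1]), num(t[i + 2])), i + 3
    return None, i


def _port_ok(op, port: int) -> bool:
    if op is None:
        return True
    if None in op[1:]:            # unknown port name never matches a number
        return False
    if op[0] == "eq":
        return port == op[1]
    if op[0] == "gt":
        return port > op[1]
    return op[1] <= port <= op[2]


def parse_acl(lines, number: int) -> list:
    """Entries of a numbered ACL in order: (action, proto, src, sport, dst, dport, text)."""
    aces = []
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[:2] != ["access-list", str(number)] or t[2] == "remark":
            continue
        src, i = _addr(t, 4)
        sport, i = _port_op(t, i)
        dst, i = _addr(t, i)
        dport, i = _port_op(t, i)
        aces.append((t[2], t[3], src, sport, dst, dport, " ".join(t)))
    return aces


def acl_verdict(aces, src_ip, dst_ip, src_port, dst_port, proto="tcp"):
    """First matching entry wins; no match is the implicit deny, as on IOS."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, aproto, src, sport, dst, dport, text in aces:
        if aproto not in ("ip", proto):
            continue
        if (src is not None and s not in src) or (dst is not None and d not in dst):
            continue
        if aproto == proto and not (_port_ok(sport, src_port) and _port_ok(dport, dst_port)):
            continue
        return action, text
    return "deny", "<implicit deny>"


def nat_target(lines, outside_port: int) -> Optional[tuple]:
    """Inside (host, port) that a static TCP NAT entry maps the outside port to."""
    for line in lines:
        m = NAT_RE.match(line.strip())
        if m and int(m.group(3)) == outside_port:
            return m.group(1), int(m.group(2))
    return None


def check_passive(lines, acl_number, reply, client_ip=CLIENT_IP, outside_ip=OUTSIDE_IP):
    """Report what the inbound ACL and the NAT table do with the client's data connection."""
    host, port = parse_pasv(reply)
    verdict, ace = acl_verdict(parse_acl(lines, acl_number), client_ip, outside_ip, SRC_PORT, port)
    return {"pasv_host": host, "data_port": port, "host_matches_outside": host == outside_ip,
            "acl": verdict, "matched": ace, "nat": nat_target(lines, port)}


if __name__ == "__main__":
    for reply in ("227 Entering Passive Mode (125,255,97,6,195,112)",
                  "227 Entering Passive Mode (125,255,97,6,195,80)"):
        print(check_passive(CONFIG, 101, reply))
```

Run against the posted lines, the 227 reply from the question decodes to port 50032; the inbound ACL reaches `deny ip any any log` before the range permit (which in any case names the inside address 192.168.10.33, not the public one, which is the point Kerem makes above), and the only static NAT entry in the passive range is for 50000, so 50032 has nothing to translate it inside. The control connection to 5656 passes the same checks, which matches the log: login succeeds, the data connection does not.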

Author Comment

by:ozlocal
ID: 24846365
Hi KeremE,
I have input those commands (I used permit tcp any any range 20 21, as it would not let me have a range without a 2nd port). Copied running-config to startup and reloaded, then tried to connect with the client and still get the same error message: 425 Can't open data connection
Regards,
sheproc

Expert Comment

by:Kerem ERSOY
ID: 24846520
21 is only for Active FTP, but it requires connections to the other end. You could have used "20 20" instead.

Oops, sorry, will you change all my port 20 specifications to your port of 5656?

Author Comment

by:ozlocal
ID: 24847030
Hi KeremE,
I have made the changes as suggested above but am still getting the same error:

Status:      Connecting to 125.255.97.6:5656...
Status:      Connection established, waiting for welcome message...
Response:      220-FileZilla Server version 0.9.32 beta
Response:      220-written by Tim Kosse (Tim.Kosse@gmx.de)
Response:      220 Please visit http://sourceforge.net/projects/filezilla/
Command:      USER *******
Response:      331 Password required for *******
Command:      PASS *********
Response:      230 Logged on
Status:      Connected
Status:      Retrieving directory listing...
Command:      PWD
Response:      257 "/" is current directory.
Command:      TYPE I
Response:      200 Type set to I
Command:      PASV
Response:      227 Entering Passive Mode (125,255,97,6,195,122)
Command:      MLSD
Response:      425 Can't open data connection.
Error:      Failed to retrieve directory listing
Status:      Disconnected from server
Status:      Connecting to 125.255.97.6:5656...
Status:      Connection established, waiting for welcome message...
Response:      220-FileZilla Server version 0.9.32 beta
Response:      220-written by Tim Kosse (Tim.Kosse@gmx.de)
Response:      220 Please visit http://sourceforge.net/projects/filezilla/
Command:      USER *******
Response:      331 Password required for *******
Command:      PASS *********
Response:      230 Logged on
Status:      Connected
Status:      Retrieving directory listing...
Command:      PWD
Response:      257 "/" is current directory.
Command:      TYPE I
Response:      200 Type set to I
Command:      PASV
Response:      227 Entering Passive Mode (125,255,97,6,195,123)
Command:      MLSD
Response:      425 Can't open data connection.
Error:      Failed to retrieve directory listing

I have attached the router's running-config.txt in case there are some other commands I need to add to or remove from the router.

Regards,
sheproc
running-config.txt

Expert Comment

by:Darkstriker69
ID: 24854463
You might try configuring an inspection rule for FTP traffic, although you would have to change your configuration to listen for FTP on the standard RFC ports (TCP 20 & 21) instead of 5656.

I am quoting some text from:

http://www.cisco.com/en/US/docs/routers/access/800/850/software/configuration/guide/firewall.html#wp999748

Configure Inspection Rules:

Perform these steps to configure firewall inspection rules for all TCP and UDP traffic, as well as specific application protocols as defined by the security policy, beginning in global configuration mode:

 ip inspect name inspection-name protocol

Example:

Router(config)# ip inspect name firewall ftp


Accepted Solution

by: ozlocal earned 0 total points
ID: 24901520
After trying the above posts, I seemed to run into more hassles (namely regular FTP to a second server had stopped, and had been working prior to trying the solutions). As a result, I have reverted to the original configuration and am using Robocopy to transfer FTP data between the 2 servers. Thank you to all who helped with this problem.
Regards,
sheproc