Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2210
  • Last Modified:

Filezilla FTP between 2 sites behind Cisco 878 firewall

Hi,
I am having a problem with a FTP connection between 2 sites. Am using Filezilla client to connect to Filezilla server at main site. Both sites are behind a Cisco 878 firewall router. The client can connect on port 5656, accepts username/password, but fails to get a data connections. See log below on client Filezilla.
Status:      Connecting to 125.255.97.6:5656...
Status:      Connection established, waiting for welcome message...
Response:      220-FileZilla Server version 0.9.32 beta
Response:      220-written by Tim Kosse (Tim.Kosse@gmx.de)
Response:      220 Please visit http://sourceforge.net/projects/filezilla/
Command:      USER *******
Response:      331 Password required for *******
Command:      PASS *********
Response:      230 Logged on
Status:      Connected
Status:      Retrieving directory listing...
Command:      PWD
Response:      257 "/" is current directory.
Command:      TYPE I
Response:      200 Type set to I
Command:      PASV
Response:      227 Entering Passive Mode (125,255,97,6,195,112)
Command:      MLSD
Response:      425 Can't open data connection.
Error:      Failed to retrieve directory listing
Response:      421 Connection timed out.
Error:      Connection closed by server
The Filezilla server is listening on port 5656, and i have got port forwarding on main sites router for port 5656 to go to internal Filezilla server pc. Within Filezilla server passive mode settings, have put in external server IP address, and am using a custom port range from 50000-51000.
I have tried to put in these port ranges into main site Cisco router firewall through SDM, but am still getting same error. Have also tried adding in the command:
access-list 101 permit tcp any host 192.168.10.33 range 50000 51000 (which is the Filezilla server IP) without any luck.
Also, is there any configuring i need to do on the client side Cisco firewall? Both sites have a VPN between them. Any help would be greatly appreciated.
Regards,
sheproc
Running config from main site router:
Building configuration...
 
Current configuration : 16217 bytes
!
version 12.4
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname JDA-Router
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
enable secret 5 $1$t5vI$wpuC4CmPH8pDO9fhYsp1x.
!
aaa new-model
!
!
aaa authentication login default enable
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login LOCALUSERS local
aaa authorization network sdm_vpn_group_ml_1 local 
!
aaa session-id common
!
resource policy
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.150 192.168.1.254
ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.10.150 192.168.10.254
!
ip dhcp pool CLIENT
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1 
   dns-server 210.23.129.34 61.8.0.113 
   netbios-node-type h-node
!
ip dhcp pool Pool
   import all
   network 192.168.10.0 255.255.255.0
   dns-server 61.8.0.113 210.23.129.34 
   default-router 192.168.10.25 
!
!
ip domain name jda.com.au
ip name-server 61.8.0.113
ip name-server 210.23.129.34
ip ssh authentication-retries 5
ip ssh version 2
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW h323callsigalt
ip inspect name SDM_LOW h323gatestat
ip inspect name SDM_LOW skinny
ip inspect name SDM_LOW sip
ip inspect name SDM_LOW sip-tls
ip inspect name SDM_LOW isakmp
ip inspect name SDM_LOW ipsec-msft
ip inspect name VPN microsoft-ds
ip inspect name VPN ms-cluster-net
ip inspect name VPN ms-dotnetster
ip inspect name VPN ms-sna
ip inspect name VPN ms-sql
ip inspect name VPN ms-sql-m
ip inspect name VPN msexch-routing
ip inspect name VPN netbios-dgm
ip inspect name VPN netbios-ssn
ip inspect name VPN r-winsock
ip inspect name VPN clp
ip inspect name VPN cisco-net-mgmt
ip inspect name VPN cisco-sys
ip inspect name VPN cisco-tna
ip inspect name VPN cisco-fna
ip inspect name VPN cisco-tdp
ip inspect name VPN cisco-svcs
ip inspect name VPN stun
ip inspect name VPN tr-rsrb
ip inspect name VPN exec
ip inspect name VPN telnet
ip inspect name VPN telnets
ip inspect name VPN rtelnet
ip inspect name VPN login
ip inspect name VPN rcmd
ip inspect name VPN ssh
ip inspect name VPN shell
ip inspect name VPN sshell
ip inspect name VPN pcanywheredata
ip inspect name VPN pcanywherestat
ip inspect name VPN x11
ip inspect name VPN xdmcp
!
!
crypto pki trustpoint TP-self-signed-807282283
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-807282283
 revocation-check none
 rsakeypair TP-self-signed-807282283
!
!
crypto pki certificate chain TP-self-signed-807282283
 certificate self-signed 01
  3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 38303732 38323238 33301E17 0D303230 33313530 39333633 
  375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F 
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3830 37323832 
  32383330 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100 
  9819313F E60F14E5 30E08834 807912E5 82D459A8 089106D9 08AB61A1 FA2BBD7C 
  61782251 FA3A9236 9424C0A2 1231B4AC 4E6B01D3 0E150CE7 B460EE5A 94B6C22E 
  10CF050E 76E8AD99 49F3AB0F EDF3C896 25F9FEA6 FB12000F D39061E0 ACD0FB01 
  EB1FCDA1 B2609269 7C902EAB A5C61D69 A8206D0A AD3E6E40 DAB44E64 CEBF17A5 
  02030100 01A37530 73300F06 03551D13 0101FF04 05300301 01FF3020 0603551D 
  11041930 1782154A 44412D52 6F757465 722E6A64 612E636F 6D2E6175 301F0603 
  551D2304 18301680 142DB095 79871311 36F26FFB 82D506DF 504BF605 93301D06 
  03551D0E 04160414 2DB09579 87131136 F26FFB82 D506DF50 4BF60593 300D0609 
  2A864886 F70D0101 04050003 81810088 A897CF69 8F4A4623 CC334F31 C4D7BD80 
  306DC79D 49EAD421 E0D58EB5 D10C164C 3F8D7016 BA54AB9E 70EEE7BC 27426716 
  54EEE929 ABA25658 2553D566 B76EB9F7 8CB0847C B1C96331 36FF69DF A670E01C 
  5458CDC5 FDCCCF56 822A8E07 A139985E 9B09DEF2 F46261EE D3753A18 95746CDE 
  FBC4E1AE 91DF5402 892EADE1 0D7C63
  quit
username ************** privilege 15 password 7 0314580E070E315E48
username ************* privilege 15 password 7 060D073514
!
!
controller DSL 0
 mode atm
 line-term cpe
 line-mode 2-wire line-zero
 dsl-mode shdsl symmetric annex B
 line-rate auto
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 79f5f9f598 address 125.255.97.70
crypto isakmp key 79f5f9f598 address 125.255.97.58
crypto isakmp key 79F5F9F598 address 125.255.97.46
crypto isakmp key 79f5f9f598 address 125.255.97.66
crypto isakmp key 79F5F9F598 address 125.255.98.86
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac 
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Liverpool VPN tunnel
 set peer 125.255.97.70
 set transform-set ESP-3DES-SHA 
 match address 102
crypto map SDM_CMAP_1 2 ipsec-isakmp 
 set peer 125.255.97.58
 set transform-set ESP-3DES-SHA2 
 match address 104
crypto map SDM_CMAP_1 5 ipsec-isakmp 
 set peer 125.255.97.46
 set transform-set ESP-3DES-SHA 
 match address 109
crypto map SDM_CMAP_1 6 ipsec-isakmp 
 set peer 125.255.98.86
 set transform-set ESP-3DES-SHA7 
 match address 111
!
bridge irb
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface ATM0
 description Nextep SHDSL
 no ip address
 atm ilmi-keepalive
 pvc 0/33 
  encapsulation aal5snap
 !
 pvc 1/32 
  encapsulation aal5snap
 !
 bridge-group 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $FW_INSIDE$
 ip address 192.168.10.25 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
!
interface BVI1
 description $FW_OUTSIDE$
 ip address 125.255.97.6 255.255.255.252
 ip access-group 101 in
 ip verify unicast reverse-path
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.10.150 192.168.10.199
ip route 0.0.0.0 0.0.0.0 BVI1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source static tcp 192.168.10.33 4000 interface BVI1 4000
ip nat inside source static tcp 192.168.10.202 3456 interface BVI1 3456
ip nat inside source static tcp 192.168.10.60 3434 interface BVI1 3434
ip nat inside source static tcp 192.168.10.30 4444 interface BVI1 4444
ip nat inside source route-map SDM_RMAP_1 interface BVI1 overload
ip nat inside source static tcp 192.168.10.119 3389 interface BVI1 3389
ip nat inside source static tcp 192.168.10.119 6502 interface BVI1 6502
ip nat inside source static tcp 192.168.10.144 3399 interface BVI1 3399
ip nat inside source static tcp 192.168.10.33 5656 interface BVI1 5656
ip nat inside source static tcp 192.168.10.33 50000 interface BVI1 50000
ip nat inside source static tcp 192.168.10.14 20 125.255.97.6 20 extendable
ip nat inside source static tcp 192.168.10.14 21 125.255.97.6 21 extendable
ip nat inside source static udp 192.168.10.14 69 125.255.97.6 69 extendable
ip nat inside source static tcp 192.168.10.14 3333 125.255.97.6 3333 extendable
ip nat inside source static tcp 192.168.10.251 3390 125.255.97.6 3390 extendable
ip nat inside source static tcp 192.168.10.252 3391 125.255.97.6 3391 extendable
ip nat inside source static tcp 192.168.10.253 3392 125.255.97.6 3392 extendable
!
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 10 permit 61.8.0.68
access-list 10 permit 61.8.0.70
access-list 10 permit 61.8.0.67
access-list 10 permit 125.255.97.5
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 125.255.97.4 0.0.0.3 any
access-list 100 permit tcp any any eq ftp
access-list 100 remark Inbound, Vlan, to deny spoofing
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 remark Inbound, Vlan, deny broadcast local loopback
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 remark Inbound, Vlan, permit all other traffic
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.8.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit udp host 125.255.98.86 host 125.255.97.6 eq non500-isakmp
access-list 101 permit udp host 125.255.98.86 host 125.255.97.6 eq isakmp
access-list 101 permit esp host 125.255.98.86 host 125.255.97.6
access-list 101 permit ahp host 125.255.98.86 host 125.255.97.6
access-list 101 remark IPSec Rule CharlieChans
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 remark CharlieChans VPN
access-list 101 permit udp host 125.255.97.46 host 125.255.97.6 eq non500-isakmp
access-list 101 remark CharlieChans VPN
access-list 101 permit udp host 125.255.97.46 host 125.255.97.6 eq isakmp
access-list 101 remark CharlieChans VPN
access-list 101 permit esp host 125.255.97.46 host 125.255.97.6
access-list 101 remark CharlieChans VPN
access-list 101 permit ahp host 125.255.97.46 host 125.255.97.6
access-list 101 remark IPSec Rule Allawah
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 remark Allawah VPN
access-list 101 permit udp host 125.255.97.58 host 125.255.97.6 eq non500-isakmp
access-list 101 remark Allawah VPN
access-list 101 permit udp host 125.255.97.58 host 125.255.97.6 eq isakmp
access-list 101 remark Allawah VPN
access-list 101 permit esp host 125.255.97.58 host 125.255.97.6
access-list 101 remark Allawah VPN
access-list 101 permit ahp host 125.255.97.58 host 125.255.97.6
access-list 101 remark IPSec Rule Legends
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 remark Legends VPN
access-list 101 permit udp host 125.255.97.70 host 125.255.97.6 eq non500-isakmp
access-list 101 remark Legends VPN
access-list 101 permit udp host 125.255.97.70 host 125.255.97.6 eq isakmp
access-list 101 remark Legends VPN
access-list 101 permit esp host 125.255.97.70 host 125.255.97.6
access-list 101 remark Legends VPN
access-list 101 permit ahp host 125.255.97.70 host 125.255.97.6
access-list 101 remark ServerRDP
access-list 101 permit tcp any host 125.255.97.6 eq 3333
access-list 101 remark JohnRDP
access-list 101 permit tcp any host 125.255.97.6 eq 3390
access-list 101 remark DeanRDP
access-list 101 permit tcp any host 125.255.97.6 eq 3391
access-list 101 remark Abbey RDP
access-list 101 permit tcp any host 125.255.97.6 eq 3392
access-list 101 remark BePOZ server
access-list 101 permit tcp any host 125.255.97.6 eq 3389
access-list 101 remark BePOZ
access-list 101 permit tcp any host 125.255.97.6 eq 6502
access-list 101 remark Terminal server RDP
access-list 101 permit tcp any host 125.255.97.6 eq 4444
access-list 101 remark StaceRDP
access-list 101 permit tcp any host 125.255.97.6 eq 3434
access-list 101 remark DebraRDP
access-list 101 permit tcp any host 125.255.97.6 eq 3456
access-list 101 remark SBS2008RDP
access-list 101 permit tcp any host 125.255.97.6 eq 4000
access-list 101 remark SandraRDP
access-list 101 permit tcp any host 125.255.97.6 eq 3399
access-list 101 remark FileZillaFTP
access-list 101 permit tcp any host 125.255.97.6 eq 5656
access-list 101 remark PING
access-list 101 permit tcp any eq echo any eq echo
access-list 101 remark PING
access-list 101 permit icmp any any
access-list 101 remark FTP
access-list 101 permit tcp any any eq ftp
access-list 101 remark DNS resolution
access-list 101 permit udp any eq domain any eq domain
access-list 101 remark DNS
access-list 101 permit ip host 210.23.129.34 host 125.255.97.6
access-list 101 remark DNS
access-list 101 permit ip host 61.8.0.113 host 125.255.97.6
access-list 101 remark Prevent broadcasts
access-list 101 deny   ip 192.168.10.0 0.0.0.255 any
access-list 101 remark PING
access-list 101 permit icmp any host 125.255.97.6 echo-reply
access-list 101 remark PING
access-list 101 permit icmp any host 125.255.97.6 time-exceeded
access-list 101 remark TFTP
access-list 101 permit udp any eq tftp any eq tftp
access-list 101 permit tcp any host 125.255.97.6 eq 443
access-list 101 permit tcp any host 125.255.97.6 eq 22
access-list 101 permit tcp any host 125.255.97.6 eq cmd
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 101 permit tcp any host 192.168.10.33 range 50000 51000
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.10.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.255.255 any
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 106 remark SDM_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 108 remark SDM_ACL Category=4
access-list 108 remark IPSec Rule
access-list 108 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 109 remark SDM_ACL Category=4
access-list 109 remark IPSec Rule
access-list 109 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 remark SDM_ACL Category=4
access-list 110 remark IPSec Rule
access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 111 remark SDM_ACL Category=4
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.10.0 0.0.0.255 192.168.8.0 0.0.0.255
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 exec-timeout 120 0
 login authentication LOCALUSERS
 no modem enable
 no exec
 transport output ssh
 stopbits 1
line aux 0
 transport output all
line vty 0 4
 access-class 10 in
 exec-timeout 0 0
 privilege level 15
 length 0
 transport input telnet
 transport output all
!
scheduler max-task-time 5000
end

Open in new window

0
ozlocal
Asked:
ozlocal
  • 3
  • 2
1 Solution
 
Kerem ERSOYPresidentCommented:
Hi,

First of all you need to allow ftp data from ant port greater than 1023 to ftp. Then you need NAT to use port50000 nad 51000. In your defintiion it will just allow them wihout NAT. Don2t forget that they are not accessing your internal host they are accessing to your reverse nattted server through your external interface. This is why tour command does not work.
To get it worked you need 3 things:

access-list 100 permit tcp any gt 1023 host x.x.x.x eq ftp    ( x.x.x.x is your public IP)
access-list 100 permit tcp any gt 1023 host x.x.x.x range 50000 51000

Then you need some definitions for your NAT:

ip access-list extended PASSIVEACL
remark Standard FTP Data and Comms
permit tcp any any range 20
remark Passive Ports
permit tcp any any range 50000 51000

And allow this rule by Reverse NAT

ip nat pool PASSIVEFTP 192.168.10.33  192.168.10.33  netmask 255.255.255.0 type rotary
ip nat inside destination list PASSIVEACL pool PASSIVEFTP

Cheers,
K.
0
 
ozlocalAuthor Commented:
Hi KeremE,
I have inputted those commands (I used permit tcp any any range 20 21) as it would not let me have range without 2nd port. Copied running-config to startup and reload > try to connect with client and still get the same error message: 425 Can't open data connection
Regards,
sheproc
0
 
Kerem ERSOYPresidentCommented:
21 is only for Active FTP but it requires the connecitons to other end. you could have used "20 20" instead.

Oopps sorry will you change all my port 20 specifications for all ports with your port of 5656 ?
0
Lessons on Wi-Fi & Recommendations on KRACK

Simplicity and security can be a difficult  balance for any business to tackle. Join us on December 6th for a look at your company's biggest security gap. We will also address the most recent attack, "KRACK" and provide recommendations on how to secure your Wi-Fi network today!

 
ozlocalAuthor Commented:
Hi KeremE,
i have done the changes as suggested above but am still getting same error:

Status:      Connecting to 125.255.97.6:5656...
Status:      Connection established, waiting for welcome message...
Response:      220-FileZilla Server version 0.9.32 beta
Response:      220-written by Tim Kosse (Tim.Kosse@gmx.de)
Response:      220 Please visit http://sourceforge.net/projects/filezilla/
Command:      USER *******
Response:      331 Password required for *******
Command:      PASS *********
Response:      230 Logged on
Status:      Connected
Status:      Retrieving directory listing...
Command:      PWD
Response:      257 "/" is current directory.
Command:      TYPE I
Response:      200 Type set to I
Command:      PASV
Response:      227 Entering Passive Mode (125,255,97,6,195,122)
Command:      MLSD
Response:      425 Can't open data connection.
Error:      Failed to retrieve directory listing
Status:      Disconnected from server
Status:      Connecting to 125.255.97.6:5656...
Status:      Connection established, waiting for welcome message...
Response:      220-FileZilla Server version 0.9.32 beta
Response:      220-written by Tim Kosse (Tim.Kosse@gmx.de)
Response:      220 Please visit http://sourceforge.net/projects/filezilla/
Command:      USER *******
Response:      331 Password required for *******
Command:      PASS *********
Response:      230 Logged on
Status:      Connected
Status:      Retrieving directory listing...
Command:      PWD
Response:      257 "/" is current directory.
Command:      TYPE I
Response:      200 Type set to I
Command:      PASV
Response:      227 Entering Passive Mode (125,255,97,6,195,123)
Command:      MLSD
Response:      425 Can't open data connection.
Error:      Failed to retrieve directory listing

i have attached file of running-config.txt of router in case there are some other commands i need to remove or add to/from the router

Regards,
sheproc
running-config.txt
0
 
Darkstriker69Commented:
You might try configuring an inspection rule for FTP traffic. Although you would have to change you configuration to listen for FTP on the standard RFC ports instead of 5656 (TCP 20 & 21)

I am quoting some text from:

http://www.cisco.com/en/US/docs/routers/access/800/850/software/configuration/guide/firewall.html#wp999748

Configure Inspection Rules:

Perform these steps to configure firewall inspection rules for all TCP and UDP traffic, as well as specific application protocols as defined by the security policy, beginning in global configuration mode:


 ip inspect name inspection-name protocol

Example:

Router(config)# ip inspect name firewall ftp

 

0
 
ozlocalAuthor Commented:
After trying the above posts, i seemed to run into more hassles (namely regular FTP to a second server had stopped, and had been working prior to trying solutions). As a result, i have resorted back to original configuration and am using Robocopy to transfer FTP data between 2 servers. Thank you all who helped with this problem.
Regards,
sheproc
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now