Kelly_W
Open Port 21 on Cisco

Hello all,
I have the following Cisco configuration and am trying to open port 21.  When I put the access list line:
access-list 102 permit tcp any any eq 21
and then the line under the Int VLAN10:
ip access-group 102 in

then the VPN that I have established breaks.
I do not know how to open up port 21 AND keep the VPN up and going.
Also I took out all of the user id and password items along with the line console and vty stuff:

no ip domain lookup
ip name-server 72.250.183.10
ip name-server 72.250.183.20
!
!

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key gent address 172.26.11.1
!
!
crypto ipsec transform-set gentvpn esp-3des esp-md5-hmac
!
crypto map gentmap local-address FastEthernet4
crypto map gentmap 10 ipsec-isakmp
 set peer 172.26.11.1
 set transform-set gentvpn
 match address 101
!
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
 switchport access vlan 10
 no cdp enable
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 72.250.187.18 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map gentmap
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 192.168.200.99 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 72.250.187.1
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map NAT interface FastEthernet4 overload
!
access-list 101 permit ip 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 109 deny   ip 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 109 permit ip 192.168.200.0 0.0.0.255 any
snmp-server community NMPGGENT RO
no cdp run
!
!
route-map NAT permit 10
 match ip address 109
!
!
control-plane
!
Matt V

You would need to add the access list to the outside interface, and you will want to add permits for all your inbound traffic, since there is an implicit deny any any at the end of every access list.
So you will need to have permits for ipsec, ftp and any other traffic that currently works inbound.
If you want the ftp to go to an internal host you will need an ip nat statement that maps the port on the outside interface to the ip/port of the internal ftp server.
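A worked version of the outside-interface list Matt V describes, added here as an example and not part of the thread. It reuses the peer, outside address and LAN ranges from the posted config and assumes the PC reaches the external FTP server through the existing PAT, so only return traffic has to be let in (passive-mode data via `established`, active-mode data via the port-20 line); the DNS lines assume LAN hosts use the name servers listed in the config, and no CBAC or zone firewall is assumed.

```cisco
! Inbound list for the outside interface. Anything not listed falls to
! the implicit deny, which is what broke the tunnel when a one-line list
! was applied inbound on Vlan10.
ip access-list extended 111
 remark -- IKE, NAT-T and ESP from the tunnel peer (172.26.11.1 in the posted config)
 permit udp host 172.26.11.1 host 72.250.187.18 eq isakmp
 permit udp host 172.26.11.1 host 72.250.187.18 eq non500-isakmp
 permit esp host 172.26.11.1 host 72.250.187.18
 remark -- classic IOS re-checks the decrypted packet against this list, so the remote LAN needs a permit too
 permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
 remark -- replies to sessions the LAN opened through PAT: FTP control, passive data, web
 permit tcp any host 72.250.187.18 established
 remark -- active-mode FTP data: the server connects back from port 20
 permit tcp any eq ftp-data host 72.250.187.18
 remark -- DNS replies to LAN hosts (assumes they use the configured name servers)
 permit udp host 72.250.183.10 eq domain host 72.250.187.18
 permit udp host 72.250.183.20 eq domain host 72.250.187.18
 remark -- log what the implicit deny would otherwise drop silently
 deny ip any any log
!
interface FastEthernet4
 ip access-group 111 in
!
```

Remove `ip access-group 102 in` from Vlan10 first; afterwards `show access-lists 111` gives per-line hit counts and the logged denies show anything still missing.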
Kelly_W

ASKER

Hello,
So in other words, I will want to remove the access-list 102 and leave my 101-109 there for the VPN.
Put in an access-list 111 for the ftp as:
access-list 111 permit tcp any any ftp
access-list 119 deny ip any any

is this right?
Kelly
Where is the FTP server and who needs to get to it?

I.E.  Internal FTP:  ftp server on 192.168.200.x needs to be accessed by 192.168.10.X
I.E. External FTP: internal hosts need to access external FTP server
I.E. Internal FTP: ftp server on 192.168.x.x needs to be accessed from internet or public IP
You need one access list:

(config)# ip access-list extended 111
(config-ext-nacl)#permit tcp any eq 21 host <your internal ftp server ip> eq 21

Add any other incoming ports you want to this list as well such as IPSec for VPN.

And you will also need a static nat mapping for the connection to get to your internal server:

(config)#ip nat inside source static tcp <your internal ftp server ip> 21 interface FastEthernet4 21
Kelly_W

ASKER

Hello,
It is a PC on the internal LAN trying to get to an external ftp server.
Thanks,
Kelly
ASKER CERTIFIED SOLUTION
Matt V

This solution is only available to members.
Kelly_W

ASKER

This actually ended up being a PC issue.  Was looking at the wrong items and the Cisco was fine.