Solved

Open Port 21 on Cisco

Posted on 2010-08-24
515 Views
Last Modified: 2013-11-29
Hello all,
I have the following Cisco configuration and am trying to open port 21.  When I put the access list line:
access-list 102 permit tcp any any eq 21
and then the line under the Int VLAN10:
ip access-group 102 in

then the VPN that I have established breaks.
I do not know how to open up port 21 AND keep the VPN up and going.
Also I took out all of the user id and password items along with the line console and vty stuff:

no ip domain lookup
ip name-server 72.250.183.10
ip name-server 72.250.183.20
!
!

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key gent address 172.26.11.1
!
!
crypto ipsec transform-set gentvpn esp-3des esp-md5-hmac
!
crypto map gentmap local-address FastEthernet4
crypto map gentmap 10 ipsec-isakmp
 set peer 172.26.11.1
 set transform-set gentvpn
 match address 101
!
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
 switchport access vlan 10
 no cdp enable
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 72.250.187.18 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map gentmap
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 192.168.200.99 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 72.250.187.1
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map NAT interface FastEthernet4 overload
!
access-list 101 permit ip 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 109 deny   ip 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 109 permit ip 192.168.200.0 0.0.0.255 any
snmp-server community NMPGGENT RO
no cdp run
!
!
route-map NAT permit 10
 match ip address 109
!
!
control-plane
!
Question by:Kelly_W
7 Comments
 
LVL 22

Expert Comment

by:Matt V
ID: 33515380
You would need to add the access list to the outside interface, and you will want to add permits for all your inbound traffic, since there is an implicit deny any any at the end of every access list.
So you will need to have permits for ipsec, ftp and any other traffic that currently works inbound.
If you want the ftp to go to an internal host you will need an ip nat statement that maps the port on the outside interface to the ip/port of the internal ftp server.
0
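To make the implicit deny Matt V describes concrete, here is an added Python evaluator (example code, not from the thread) for the question's numbered ACLs, run over two constructed LAN flows: one bound for the VPN peer's LAN and one for an outside FTP server. The PC address, the outside FTP address and the ports are assumptions; the ACL lines are copied from the question.

```python
import ipaddress
IMPLICIT_DENY = ("deny", "implicit deny ip any any")  # IOS appends this unwritten final entry
PORT_NAMES = {"ftp": 21, "ssh": 22, "www": 80, "isakmp": 500}

def _addr(tokens, ip):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD (set bits = don't care)."""
    spec = tokens.pop(0)
    if spec == "any":
        return True
    if spec == "host":
        return tokens.pop(0) == ip
    wild = int(ipaddress.ip_address(tokens.pop(0)))
    return (int(ipaddress.ip_address(spec)) | wild) == (int(ipaddress.ip_address(ip)) | wild)

def _port(tokens, port):
    """Consume an optional 'eq PORT' qualifier; other operators are not modelled."""
    if not tokens or tokens[0] != "eq":
        return True
    tokens.pop(0)  # drop 'eq'
    name = tokens.pop(0)
    return port == (PORT_NAMES.get(name) or int(name))

def acl_lookup(acl_lines, number, proto, src, dst, sport=None, dport=None):
    """First-match evaluation of numbered ACL `number`; no match means the implicit deny."""
    for line in acl_lines:
        tokens = line.split()
        if tokens[:2] != ["access-list", str(number)] or tokens[3] not in ("ip", proto):
            continue
        rest = tokens[4:]
        if _addr(rest, src) and _port(rest, sport) and _addr(rest, dst) and _port(rest, dport):
            return tokens[2], line
    return IMPLICIT_DENY
# The ACLs from the question, plus the 102 line the poster added (copied from the thread).
CONFIG = """
access-list 101 permit ip 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 permit tcp any any eq 21
access-list 109 deny   ip 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 109 permit ip 192.168.200.0 0.0.0.255 any
""".strip().splitlines()
# Constructed flows from a LAN PC (assumed addresses): one to the VPN peer's LAN, one to an outside FTP server.
FLOWS = {
    "vpn": dict(proto="tcp", src="192.168.200.10", dst="192.168.10.5", sport=50000, dport=445),
    "ftp": dict(proto="tcp", src="192.168.200.10", dst="203.0.113.7", sport=50001, dport=21),
}

def verdicts():
    """Decision of each ACL for each flow. ACL 102 applied 'in' on Vlan10 drops the VPN-bound flow
    (only tcp/21 is permitted, all else hits the implicit deny); 101 still classes it as crypto-map
    traffic and 109 correctly keeps it out of NAT."""
    return {(n, f): acl_lookup(CONFIG, n, **FLOWS[f])[0] for n in (101, 102, 109) for f in FLOWS}
```

Because ACL 102 has a single permit, every other LAN-originated packet, including the traffic ACL 101 selects for the tunnel, is dropped before it reaches the crypto map; an inbound ACL on Vlan10 would need explicit permits for that traffic as well.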
 
LVL 4

Author Comment

by:Kelly_W
ID: 33515859
Hello,
So in other words, I will want to remove the access-list 102 and leave my 101-109 there for the VPN.
Put in an access-list 111 for the ftp as:
access-list 111 permit tcp any any ftp
access-list 119 deny ip any any

is this right?
Kelly
0
 
LVL 1

Expert Comment

by:namoom
ID: 33516595
Where is the FTP server and who needs to get to it?

I.E.  Internal FTP:  ftp server on 192.168.200.x needs to be accessed by 192.168.10.X
I.E. External FTP: internal hosts need to access external FTP server
I.E. Internal FTP: ftp server on 192.168.x.x needs to be accessed from internet or public IP
0
 
LVL 22

Expert Comment

by:Matt V
ID: 33516620
You need one access list:

(config)# ip access-list extended 111
(config-ext-nacl)#permit tcp any eq 21 host <your internal ftp server ip> eq 21

Add any other incoming ports you want to this list as well such as IPSec for VPN.

And you will also need a static nat mapping for the connection to get to your internal server:

(config)#ip nat inside source static tcp <your internal ftp server ip> 21 interface FastEthernet4 21
0
 
LVL 4

Author Comment

by:Kelly_W
ID: 33516930
Hello,
It is a PC on the internal LAN trying to get to an external ftp server.
Thanks,
Kelly
0
 
LVL 22

Accepted Solution

by:Matt V (earned 500 total points)
ID: 33517296
Then you should not need any access lists.  If you have none applied, all traffic is allowed.


0
 
LVL 4

Author Closing Comment

by:Kelly_W
ID: 33522758
This actually ended up being a PC issue.  Was looking at the wrong items and the Cisco was fine.
0
