Open Port 21 on Cisco (Solved)

Posted on 2010-08-24 | 499 Views | Last Modified: 2013-11-29
Hello all,
I have the following Cisco configuration and am trying to open port 21.  When I put the access list line:
access-list 102 permit tcp any any eq 21
and then the line under the Int VLAN10:
ip access-group 102 in

then the VPN that I have established breaks.
I do not know how to open up port 21 AND keep the VPN up and going.
Also I took out all of the user id and password items along with the line console and vty stuff:

no ip domain lookup
ip name-server 72.250.183.10
ip name-server 72.250.183.20
!
!

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key gent address 172.26.11.1
!
!
crypto ipsec transform-set gentvpn esp-3des esp-md5-hmac
!
crypto map gentmap local-address FastEthernet4
crypto map gentmap 10 ipsec-isakmp
 set peer 172.26.11.1
 set transform-set gentvpn
 match address 101
!
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
 switchport access vlan 10
 no cdp enable
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 72.250.187.18 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map gentmap
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 192.168.200.99 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 72.250.187.1
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map NAT interface FastEthernet4 overload
!
access-list 101 permit ip 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 109 deny   ip 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 109 permit ip 192.168.200.0 0.0.0.255 any
snmp-server community NMPGGENT RO
no cdp run
!
!
route-map NAT permit 10
 match ip address 109
!
!
control-plane
!
Question by: Kelly_W

7 Comments

Expert Comment by Matt V (LVL 22), ID: 33515380
You would need to add the access list to the outside interface, and you will want to add permits for all your inbound traffic, since there is an implicit deny any any at the end of every access list.
So you will need to have permits for ipsec, ftp and any other traffic that currently works inbound.
If you want the ftp to go to an internal host you will need an ip nat statement that maps the port on the outside interface to the ip/port of the internal ftp server.
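The implicit deny Matt describes is the reason the question's ACL 102 breaks the tunnel: applied inbound on Vlan10 it permits only TCP/21 from LAN hosts, so packets for the 192.168.10.0/24 site that ACL 101 would select for encryption are dropped before they ever reach the crypto map on FastEthernet4. The Python evaluator below is an added example (not code from this thread or from Cisco) that models IOS extended-ACL matching, first match wins with a trailing implicit deny, and runs the question's own `access-list 102` and `access-list 109` lines against constructed sample packets. The corrected list `ACL_FIXED`, its number 112, and the sample addresses are assumptions for illustration.

```python
"""Cisco-style extended ACL evaluator (added example, not from the thread).

Models the implicit 'deny ip any any' that ends every IOS access list and
shows why 'access-list 102 permit tcp any any eq 21' applied inbound on
Vlan10 stops LAN traffic bound for the VPN subnet before it can be encrypted.
"""
import ipaddress
from dataclasses import dataclass

# Minimal IOS port-name table; enough for the lines on this page.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "www": 80, "isakmp": 500}


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (matcher, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return (lambda a: True), i + 1
    if tok == "host":
        host = ipaddress.IPv4Address(tokens[i + 1])
        return (lambda a: a == host), i + 2
    net = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    # Cisco wildcard mask: 1 bits are "don't care", so compare only the 0 bits.
    return (lambda a: (int(a) | wildcard) == (net | wildcard)), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq PORT' qualifier; return (port_or_None, next_index)."""
    if i < len(tokens) and tokens[i] == "eq":
        tok = tokens[i + 1]
        return (int(tok) if tok.isdigit() else PORT_NAMES[tok]), i + 2
    return None, i


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' into (action, matcher)."""
    tokens = line.split()
    assert tokens[0] == "access-list", line
    action, proto = tokens[2], tokens[3]
    src, i = _parse_addr(tokens, 4)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)

    def matches(pkt):
        if proto != "ip" and pkt.proto != proto:
            return False
        if not src(ipaddress.IPv4Address(pkt.src)):
            return False
        if not dst(ipaddress.IPv4Address(pkt.dst)):
            return False
        if sport is not None and pkt.sport != sport:
            return False
        if dport is not None and pkt.dport != dport:
            return False
        return True

    return action, matches


def evaluate(acl_lines, pkt):
    """First matching entry decides; no match falls through to the implicit deny."""
    for line in acl_lines:
        action, matches = parse_ace(line)
        if matches(pkt):
            return action
    return "deny"   # implicit 'deny ip any any' at the end of every IOS ACL


# ACL 102 exactly as the question applied it inbound on Vlan10.
ACL_102 = ["access-list 102 permit tcp any any eq 21"]

# ACL 109 from the question's config: the NAT route-map uses it to exempt
# VPN traffic from translation.
ACL_109 = [
    "access-list 109 deny   ip 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "access-list 109 permit ip 192.168.200.0 0.0.0.255 any",
]

# Assumed corrected list (number 112 is a placeholder): permit the VPN's
# interesting traffic (the flow ACL 101 selects for encryption) as well as FTP.
ACL_FIXED = [
    "access-list 112 permit ip 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "access-list 112 permit tcp any any eq ftp",
]

# Constructed sample packets entering Vlan10 from the LAN.
FTP_TO_INTERNET = Packet("tcp", "192.168.200.50", "203.0.113.7", sport=51000, dport=21)
SMB_TO_VPN_SITE = Packet("tcp", "192.168.200.50", "192.168.10.20", sport=51001, dport=445)
PING_TO_VPN_SITE = Packet("icmp", "192.168.200.50", "192.168.10.20")


def summary():
    """Return the verdict of each list for each sample packet."""
    samples = {"ftp_internet": FTP_TO_INTERNET,
               "smb_vpn": SMB_TO_VPN_SITE,
               "ping_vpn": PING_TO_VPN_SITE}
    return {name: {k: evaluate(acl, p) for k, p in samples.items()}
            for name, acl in (("acl102", ACL_102), ("acl109", ACL_109), ("fixed", ACL_FIXED))}


if __name__ == "__main__":
    for acl, verdicts in summary().items():
        print(acl, verdicts)
```

Running it shows ACL 102 permitting the FTP session to the internet but denying every packet for 192.168.10.0/24, which is exactly the traffic the crypto map needs to see; the assumed corrected list permits both, and ACL 109 shows the opposite pattern because its job is to keep VPN traffic out of NAT, not to filter it.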

Author Comment by Kelly_W (LVL 4), ID: 33515859
Hello,
So in other words, I will want to remove the access-list 102 and leave my 101-109 there for the VPN.
Put in an access-list 111 for the ftp as:
access-list 111 permit tcp any any ftp
access-list 119 deny ip any any

is this right?
Kelly

Expert Comment by namoom (LVL 1), ID: 33516595
Where is the FTP server and who needs to get to it?

I.E.  Internal FTP:  ftp server on 192.168.200.x needs to be accessed by 192.168.10.X
I.E. External FTP: internal hosts need to access external FTP server
I.E. Internal FTP: ftp server on 192.168.x.x needs to be accessed from internet or public IP

Expert Comment by Matt V (LVL 22), ID: 33516620
You need one access list:

(config)# ip access-list extended 111
(config-ext-nacl)#permit tcp any eq 21 host <your internal ftp server ip> eq 21

Add any other incoming ports you want to this list as well such as IPSec for VPN.

And you will also need a static nat mapping for the connection to get to your internal server:

(config)#ip nat inside source static tcp <your internal ftp server ip> 21 interface FastEthernet4 21

Author Comment by Kelly_W (LVL 4), ID: 33516930
Hello,
It is a PC on the internal LAN trying to get to an external ftp server.
Thanks,
Kelly

Accepted Solution by Matt V (LVL 22), earned 500 total points, ID: 33517296
Then you should not need any access lists.  If you have none applied, all traffic is allowed.

Author Closing Comment by Kelly_W (LVL 4), ID: 33522758
This actually ended up being a PC issue.  Was looking at the wrong items and the Cisco was fine.