Solved

Open Port 21 on Cisco

Posted on 2010-08-24
Last Modified: 2013-11-29
Hello all,
I have the following Cisco configuration and am trying to open port 21.  When I put the access list line:
access-list 102 permit tcp any any eq 21
and then the line under the Int VLAN10:
ip access-group 102 in

then the VPN that I have established breaks.
I do not know how to open up port 21 AND keep the VPN up and going.
Also I took out all of the user id and password items along with the line console and vty stuff:

no ip domain lookup
ip name-server 72.250.183.10
ip name-server 72.250.183.20
!
!

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key gent address 172.26.11.1
!
!
crypto ipsec transform-set gentvpn esp-3des esp-md5-hmac
!
crypto map gentmap local-address FastEthernet4
crypto map gentmap 10 ipsec-isakmp
 set peer 172.26.11.1
 set transform-set gentvpn
 match address 101
!
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
 switchport access vlan 10
 no cdp enable
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 72.250.187.18 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map gentmap
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 192.168.200.99 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 72.250.187.1
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map NAT interface FastEthernet4 overload
!
access-list 101 permit ip 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 109 deny   ip 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 109 permit ip 192.168.200.0 0.0.0.255 any
snmp-server community NMPGGENT RO
no cdp run
!
!
route-map NAT permit 10
 match ip address 109
!
!
control-plane
!

Question by:Kelly_W
7 Comments
 
LVL 22

Expert Comment

by:Matt V
ID: 33515380
You would need to add the access list to the outside interface, and you will want to add permits for all your inbound traffic, since there is an implicit deny any any at the end of every access list.
So you will need to have permits for ipsec, ftp and any other traffic that currently works inbound.
If you want the ftp to go to an internal host you will need an ip nat statement that maps the port on the outside interface to the ip/port of the internal ftp server.
0
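To make the implicit-deny point above concrete, here is an added Python evaluator (not from this thread or from Cisco IOS) that parses the numbered access-list lines from Kelly's config and checks constructed sample packets against them. It handles only the numbered "access-list N permit|deny proto src dst [eq PORT]" form shown on this page, with "any", "host" and wildcard-mask addresses; the sample hosts are assumptions.

```python
import ipaddress

def _parse_addr(tokens, i):
    """Consume one Cisco address spec (any | host A | A WILDCARD); return ((net, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2

def _match_addr(spec, addr):
    net, wild = spec
    # Wildcard 1-bits are "don't care": compare only the positions where the wildcard is 0.
    return (net & ~wild) == (int(ipaddress.IPv4Address(addr)) & ~wild)

def parse_acl(lines):
    """Group 'access-list N ...' lines by ACL number, preserving order (order matters in IOS)."""
    acls = {}
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        num, action, proto = t[1], t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        port = None
        if i + 1 < len(t) and t[i] == "eq":
            port = 21 if t[i + 1] == "ftp" else int(t[i + 1])  # 'ftp' is the IOS keyword for 21
        acls.setdefault(num, []).append((action, proto, src, dst, port))
    return acls

def evaluate(entries, proto, src, dst, dport=None):
    """First matching entry wins; a packet that matches nothing hits the implicit deny."""
    for action, p, s, d, port in entries:
        if p != "ip" and p != proto:
            continue
        if not _match_addr(s, src) or not _match_addr(d, dst):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"  # implicit 'deny ip any any' at the end of every Cisco ACL

# The ACLs from the posted config plus the line Kelly added (ACL 102).
ACLS = parse_acl([
    "access-list 101 permit ip 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "access-list 102 permit tcp any any eq 21",
    "access-list 109 deny   ip 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "access-list 109 permit ip 192.168.200.0 0.0.0.255 any",
])

if __name__ == "__main__":
    # Constructed sample: a LAN PC (192.168.200.50) reaching a host on the VPN side (192.168.10.5).
    print("ACL 102, SMB to VPN subnet:", evaluate(ACLS["102"], "tcp", "192.168.200.50", "192.168.10.5", 445))
    print("ACL 102, FTP to Internet:  ", evaluate(ACLS["102"], "tcp", "192.168.200.50", "72.250.183.10", 21))
```

With ACL 102 applied inbound on Vlan10, every LAN packet that is not TCP/21 falls through to the implicit deny, including the traffic ACL 101 marks as interesting for the tunnel, which is why the VPN appeared to break; ACL 109's leading deny only exempts that traffic from NAT.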
 
LVL 4

Author Comment

by:Kelly_W
ID: 33515859
Hello,
So in other words, I will want to remove the access-list 102 and leave my 101-109 there for the VPN.
Put in an access-list 111 for the ftp as:
access-list 111 permit tcp any any ftp
access-list 119 deny ip any any

is this right?
Kelly
0
 
LVL 1

Expert Comment

by:namoom
ID: 33516595
Where is the FTP server and who needs to get to it?

I.E.  Internal FTP:  ftp server on 192.168.200.x needs to be accessed by 192.168.10.X
I.E. External FTP: internal hosts need to access external FTP server
I.E. Internal FTP: ftp server on 192.168.x.x needs to be accessed from internet or public IP
0
 
LVL 22

Expert Comment

by:Matt V
ID: 33516620
You need one access list:

(config)# ip access-list extended 111
(config-ext-nacl)#permit tcp any eq 21 host <your internal ftp server ip> eq 21

Add any other incoming ports you want to this list as well such as IPSec for VPN.

And you will also need a static nat mapping for the connection to get to your internal server:

(config)#ip nat inside source static tcp <your internal ftp server ip> 21 interface FastEthernet4 21
0
 
LVL 4

Author Comment

by:Kelly_W
ID: 33516930
Hello,
It is a PC on the internal LAN trying to get to an external ftp server.
Thanks,
Kelly
0
 
LVL 22

Accepted Solution

by:Matt V (earned 2000 total points)
ID: 33517296
Then you should not need any access lists.  If you have none applied, all traffic is allowed.


0
 
LVL 4

Author Closing Comment

by:Kelly_W
ID: 33522758
This actually ended up being a PC issue.  Was looking at the wrong items and the Cisco was fine.
0
