Solved

Cisco 877W and FTP server

Posted on 2011-09-18
Last Modified: 2012-05-12
I can't access the FTP server from outside (its ports are 20, 221, 55536-55544) on the NAS Synology CS407e. I used FileZilla and CoreFTP.
The ISP gives a dynamic IP, and a DynDNS client is set up on the NAS. The local IP address of the NAS is 192.168.1.63.
Ports are forwarded and ACLs are set up (I think). I can ping the global hostname mznas.dyndns.org from the PC with 192.168.1.2, but not from the router. When I put mznas.dyndns.org into the browser, it leads me to the router web interface (CP Express).
Config as below:
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash c870-advipservicesk9-mz.150-1.M7.bin
boot-end-marker
!
logging buffered 51200 informational
!
no aaa new-model
!
!
!
clock timezone MSK 3
clock summer-time MSK recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint tti
 revocation-check crl
 rsakeypair tti
!
crypto pki trustpoint TP-self-signed-<skip>
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-<skip>
 revocation-check none
 rsakeypair TP-self-signed-<skip>
!
!
crypto pki certificate chain tti
crypto pki certificate chain TP-self-signed-<skip>
 certificate self-signed 01
<skip>
        quit
dot11 syslog
!
dot11 ssid 877W
 authentication open
 authentication key-management wpa
 guest-mode
 wpa-psk ascii 7 <skip>
!
ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.2
ip dhcp excluded-address 192.168.1.3
ip dhcp excluded-address 192.168.1.4
ip dhcp excluded-address 192.168.1.5
ip dhcp excluded-address 192.168.1.6
ip dhcp excluded-address 192.168.1.7
ip dhcp excluded-address 192.168.1.8
ip dhcp excluded-address 192.168.1.9
ip dhcp excluded-address 192.168.1.63
ip dhcp excluded-address 192.168.1.100
!
ip dhcp pool 877W
   network 192.168.1.0 255.255.255.0
   dns-server 156.154.70.22 156.154.71.22
   default-router 192.168.1.1
!
!
ip cef
ip domain name mtu.ru
ip name-server 156.154.70.22
ip name-server 156.154.71.22
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 tcp router-traffic
ip inspect name DEFAULT100 udp router-traffic
ip inspect name DEFAULT100 icmp router-traffic
!
no ip igmp snooping
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username Mike privilege 15 secret 5 <skip>
!
!
!
!
!
!
bridge irb
!
!
!
interface ATM0
 description WAN
 no ip address
 no atm ilmi-keepalive
 !
!
interface ATM0.1 point-to-point
 description Stream Internet
 pvc 1/50
  pppoe-client dial-pool-number 1
 !
!
interface ATM0.2 point-to-point
 description VoD
 bridge-group 2
 bridge-group 2 spanning-disabled
 pvc 1/91
  encapsulation aal5snap
 !
!
interface ATM0.3 point-to-point
 description TV
 bridge-group 2
 bridge-group 2 spanning-disabled
 pvc 1/92
  encapsulation aal5snap
 !
!
interface FastEthernet0
 description 2Switch
 spanning-tree portfast
 !
!
interface FastEthernet1
 description Amino
 switchport access vlan 2
 no keepalive
 spanning-tree portfast
 !
!
interface FastEthernet2
 description 2MikePC
 switchport access vlan 2
 spanning-tree portfast
 !
!
interface FastEthernet3
 description 2EugenePC
 switchport access vlan 2
 spanning-tree portfast
 !
!
interface Dot11Radio0
 description WiFi Access Point
 no ip address
 !
 encryption mode ciphers tkip
 !
 ssid 877W
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 world-mode dot11d country RU both
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 !
!
interface Vlan1
 description description Ethernet&WiFi
 no ip address
 bridge-group 1
 !
!
interface Vlan2
 description TV
 no ip address
 bridge-group 2
 bridge-group 2 spanning-disabled
 !
!
interface Dialer0
 ip address negotiated
 ip access-group 101 in
 ip mtu 1492
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly max-reassemblies 128
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname <skip>@mtu
 ppp chap password 7 <skip>
 no cdp enable
 !
!
interface BVI1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 !
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-top-talkers
 top 5
 sort-by bytes
 cache-timeout 3600
!
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.2 57649 interface Dialer0 57649
ip nat inside source static udp 192.168.1.2 57649 interface Dialer0 57649
ip nat inside source static tcp 192.168.1.63 20 interface Dialer0 20
ip nat inside source static tcp 192.168.1.63 221 interface Dialer0 221
ip nat inside source static tcp 192.168.1.63 55536 interface Dialer0 55536
ip nat inside source static tcp 192.168.1.63 55537 interface Dialer0 55537
ip nat inside source static tcp 192.168.1.63 55538 interface Dialer0 55538
ip nat inside source static tcp 192.168.1.63 55539 interface Dialer0 55539
ip nat inside source static tcp 192.168.1.63 55540 interface Dialer0 55540
ip nat inside source static tcp 192.168.1.63 55541 interface Dialer0 55541
ip nat inside source static tcp 192.168.1.63 55542 interface Dialer0 55542
ip nat inside source static tcp 192.168.1.63 55543 interface Dialer0 55543
ip nat inside source static tcp 192.168.1.63 55544 interface Dialer0 55544
ip route 0.0.0.0 0.0.0.0 Dialer0
!
kron occurrence TIME in 2:0 recurring
!
kron policy-list TIME
 cli ntp server nist.time.gov source di0
!
logging 192.168.1.2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=17
access-list 100 remark Auto generated by SDM for NTP (123) time.nist.gov
access-list 100 permit udp host 192.43.244.18 eq ntp host 192.168.1.1 eq ntp
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 permit ip any any
access-list 100 permit icmp any any
access-list 101 remark CCP_ACL Category=17
access-list 101 remark Auto generated by SDM for NTP (123) time.nist.gov
access-list 101 permit udp host 192.43.244.18 eq ntp any eq ntp
access-list 101 permit udp host 156.154.70.22 eq domain any
access-list 101 permit udp host 156.154.71.22 eq domain any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp any any eq 57649
access-list 101 permit udp any any eq 57649
access-list 101 permit tcp any any eq 20
access-list 101 permit tcp any any eq 221
access-list 101 permit tcp any any eq 55536
access-list 101 permit tcp any any eq 55537
access-list 101 permit tcp any any eq 55538
access-list 101 permit tcp any any eq 55539
access-list 101 permit tcp any any eq 55540
access-list 101 permit tcp any any eq 55541
access-list 101 permit tcp any any eq 55542
access-list 101 permit tcp any any eq 55543
access-list 101 permit tcp any any eq 55544
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
dialer-list 1 protocol ip permit
!
!
!
!
! Read-write SNMP with the well-known community "public": any LAN host that
! knows it can rewrite the running config. ACL 101 keeps UDP/161 off the WAN side only.
snmp-server community public RW
snmp-server host 192.168.1.2 <skip>
!
control-plane
 !
!
bridge 1 protocol ieee
bridge 1 route ip
banner login Cisco 877W access router ready

!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 login local
 length 0
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17175037
ntp server 192.43.244.18 prefer
end

Question by:MiZN

9 Comments

LVL 12

Expert Comment

by:Steve
I think you'll find you've made a mistake.

FTP uses TCP ports 20 and 21, not 221. Change it to 21 and try again.

20       TCP             FTP—data transfer
21       TCP             FTP—control (command)

Author Comment

by:MiZN
Port 21 is blocked by the ISP. And using port 221 I can reach the FTP server from the local network (under the router).

LVL 12

Expert Comment

by:Steve
OK, so you've changed the FTP port 21 to 221 on the NAS as well? If not (and honestly I'd recommend not), I'd leave the NAS with the standard FTP ports 20 and 21 and then change your NAT statement to be:

ip nat inside source static tcp 192.168.1.63 21 interface Dialer0 221

Then your external FTP client would need 221 instead of 21, and the router would do the translation.

So, onwards. The first thing to do is to remove the ACLs and test to see what is blocking the access.

So do one of these at a time and test:

!
interface Dialer0
 no ip access-group 101 in
!
Test; if no change, put it back on with:
!
interface Dialer0
 ip access-group 101 in
!

Then move to the next one:

!
interface Dialer0
 no ip inspect DEFAULT100 out
!
interface BVI1
 no ip access-group 100 in
!
With them all off it should work if your 221 stuff is working. Then you need to work out which one is stopping it.

Personally I think it'll be:

ip inspect name DEFAULT100 ftp

as you've changed the default ports, but testing the above will prove it.
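
The checks behind Steve's advice, as an added example that is not code from the original posts: a small Python script that (a) parses the static NAT and ACL 101 lines copied from the posted config and reports any port forwarded but not permitted inbound, or permitted but not forwarded (it keeps both inside and outside ports, so Steve's port-translating variant with inside 21 exposed as outside 221 is handled too), and (b) decodes an FTP 227 PASV reply the way an external client does and flags the two things that break passive FTP behind this router: the server advertising its private LAN address, and a data port outside the forwarded 55536-55544 range. The PASV replies are constructed samples and 203.0.113.10 is a placeholder for the DynDNS address. Two caveats a practitioner would want here: the IOS NAT FTP ALG and CBAC "ip inspect ... ftp" only watch TCP/21 by default, so once the control channel is moved to 221 nothing on the router rewrites the address in the PASV reply (the standard IOS commands "ip nat service list <acl> ftp tcp port 221" and "ip port-map ftp port 221" extend them to the new port); and testing from the LAN against the public hostname, as the poster first did, needs NAT hairpinning, which this config does not provide, so the test has to be run from outside.

```python
"""Cross-check the 877W's static NAT entries against ACL 101 and sanity-check an
FTP PASV reply as an external client sees it. Added example, not from the thread."""
import re
from ipaddress import ip_address

# Copied verbatim from the running-config posted in the question.
POSTED_CONFIG = """
ip nat inside source static tcp 192.168.1.2 57649 interface Dialer0 57649
ip nat inside source static udp 192.168.1.2 57649 interface Dialer0 57649
ip nat inside source static tcp 192.168.1.63 20 interface Dialer0 20
ip nat inside source static tcp 192.168.1.63 221 interface Dialer0 221
ip nat inside source static tcp 192.168.1.63 55536 interface Dialer0 55536
ip nat inside source static tcp 192.168.1.63 55537 interface Dialer0 55537
ip nat inside source static tcp 192.168.1.63 55538 interface Dialer0 55538
ip nat inside source static tcp 192.168.1.63 55539 interface Dialer0 55539
ip nat inside source static tcp 192.168.1.63 55540 interface Dialer0 55540
ip nat inside source static tcp 192.168.1.63 55541 interface Dialer0 55541
ip nat inside source static tcp 192.168.1.63 55542 interface Dialer0 55542
ip nat inside source static tcp 192.168.1.63 55543 interface Dialer0 55543
ip nat inside source static tcp 192.168.1.63 55544 interface Dialer0 55544
access-list 101 permit tcp any any eq 57649
access-list 101 permit udp any any eq 57649
access-list 101 permit tcp any any eq 20
access-list 101 permit tcp any any eq 221
access-list 101 permit tcp any any eq 55536
access-list 101 permit tcp any any eq 55537
access-list 101 permit tcp any any eq 55538
access-list 101 permit tcp any any eq 55539
access-list 101 permit tcp any any eq 55540
access-list 101 permit tcp any any eq 55541
access-list 101 permit tcp any any eq 55542
access-list 101 permit tcp any any eq 55543
access-list 101 permit tcp any any eq 55544
access-list 101 deny   ip any any
"""

NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface \S+ (\d+)$")
ACL_RE = re.compile(r"^access-list (\d+) permit (tcp|udp) any any eq (\d+)$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_static_nat(config):
    """(proto, outside_port) -> (inside_ip, inside_port). The two ports differ when
    the router translates ports, e.g. inside 21 exposed as outside 221."""
    nat = {}
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            proto, inside_ip, inside_port, outside_port = m.groups()
            nat[(proto, int(outside_port))] = (inside_ip, int(inside_port))
    return nat


def parse_acl_permits(config, acl_number):
    """(proto, port) pairs the numbered ACL permits from any source to any host."""
    permits = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_number:
            permits.add((m.group(2), int(m.group(3))))
    return permits


def forwarding_gaps(nat, permits):
    """Ports forwarded but not permitted inbound, and permitted but not forwarded."""
    forwarded = set(nat)
    return sorted(forwarded - permits), sorted(permits - forwarded)


def parse_pasv(reply):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port)."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    g = m.groups()
    return ".".join(g[:4]), int(g[4]) * 256 + int(g[5])


def check_pasv(reply, nat, public_ip):
    """What an external client would run into when following the PASV reply.
    Nothing on the router rewrites the reply on port 221 (the FTP ALG and CBAC
    inspection default to TCP/21), so the server itself must advertise public_ip."""
    ip, port = parse_pasv(reply)
    findings = []
    if ip != public_ip:
        kind = "private" if ip_address(ip).is_private else "unexpected"
        findings.append("PASV advertises %s address %s instead of %s" % (kind, ip, public_ip))
    if ("tcp", port) not in nat:
        findings.append("data port %d is not forwarded (no static NAT entry)" % port)
    return findings


if __name__ == "__main__":
    nat = parse_static_nat(POSTED_CONFIG)
    permits = parse_acl_permits(POSTED_CONFIG, "101")
    print("forwarded-not-permitted / permitted-not-forwarded:", forwarding_gaps(nat, permits))
    # Constructed replies; 203.0.113.10 is a placeholder for the DynDNS address.
    for reply in ("227 Entering Passive Mode (192,168,1,63,216,240)",
                  "227 Entering Passive Mode (203,0,113,10,216,249)"):
        print(reply, "->", check_pasv(reply, nat, "203.0.113.10") or ["ok"])
```

For the posted config the NAT and ACL sets line up exactly, which matches the outcome of the thread: the forwarding was right and the failure was the test being run from inside the LAN. The inbound forward of TCP/20 is harmless but unused: in passive mode the data connection goes to the advertised port, and in active mode the NAS opens the data connection outbound, which the overload NAT rule already handles.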

Author Comment

by:MiZN
Thanks.
1. I changed port 21 to 221 on NAS also
2.
 !
interface Dialer0
 no ip access-group 101 in
!
doesn't help
3.
!
interface Dialer0
no  ip inspect DEFAULT100 out
!
interface BVI1
no ip access-group 100 in
!
doesn't help either

Author Comment

by:MiZN
Why doesn't the router ping the global address of the NAS given by DynDNS, while the PC does? Maybe the reason is here?

LVL 12

Expert Comment

by:Steve
Which port is it plugged into?

Why are you running vlan2?

0
 

Author Comment

by:MiZN
Comment Utility
fe0 for the Internet; fe1, 2, 3 for IPTV (one for the TV, 2 and 3 for TV on the PCs).
vlan2 is the LAN for TV.

Author Comment

by:MiZN
It works! Earlier I tried to connect to the FTP server using name1.dyndns.org from the LOCAL network, without success. Now I have connected to the FTP server from the Internet. The config is as above.

But another question remains. I use DynDNS clients on the NAS (name1.dyndns.org) and on a local PC (name2.dyndns.org). But I'd like to use the built-in DynDNS feature of IOS on the Cisco 877W. Can anybody advise?

LVL 12

Accepted Solution

by:
Steve earned 500 total points
You'll have to open another question for that one.
