Harold🇺🇸

FTP EPSV and PASV Cisco 851 to Private server
We have a Cisco 851 and an FTP server behind it. Connections to FTP are working except for one client which is trying to connect via EPSV mode. I don't know why they are not using PASV(BTP).

We have the old FTP server with a public IP and the new one with a private IP. All connection attempts going through the 851 to the private IP via EPSV mode fail, but all going to the public FTP server via EPSV connect OK, and I don't know why.

Our initial config is NATing to the private IP and all clients work but this one. I have tried this config with no luck.
I applied this ACL 102 to the outside interface, coming in (if I am wording this right).

ip nat inside source static tcp 192.168.1.25 21 interface FastEthernet4 21
!
logging trap debugging
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit tcp host 216.99.113.nnn host 192.168.1.25 eq ftp log
access-list 102 permit tcp host 216.99.113.nnn host 192.168.1.25 eq ftp-data log
access-list 102 permit tcp host 216.99.113.nnn host 192.168.1.25 gt 5000 log
access-list 102 permit ip any any

The 216.99.113 subnet is the public side and 192.168.1.25 is the FTP server.

When I sh access-list after this is applied, there are NO matches. So this tells me my ACL is wrong.


ArneLovius🇬🇧

instead of

access-list 102 permit tcp host 216.99.113.nnn host 192.168.1.25 eq ftp log

try

access-list 102 permit tcp any host 216.99.113.nnn eq ftp log

Do you have the FTP inspect?

ip inspect name ios-inspect ftp
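An added example, not from the thread or from Cisco, modelling why the original ACL 102 showed no matches. On IOS a packet arriving on the outside interface is checked against the inbound ACL before the outside-to-inside NAT translation, so the ACL sees the public (global) destination address, not 192.168.1.25. The router's public address is masked as 216.99.113.nnn in the thread, so 203.0.113.10 is used as an assumed stand-in, 198.51.100.7 is an assumed remote client, and the source is widened to `any` as in the suggestion above. It is written in Python rather than IOS so it can actually be run.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Stand-ins (assumed): the thread masks the router's public address as 216.99.113.nnn,
# so a documentation-range address is used here instead.
PUBLIC = "203.0.113.10"
SERVER = "192.168.1.25"

# ip nat inside source static tcp 192.168.1.25 21 interface FastEthernet4 21
STATIC_NAT = {(PUBLIC, 21): (SERVER, 21)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class AclEntry:
    """One line of an IOS extended ACL; src/dst are 'any' or a CIDR ('/32' for host)."""
    action: str
    proto: str
    src: str
    dst: str
    op: Optional[str] = None    # 'eq' or 'gt' on the destination port, as in the thread's ACL
    port: Optional[int] = None
    hits: int = 0               # what 'show access-list' reports as '(N matches)'


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_matches(entry: AclEntry, dport: int) -> bool:
    if entry.op is None:
        return True
    if entry.op == "eq":
        return dport == entry.port
    if entry.op == "gt":
        return dport > entry.port
    raise ValueError(f"unsupported operator {entry.op}")


def evaluate_acl(acl: list, pkt: Packet) -> str:
    """First matching line wins; an unmatched packet hits the implicit deny at the end."""
    for entry in acl:
        if entry.proto not in ("ip", pkt.proto):
            continue
        if (_addr_matches(entry.src, pkt.src) and _addr_matches(entry.dst, pkt.dst)
                and _port_matches(entry, pkt.dport)):
            entry.hits += 1
            return entry.action
    return "deny"


def inbound_on_outside(acl: list, pkt: Packet):
    """Outside-to-inside order of operations on IOS: input ACL first, then NAT.
    The ACL therefore sees the packet with its public (global) destination."""
    verdict = evaluate_acl(acl, pkt)
    if verdict != "permit":
        return verdict, pkt
    inside = STATIC_NAT.get((pkt.dst, pkt.dport))
    if inside is not None:
        pkt = Packet(pkt.src, inside[0], inside[1], pkt.proto)
    return verdict, pkt


def acl_102(dst: str) -> list:
    """ACL 102 from the thread with the destination parameterised and the source widened to 'any'."""
    return [
        AclEntry("permit", "tcp", "any", f"{dst}/32", "eq", 21),     # ftp
        AclEntry("permit", "tcp", "any", f"{dst}/32", "eq", 20),     # ftp-data
        AclEntry("permit", "tcp", "any", f"{dst}/32", "gt", 5000),
        AclEntry("permit", "ip", "any", "any"),
    ]


def run(dst_in_acl: str, pkt: Packet):
    """Returns the verdict, the packet after NAT, and the per-line hit counters."""
    acl = acl_102(dst_in_acl)
    verdict, after = inbound_on_outside(acl, pkt)
    return verdict, after, [e.hits for e in acl]


if __name__ == "__main__":
    client_syn = Packet("198.51.100.7", PUBLIC, 21)   # constructed: a client opening the control connection
    print("ACL names private address:", run(SERVER, client_syn))   # permitted only by 'permit ip any any'
    print("ACL names public address: ", run(PUBLIC, client_syn))   # matches the 'eq ftp' line
    print("data port, public ACL:    ", run(PUBLIC, Packet("198.51.100.7", PUBLIC, 8632)))
```

The third call shows the second half of the problem: a SYN to a high data port is permitted by the `gt 5000` line, but nothing in the static NAT table translates it to the server, so without something that learns the port from the control channel it goes nowhere.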

Harold🇺🇸

ASKER

I have read a little on ip inspect and it looks to be a little like an ACL. When I make the changes to my ACL 102, then create the inspect, I would apply this outbound, correct? I figured that since my ACL 102 is controlling inbound.

ArneLovius🇬🇧

Apologies, the above inspect line goes in global config, then on the external interface add

ip inspect ios-inspect in


Harold🇺🇸

ASKER

ArneLovius: thank you for your help.

I wanted to ask, from some configs I have seen with inspect and FTP/EPSV, they had applied some in and others out. In my situation, when the EPSV connection tries it fails, but PASV will connect, so does this apply the same?

I am thinking, my remote connections are making it in but something goes wrong on the way out.

I can call it whatever I like, correct, where you have ios-inspect?
ip inspect name FTP-inspect in

Sorry for so many questions, but this is a live box.

ArneLovius🇬🇧

I would use a generic name just in case you add any other inspect rules.

Harold🇺🇸

ASKER

Ok, I will try this tomorrow, as people are still working now. I will follow up, after I test. Other than testing an FTP connection, are there other means to verify correct configuration, like logs?


Harold🇺🇸

ASKER

Neither application worked and nothing is being logged to ftp-data......

10 permit tcp any host 216.99.113.nnn eq ftp log (28 matches)
20 permit tcp any host 216.99.113.nnn eq ftp-data log
30 permit tcp any host 216.99.113.nnn gt 5000 log (445 matches)

inspect in

* Connect data stream passively
< 229 Entering Extended Passive Mode (|||4012|).
*   Trying 216.99.113.nnn... * Connection refused
* couldn't connect to host
* got positive EPSV response, but can't connect. Disabling EPSV
> PASV
< 227 Entering Passive Mode (216,99,113,250,38,45).
*   Trying 216.99.113.nnn... * connected

inspect out

* Entry path is '/'
> EPSV
* Connect data stream passively
< 229 Entering Extended Passive Mode (|||8632|).
*   Trying 216.99.113.nnn... * Connection refused
* couldn't connect to host
* got positive EPSV response, but can't connect. Disabling EPSV
> PASV
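The curl trace above shows the protocol-level difference that matters for a NAT device: the 227 reply to PASV names both the address and the port (RFC 959), while the 229 reply to EPSV carries only the port (RFC 2428) and the client connects to whatever address the control connection went to. A device that rewrites 227 replies has nothing to rewrite in a 229, and a stateful firewall only opens the EPSV data port if it parses the 229. The following is an added example, not part of the thread; it parses both reply formats, performs the 227 rewrite an FTP ALG does, and derives the data-channel pinholes a firewall would need. The sample replies and the 203.0.113.10 / 192.168.1.25 addresses are constructed.

```python
import re

# RFC 959 227 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# RFC 2428 229 reply: "229 Entering Extended Passive Mode (|||port|)."; only the port is given.
EPSV_RE = re.compile(r"^229\b.*?\(([^)]*)\)")


def parse_pasv(reply: str):
    """Address and port advertised in a 227 reply; the port is p1*256 + p2."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError(f"not a well-formed 227 reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_epsv(reply: str, control_peer: str):
    """Port advertised in a 229 reply. The address is NOT in the reply: the client
    reuses the address it reached the control connection on (control_peer)."""
    m = EPSV_RE.match(reply)
    if not m:
        raise ValueError(f"not a well-formed 229 reply: {reply!r}")
    body = m.group(1)          # e.g. "|||4012|"
    if not body:
        raise ValueError("empty EPSV response")
    d = body[0]                # the delimiter character, normally '|'
    fields = body.split(d)
    # RFC 2428 form is <d><d><d><port><d>: three empty fields, the port, one trailing empty field
    if len(fields) != 5 or any(fields[i] for i in (0, 1, 2, 4)) or not fields[3].isdigit():
        raise ValueError(f"malformed EPSV response: {body!r}")
    port = int(fields[3])
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return control_peer, port


def data_endpoint(reply: str, control_peer: str) -> dict:
    """Where the client will open the data connection, and whether the reply itself carried an address."""
    if reply.startswith("227"):
        ip, port = parse_pasv(reply)
        return {"ip": ip, "port": port, "addr_in_reply": True}
    if reply.startswith("229"):
        ip, port = parse_epsv(reply, control_peer)
        return {"ip": ip, "port": port, "addr_in_reply": False}
    raise ValueError(f"not a passive-mode reply: {reply!r}")


def rewrite_pasv_for_nat(reply: str, inside_ip: str, outside_ip: str) -> str:
    """What an FTP ALG does to a 227 that names the server's private address: swap in the public one.
    A 229 reply has no address to rewrite, so this deliberately handles 227 only."""
    ip, port = parse_pasv(reply)
    if ip != inside_ip:
        return reply
    new = ",".join(outside_ip.split(".") + [str(port // 256), str(port % 256)])
    return re.sub(r"\([\d,]+\)", f"({new})", reply, count=1)


def pinholes(replies, control_peer: str):
    """Data-channel (ip, port) pairs a stateful firewall must open for one session, learned from
    the control-channel replies it saw. Both formats have to be parsed: a device that only
    understands 227 never opens the port announced in a 229."""
    return sorted({(ep["ip"], ep["port"]) for ep in (data_endpoint(r, control_peer) for r in replies)})


if __name__ == "__main__":
    # Constructed sample replies (documentation addresses, not the thread's real ones)
    PUBLIC, SERVER = "203.0.113.10", "192.168.1.25"
    epsv = "229 Entering Extended Passive Mode (|||4012|)."
    pasv = "227 Entering Passive Mode (192,168,1,25,38,45)."
    print(data_endpoint(epsv, PUBLIC))          # address comes from the control connection
    print(data_endpoint(pasv, PUBLIC))          # address comes from the reply (private, pre-NAT)
    print(rewrite_pasv_for_nat(pasv, SERVER, PUBLIC))
    print(pinholes([epsv, pasv], PUBLIC))
```

Note that the 227 case is the one a static NAT on port 21 alone cannot handle without an ALG (the private address would leak to the client), whereas the 229 case is fine address-wise and fails only if nothing opens and translates the announced port.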

ArneLovius🇬🇧

Can you post the output from "show ver" on the router?

Harold🇺🇸

ASKER

R1#sh ver
Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(4)T7, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 29-Nov-06 00:37 by kellythw

ROM: System Bootstrap, Version 12.3(8r)YI3, RELEASE SOFTWARE

wtcox uptime is 2 days, 14 hours, 25 minutes
System returned to ROM by Reload Command
System image file is "flash:c850-advsecurityk9-mz.124-4.T7.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 851 (MPC8272) processor (revision 0x200) with 59392K/6144K bytes of memory.
Processor board ID FHK11091269
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
5 FastEthernet interfaces
128K bytes of non-volatile configuration memory.
20480K bytes of processor board System flash (Intel Strataflash)

Configuration register is 0x2102


ArneLovius🇬🇧

I've found some references to EPSV here, but it's using ZBF on IOS XE, which isn't the same as IOS on an 857.

Do you have the capability of specifying which ports to use for PASV/EPSV on your FTP server?

If you do I would be tempted to open inbound traffic to those ports, otherwise I think you're out of luck.

Harold🇺🇸

ASKER

From the start of this problem, I saw where you could start with 1024 - 35562(?), so the server admin told me he had opened/assigned those to be available.

The reason I keep after this is, as long as we bypass the 851, EPSV connections work fine. It's just going through it when it fails.

ASKER CERTIFIED SOLUTION
ArneLovius🇬🇧


Harold🇺🇸

ASKER

Not what I was looking for, but it will have to do.
