Solved

Cannot access external websites that use FTP

Posted on 2013-01-11
Last Modified: 2013-02-02
Hello,

I am having an issue where I cannot access certain files on websites. It looks as though the files are accessed via FTP. Could my router be blocking it? I have a Cisco 2801 router acting as a firewall. Here is my config:

Current configuration : 12313 bytes
!
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname -2801
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 4096
!
aaa new-model
!
!
aaa authentication login userauthen group radius local
aaa authorization network groupauthor local
!
!
aaa session-id common
clock timezone est -5
clock summer-time zone recurring last Sun Mar 2:00 1 Sun Nov 2:00
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 172.19.3.129 172.19.3.149
ip dhcp excluded-address 172.19.10.1 172.19.10.253
ip dhcp excluded-address 172.19.3.140
ip dhcp excluded-address 172.19.3.133
ip dhcp ping timeout 900
!
ip dhcp pool DHCP
   network 172.19.3.128 255.255.255.128
   default-router 172.19.3.129
   domain-name domain.local
   netbios-name-server 172.19.3.7
   option 66 ascii 172.19.3.225
   dns-server 172.19.3.140 208.67.220.220 208.67.222.222
!
ip dhcp pool VoiceDHCP
   network 172.19.10.0 255.255.255.0
   default-router 172.19.10.1
   dns-server 208.67.220.220 8.8.8.8
   option 66 ascii 172.19.10.2
   lease 2
!
!
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
no ip domain lookup
ip domain name domain.local
!
multilink bundle-name authenticated
!
!
!
key chain key1
 key 1
   key-string 7 06040033484B1B484557
!
crypto pki trustpoint TP-self-signed-3448656681
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3448656681
 revocation-check none
 rsakeypair TP-self-signed-3448656681
!
!
!
!
username admin privilege 15 password
archive
 log config
  hidekeys
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxx address XXXXXXX
crypto isakmp key XXXXXXX address XXXXXXX
crypto isakmp keepalive 40 5
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group VPN
 key XXXXXXX
 dns 172.19.3.140
 wins 172.19.3.140
 domain domain.local
 pool VPN_Pool
 acl 198
crypto isakmp profile VPNClient
   description VPN clients profile
   match identity group VPN
   client authentication list userauthen
   isakmp authorization list groupauthor
   client configuration address respond
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map Dynamic 5
 set transform-set myset
 set isakmp-profile VPNClient
 qos pre-classify
!
!
crypto map VPN 10 ipsec-isakmp
 set peer XXXXXXX
 set transform-set myset
 match address 101
 qos pre-classify
crypto map VPN 20 ipsec-isakmp
 ! Incomplete
 set peer XXXXXXX
 set transform-set myset
 match address 103
crypto map VPN 65535 ipsec-isakmp dynamic Dynamic
!
!
!
!
track 123 ip sla 1 reachability
 delay down 15 up 10
!
class-map match-any VoiceTraffic
 match protocol rtp audio
 match protocol h323
 match protocol rtcp
 match access-group name VOIP
 match protocol sip
class-map match-any RDP
 match access-group 199
!
!
policy-map QOS
 class VoiceTraffic
    bandwidth 512
 class RDP
    bandwidth 768
policy-map MainQOS
 class class-default
    shape average 1500000
  service-policy QOS
!
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$
 ip address 172.19.3.129 255.255.255.128
 ip inspect SDM_LOW in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/0.10
 description $ETH-VoiceVLAN$$
 encapsulation dot1Q 10
 ip address 172.19.10.1 255.255.255.0
 ip inspect SDM_LOW in
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/1
 description "Comcast"
 ip address Public IP 255.255.255.248
 ip access-group 102 in
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPN
!
interface Serial0/1/0
 description "Verizon LEC Site ID"
 bandwidth 1536
 no ip address
 encapsulation frame-relay IETF
 frame-relay lmi-type ansi
!
interface Serial0/1/0.1 point-to-point
 bandwidth 1536
 ip address XXXXXXX 255.255.255.252
 ip access-group 102 in
 ip verify unicast reverse-path
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 frame-relay interface-dlci 500 IETF
 crypto map VPN
 service-policy output MainQOS
!
interface Serial0/2/0
 description "Verizon ID) "
 ip address XXXXXXX 255.255.255.252
 ip access-group 102 in
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 crypto map VPN
 service-policy output MainQOS
!
ip local pool VPN_Pool 172.20.3.130 172.20.3.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 XXXXXXX track 123
ip route 0.0.0.0 0.0.0.0 XXXXXXX 254
ip route 107.0.197.20 255.255.255.255 XXXXXXX
ip route 208.67.220.220 255.255.255.255 XXXXXXX
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-top-talkers
 top 20
 sort-by bytes
!
ip nat inside source route-map COMCAST interface FastEthernet0/1 overload
ip nat inside source route-map PAE interface Serial0/2/0 overload
ip nat inside source route-map VERIZON interface Serial0/1/0.1 overload
ip nat inside source static 172.19.3.133 50.78.233.106
!
ip access-list extended VOIP
 permit ip 172.20.3.0 0.0.0.127 host 172.19.3.190
 permit ip host 172.19.3.190 172.20.3.0 0.0.0.127
!
ip radius source-interface FastEthernet0/0
ip sla 1
 icmp-echo 208.67.220.220 source-interface FastEthernet0/1
 timeout 10000
 frequency 15
ip sla schedule 1 life forever start-time now
access-list 23 permit 172.19.3.0 0.0.0.127
access-list 23 permit 172.19.3.128 0.0.0.127
access-list 23 permit 173.189.251.192 0.0.0.63
access-list 23 permit 107.0.197.0 0.0.0.63
access-list 23 permit 173.163.157.32 0.0.0.15
access-list 23 permit 72.55.33.0 0.0.0.255
access-list 23 permit 172.19.5.0 0.0.0.63
access-list 100 remark "Outgoing Traffic"
access-list 100 remark CCP_ACL Category=17
access-list 100 deny   ip 67.128.87.156 0.0.0.3 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit tcp host 172.19.3.190 any eq smtp
access-list 100 permit tcp host 172.19.3.137 any eq smtp
access-list 100 permit tcp any host 66.251.35.131 eq smtp
access-list 100 permit tcp any host 173.201.193.101 eq smtp
access-list 100 permit tcp any any eq ftp
access-list 100 permit ip any any
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 101 permit ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data
access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.5.64
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
access-list 102 remark CCP_ACL Category=17
access-list 102 permit ip any host 50.78.233.106
access-list 102 remark "Inbound Access"
access-list 102 permit udp any host XXXXXXX eq non500-isakmp
access-list 102 permit udp any host XXXXXXX eq isakmp
access-list 102 permit esp any host XXXXXXX
access-list 102 permit ahp any host XXXXXXX
access-list 102 permit udp any host XXXXXXX eq non500-isakmp
access-list 102 permit esp any host XXXXXXX
access-list 102 permit ahp any host XXXXXXX
access-list 102 permit udp any host Public IP eq non500-isakmp
access-list 102 permit udp any host Public IP eq isakmp
access-list 102 permit esp any host Public IP
access-list 102 permit ahp any host Public IP
access-list 102 permit ip 72.55.33.0 0.0.0.255 any
access-list 102 permit ip 107.0.197.0 0.0.0.63 any
access-list 102 deny   ip 172.19.3.128 0.0.0.127 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 remark ftp
access-list 102 permit tcp any any eq ftp
access-list 102 remark FTP Data
access-list 102 permit tcp any any eq ftp-data
access-list 102 permit icmp any any
access-list 102 permit udp any host XXXXXXX eq non500-isakmp
access-list 102 permit udp any host XXXXXXX eq isakmp
access-list 102 permit esp any host XXXXXXX
access-list 102 permit ahp any host XXXXXXX
access-list 102 deny   ip any any log
access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.5.0 0.0.0.63
access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
access-list 110 remark "Outbound NAT Rule"
access-list 110 remark "Deny VPN Traffic NAT"
access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
access-list 110 deny   ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
access-list 110 deny   ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 110 permit ip 172.19.3.128 0.0.0.127 any
access-list 110 permit ip 172.19.10.0 0.0.0.255 any
access-list 198 remark "Networks for VPN Client"
access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 199 permit tcp any any eq 3389
!
!
!
route-map PAE permit 10
 match ip address 110
 match interface Serial0/2/0
!
route-map COMCAST permit 10
 match ip address 110
 match interface FastEthernet0/1
!
route-map VERIZON permit 10
 match ip address 110
 match interface Serial0/1/0.1
!
!
snmp-server community RO
radius-server host 172.19.3.7 auth-port 1645 acct-port 1646 key 7 060506324F411F090B464058
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server 128.118.25.3
ntp server 217.150.242.8
end

-2801#exit


Question by:argroup
Expert Comment
by:agonza07
ID: 38768338
Try removing "ip inspect SDM_LOW in" from your internal interfaces to see if that helps.

Author Comment
by:argroup
ID: 38774681
I will try that, although I thought that it was a pretty standard option.

Author Comment
by:argroup
ID: 38775090
Do you know what SDM_LOW in does?

Expert Comment
by:agonza07
ID: 38775248
This should help explain it.

https://learningnetwork.cisco.com/thread/13408

On basic firewalls I've only seen it applied on the outbound interface, unless you are zoning, which I didn't see any of in your config.

Author Comment
by:argroup
ID: 38776859
I've made that change, but I am still unable to connect to FTP sites.

Expert Comment
by:agonza07
ID: 38776874
Remove this line.

ip inspect name SDM_LOW ftp

Author Comment
by:argroup
ID: 38776880
How do I remove it if it's a global value?

Expert Comment
by:agonza07
ID: 38776886
config t
no ip inspect name SDM_LOW ftp

Author Comment
by:argroup
ID: 38776903
Still no joy, something is still blocking it.

Author Comment
by:argroup
ID: 38778842
Are there any logging tools that I can use on the Cisco device? There must be something that I can trace packets with on the router.

Expert Comment
by:agonza07
ID: 38778989
You can try to Wireshark it. But looks like you ruled out CBAC. Next would be to try and rule out the access lists.

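To rule out the access lists, as suggested above, it helps to see what the static entries of access-list 102 do to each packet of an FTP session on their own. Two details of IOS extended ACLs matter here. First, `eq` matches the destination port, so `permit tcp any any eq ftp-data` matches packets sent to port 20, not the active-mode data connection a server opens from port 20 to an ephemeral port on the client. Second, ACL 102 has no `established` entry, so by itself it denies every reply packet of an outbound connection, FTP or otherwise. What lets that traffic back in is CBAC: the generic `tcp` inspection in SDM_LOW admits replies to client-initiated connections (the control channel and passive-mode data), while `ip inspect name SDM_LOW ftp` is the part that reads PORT/PASV on the control channel and opens the server-initiated active-mode data connection, so removing it takes active FTP away rather than giving it back. The Python below is an added example, not code from the post or from Cisco: a small evaluator for numbered extended ACLs run over a copy of ACL 102, with the redacted peer addresses replaced by 203.0.113.10 as an assumed public address and 198.51.100.7 as a hypothetical FTP server. It shows the static list denies all three FTP flows, while it does permit an unsolicited SYN to port 21 and any traffic at all to the statically NATed host 50.78.233.106.

```python
"""
Added example (not code from the original post or from Cisco): a small
evaluator for IOS numbered extended ACLs, used to check which FTP-related
flows the static inbound ACL 102 from the posted config permits on its
own, i.e. without the dynamic entries that CBAC ("ip inspect") adds.
Assumptions: 203.0.113.10 stands in for the redacted public address on
FastEthernet0/1 and 198.51.100.7 is a hypothetical external FTP server.
"""
import ipaddress
from dataclasses import dataclass

ROUTER_PUBLIC = "203.0.113.10"   # assumed; "Public IP" in the post

# Constructed from the access-list 102 lines in the post, with the redacted
# VPN peer entries collapsed onto the router's own public address.
ACL_102 = f"""
access-list 102 permit ip any host 50.78.233.106
access-list 102 permit udp any host {ROUTER_PUBLIC} eq non500-isakmp
access-list 102 permit udp any host {ROUTER_PUBLIC} eq isakmp
access-list 102 permit esp any host {ROUTER_PUBLIC}
access-list 102 permit ahp any host {ROUTER_PUBLIC}
access-list 102 permit ip 72.55.33.0 0.0.0.255 any
access-list 102 permit ip 107.0.197.0 0.0.0.63 any
access-list 102 deny   ip 172.19.3.128 0.0.0.127 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq ftp-data
access-list 102 permit icmp any any
access-list 102 deny   ip any any log
"""

PORT_NAMES = {"ftp": 21, "ftp-data": 20, "isakmp": 500, "non500-isakmp": 4500}
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "time-exceeded": 11}


@dataclass
class Packet:
    proto: str            # "tcp", "udp", "icmp", "esp", "ahp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1


def _parse_addr(tokens, i):
    """Consume an IOS address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1]), i + 2      # a /32
    # "address wildcard": the wildcard bits are the inverse of the netmask
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = str(ipaddress.ip_address(~wildcard & 0xFFFFFFFF))
    return ipaddress.IPv4Network((tokens[i], netmask), strict=False), i + 2


def parse_acl(text):
    """Parse 'access-list N {permit|deny} proto src dst [eq port|icmp-type]' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[2] == "remark":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        port = icmp_type = None
        if i < len(t) and t[i] == "eq":                 # destination port only
            port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        elif i < len(t) and proto == "icmp" and t[i] in ICMP_TYPES:
            icmp_type = ICMP_TYPES[t[i]]
        rules.append((action, proto, src, dst, port, icmp_type))
    return rules


def evaluate(rules, pkt):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, src, dst, port, icmp_type in rules:
        if proto != "ip" and proto != pkt.proto:
            continue
        if s not in src or d not in dst:
            continue
        if port is not None and pkt.dport != port:
            continue
        if icmp_type is not None and pkt.icmp_type != icmp_type:
            continue
        return action
    return "deny"


def ftp_flow_report(rules, server="198.51.100.7", public=ROUTER_PUBLIC):
    """Verdicts for inbound packets on FastEthernet0/1 during one client FTP session."""
    flows = {
        # SYN-ACK for the client's outbound control connection
        "control reply": Packet("tcp", server, public, sport=21, dport=51000),
        # active mode: the server opens the data channel from port 20
        "active data syn": Packet("tcp", server, public, sport=20, dport=51001),
        # passive mode: SYN-ACK for the client's outbound data connection
        "passive data reply": Packet("tcp", server, public, sport=40000, dport=51002),
        # unsolicited SYN from the internet to port 21 of the public address
        "unsolicited to 21": Packet("tcp", server, public, sport=33000, dport=21),
        # the statically NATed host (172.19.3.133) is reachable on every port
        "rdp to static nat host": Packet("tcp", server, "50.78.233.106", sport=33001, dport=3389),
    }
    return {name: evaluate(rules, pkt) for name, pkt in flows.items()}


if __name__ == "__main__":
    for name, verdict in ftp_flow_report(parse_acl(ACL_102)).items():
        print(f"{name:24s} -> {verdict}")
```

On the router itself the equivalent checks are `show ip inspect sessions`, which lists the dynamic entries CBAC has opened (including any FTP data channel it recognised), and `show access-lists 102`, whose per-entry hit counts show which static entry a packet matched; the `log` keyword on the final deny also writes the dropped packet to the buffer read with `show logging`.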
Accepted Solution
by:argroup
ID: 38784680
I still have an ip inspect SDM_LOW out applied to my FastEthernet0/1 interface. Would that be causing an issue?

Expert Comment
by:agonza07
ID: 38785131
You can try and remove it just to test it out. I doubt it'll make much difference.

You'll need to sniff the traffic to see what is really going on.

Author Closing Comment
by:argroup
ID: 38846373
We found the issue elsewhere.