03-11-2007 06:12 PM - edited 03-11-2019 02:44 AM
Hi,
I am a Cisco newbie, :). And I really need your help or direction. I am trying to set up an FTP server using Windows XP Pro. This server has a static local IP, and this local IP is NATted to a public IP on my router. The router has a configuration with VPN, firewall... If I VPN in from the internet, I can connect and transfer data to my FTP server using the local IP without problems. But if I disconnect the VPN and try to connect to the FTP server using the public IP, I can log in without problem. However, if I try to list or transfer data from/to my FTP server, it just hangs on me. I guess there is something missing in my firewall configuration, and it just keeps blocking the service. I did search a lot for this issue, but all I found is exactly what I have: NAT the local IP to public, then grant access to the ftp port and ftp-data port on the public IP. I am at a loss now, and I am not sure where to start. Below is some config from my router and the problems when I am trying to connect to my FTP site using the DOS prompt. I thank you in advance. Any help or direction would be greatly appreciated.
partial configuration from Cisco 2811 router:
--------------------------------------
ip cef
ip port-map ftp port tcp 20
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
ip inspect name FW h323
ip inspect name FW rcmd
ip inspect name FW realaudio
ip inspect name FW smtp
ip inspect name FW sqlnet
ip inspect name FW streamworks
ip inspect name FW tftp
ip inspect name FW vdolive
ip inspect name FW ftp
ip nat inside source static local.ftp.server.ip public.ip route-map t1-map
access-list 111 permit tcp any host public.ip eq ftp
access-list 111 permit tcp any host public.ip eq ftp-data
cisco2811#show ip port-map ftp
Default mapping: ftp tcp port 21 system defined
Default mapping: ftp tcp port 20 user defined
--------------------------------------
From Dos Prompt trying to connect to FTP Site
C:\>ftp public.ip
Connected to public.ip
220-Microsoft FTP Service
220 PTS FTP SITE
User (public.ip:(none)): user
331 Password required for user.
Password:
230-WELCOME TO PTS FTP SITE.
230 User user logged in.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
425 Can't open data connection.
From Dos Prompt trying to connect to FTP Site with (quote PASV)
C:\>ftp public.ip
Connected to public.ip
220-Microsoft FTP Service
220 PTS FTP SITE
User (public.ip:(none)): user
331 Password required for user.
Password:
230-WELCOME TO PTS FTP SITE.
230 User user logged in.
ftp> quote PASV
227 Entering Passive Mode (public.ip,19,137).
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
425 Can't open data connection.
03-22-2007 06:45 AM
Hi,
I actually have this same problem. I am trying to setup an FTP server behind our Cisco 2811 Firewall to allow our clients to transfer files to our server. The problem with using Active FTP is that if the client who is trying to connect to the FTP server is also behind a firewall, the connection will be blocked by their firewall. Of course when using Passive FTP, it gets blocked by our firewall.
Active FTP
In active mode FTP the client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21. Then, the client starts listening to port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client's specified data port from its local data port, which is port 20.
From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened:
- FTP server's port 21 from anywhere (Client initiates connection)
- FTP server's port 21 to ports > 1023 (Server responds to client's control port)
- FTP server's port 20 to ports > 1023 (Server initiates data connection to client's data port)
- FTP server's port 20 from ports > 1023 (Client sends ACKs to server's data port)
The main problem with active mode FTP actually falls on the client side. The FTP client doesn't make the actual connection to the data port of the server--it simply tells the server what port it is listening on and the server connects back to the specified port on the client. From the client side firewall this appears to be an outside system initiating a connection to an internal client--something that is usually blocked.
Passive FTP
In order to resolve the issue of the server initiating the connection to the client a different method for FTP connections was developed. This was known as passive mode, or PASV, after the command used by the client to tell the server it is in passive mode.
In passive mode FTP the client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server. When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1023 and N+1). The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command. The result of this is that the server then opens a random unprivileged port (P > 1023) and sends the PORT P command back to the client. The client then initiates the connection from port N+1 to port P on the server to transfer data.
From the server-side firewall's standpoint, to support passive mode FTP the following communication channels need to be opened:
- FTP server's port 21 from anywhere (Client initiates connection)
- FTP server's port 21 to ports > 1023 (Server responds to client's control port)
- FTP server's ports > 1023 from anywhere (Client initiates data connection to random port specified by server)
- FTP server's ports > 1023 to remote ports > 1023 (Server sends ACKs (and data) to client's data port)
Now, I realize that I can probably easily fix this problem by applying the following entries to our Firewall:
Permit tcp any host (External IP) eq ftp
Permit tcp any host (External IP) gt 1023
But the problem is this opens up thousands of ports to everyone. Is there a way to avoid having to do this with the IOS Firewall?
03-22-2007 07:57 AM
Enable the inspection engine for FTP.
03-22-2007 08:12 AM
Here's what I currently have configured on my router:
ip inspect name APP_FIREWALL ftp
ip nat inside source static tcp (Internal IP) 21 interface FastEthernet0/0 21
ip access-list extended FIREWALL
permit tcp any host (External IP) eq ftp
permit tcp any host (External IP) eq ftp-data
permit tcp any host (External IP) established
I'm using CoreFtp as the client, and I have tested this from home and it works if I set the client to use Active mode when it connects, but it does not work when I set the client to use Passive mode because the Firewall blocks the connection. The client is able to make the initial connection on port 21, however, when the client switches over to a random port, the firewall then blocks it.
03-22-2007 08:45 AM
For passive FTP, you would have to open up all the ports on the outside interface.
permit tcp any host (External IP)
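To make concrete what the active/passive explanation above and the "enable the inspection engine" reply are saying, here is an added example that is not code from the thread or from Cisco. It parses the two lines on the FTP control channel that announce a data connection (the client's PORT command and the server's 227 PASV reply), derives the one TCP flow each announces, and compares what the thread's static ACL 111 (ftp and ftp-data only) permits with the single per-transfer entry a stateful FTP inspector would open instead of a blanket "gt 1023" permit. The addresses 203.0.113.10 and 198.51.100.7 are constructed documentation addresses standing in for the thread's "public.ip" placeholder and an outside client; the PASV port fields (19,137) are the ones in the original post and decode to port 5001.

```python
import re
from dataclasses import dataclass

# Constructed sample addresses (RFC 5737 documentation ranges) standing in for the
# thread's "public.ip" placeholder and an outside FTP client. These are assumptions.
SERVER_PUBLIC_IP = "203.0.113.10"
CLIENT_IP = "198.51.100.7"

# FTP encodes "h1,h2,h3,h4,p1,p2" in both the PORT command and the 227 PASV reply.
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + _HOSTPORT + r"\s*$")
PASV_RE = re.compile(r"^227\s.*?\(" + _HOSTPORT + r"\)")


@dataclass(frozen=True)
class Flow:
    src: str        # host sending the TCP SYN
    dst: str        # host receiving it
    dport: int      # destination port of the SYN
    direction: str  # "inbound" (client -> server) or "outbound" (server -> client)


def decode_hostport(fields):
    """Convert the six FTP fields into (ip, port); port = p1*256 + p2."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("FTP host/port field out of range: %r" % (fields,))
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def data_flow(control_line, client_ip=CLIENT_IP, server_ip=SERVER_PUBLIC_IP):
    """Derive the data connection that one control-channel line announces.

    This mirrors what a stateful FTP inspector does: it reads the port
    negotiation and opens exactly that flow. The announced address must be the
    peer the inspector already knows from the control channel; a pinhole to any
    other host is refused rather than opened.
    """
    m = PORT_RE.match(control_line)
    if m:
        ip, port = decode_hostport(m.groups())
        if ip != client_ip:
            raise ValueError("PORT address %s is not the control-channel client %s" % (ip, client_ip))
        # Active mode: the server connects from its port 20 to the client's announced port.
        return Flow(src=server_ip, dst=ip, dport=port, direction="outbound")
    m = PASV_RE.match(control_line)
    if m:
        ip, port = decode_hostport(m.groups())
        if ip != server_ip:
            raise ValueError("PASV address %s is not the control-channel server %s" % (ip, server_ip))
        # Passive mode: the client connects to the port the server announced.
        return Flow(src=client_ip, dst=ip, dport=port, direction="inbound")
    return None  # not a port negotiation (USER, PASS, LIST, 150, 230, ...)


def static_acl_permits(flow, permitted_dports=(21, 20)):
    """What ACL 111 in the thread allows: inbound TCP to the public IP on ftp and
    ftp-data only. Server-initiated (outbound) flows are not filtered by an inbound
    ACL, and 'ip inspect ... tcp' admits their return traffic."""
    return flow.direction == "outbound" or flow.dport in permitted_dports


def dynamic_pinhole(flow):
    """The single entry an FTP inspector adds for this one transfer, as opposed to
    the blanket 'permit tcp any host <External IP> gt 1023' proposed in the thread."""
    return "permit tcp host %s host %s eq %d" % (flow.src, flow.dst, flow.dport)


def analyse(control_lines, client_ip=CLIENT_IP, server_ip=SERVER_PUBLIC_IP):
    """Walk a control-channel capture; return (line, flow, static_verdict, pinhole)."""
    results = []
    for line in control_lines:
        flow = data_flow(line, client_ip, server_ip)
        if flow is not None:
            results.append((line, flow, static_acl_permits(flow), dynamic_pinhole(flow)))
    return results


# Constructed control-channel lines. The PASV reply reuses the thread's port
# fields (19,137), which decode to port 19*256 + 137 = 5001.
SAMPLE_SESSION = [
    "USER user",
    "230 User user logged in.",
    "PORT 198,51,100,7,7,210",
    "200 PORT command successful.",
    "227 Entering Passive Mode (203,0,113,10,19,137).",
]

if __name__ == "__main__":
    for line, flow, ok, rule in analyse(SAMPLE_SESSION):
        print("%-50s -> %s:%d %s | static ACL 111: %s | inspector pinhole: %s"
              % (line, flow.dst, flow.dport, flow.direction,
                 "permit" if ok else "blocked (client sees 425)", rule))
```

Run against the sample session, the PORT line yields an outbound flow to client port 2002 that the static ACL never has to permit, while the 227 reply yields an inbound flow to port 5001 that ACL 111 drops, which is the "425 Can't open data connection" seen in the original post. The inspector's pinhole is one host-to-host entry for one port, which is why `ip inspect name ... ftp` answers the "thousands of ports" concern without a `gt 1023` permit.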
03-16-2007 09:38 AM
Try to use active FTP; it may work. Also check this bug-id: CSCsg37315, which is related to IOS Firewall.
03-20-2007 07:07 PM
Hi, thank you for your response. How do I set active FTP in my router?
About the bug-id CSCsg37315, I couldn't find anything. Could you point out a link somewhere? Again, thank you for your reply.
PL
04-16-2007 09:43 PM
Hi,
Thank you for all your help. My server is running now. Again, you guys are the best. Thanks.
PL