Solved: Re: FTP problems still...

jmartina · ‎07-18-2004

ok..I posted this last week, and i still can not get it to work, everything else works...but can't get ftp to work...does any one have a config i can compare?

here is entire config

Current configuration : 3170 bytes

!

version 12.2

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname router1

!

logging buffered 16384 debugging

enable secret 5

memory-size iomem 15

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

ip subnet-zero

no ip source-route

!

ip tcp path-mtu-discovery

!

ip dhcp pool dhcppool

import all

network 10.10.10.0 255.255.255.0

default-router 10.10.10.1

lease 7

!

no ip bootp server

ip audit attack action alarm reset

ip audit notify log

ip audit po max-events 100

ip cef

!

interface Ethernet0

ip address dhcp

ip access-group 100 in

ip access-group 101 out

no ip redirects

no ip unreachables

no ip proxy-arp

ip accounting access-violations

ip nat outside

half-duplex

ntp disable

no cdp enable

!

interface FastEthernet0

ip address 10.10.10.1 255.255.255.0

ip access-group 100 in

ip access-group 101 out

ip nat inside

speed auto

no cdp enable

!

ip nat inside source list 1 interface Ethernet0 overload

ip nat inside source static tcp 10.10.10.60 13015 interface Ethernet0 13015

ip nat inside source static tcp 10.10.10.60 13014 interface Ethernet0 13014

ip nat inside source static tcp 10.10.10.60 13013 interface Ethernet0 13013

ip nat inside source static tcp 10.10.10.60 13012 interface Ethernet0 13012

ip nat inside source static tcp 10.10.10.60 13011 interface Ethernet0 13011

ip nat inside source static tcp 10.10.10.60 13010 interface Ethernet0 13010

ip nat inside source static tcp 10.10.10.60 21 interface Ethernet0 21

ip nat inside source static tcp 10.10.10.60 20 interface Ethernet0 20

ip classless

no ip http server

ip pim bidir-enable

!

ip access-list extended internet-in

!

logging 10.10.10.66

access-list 1 permit 10.0.0.0 0.255.255.255 log

access-list 100 permit tcp any any established log

access-list 100 permit tcp any gt 1023 host 10.10.10.60 eq ftp-data log

access-list 100 permit tcp any gt 1023 host 10.10.10.60 eq ftp log

access-list 100 permit tcp any gt 1023 host 10.10.10.60 eq 1023 log

access-list 100 permit icmp any any net-unreachable

access-list 100 permit icmp any any host-unreachable

access-list 100 permit icmp any any port-unreachable

access-list 100 permit icmp any any parameter-problem

access-list 100 permit icmp any any packet-too-big

access-list 100 permit icmp any any administratively-prohibited

access-list 100 permit icmp any any source-quench

access-list 100 permit icmp any any echo-reply

access-list 100 permit ip any any log

access-list 101 permit ip any any log

access-list 101 permit tcp any any log

access-list 101 permit udp any any log

no cdp run

!

banner motd ^C

****************************

* WARNING *

****************************

!

line con 0

line aux 0

line vty 0 3

password 7

login

telnet refuse-negotiations

line vty 4

password 7

login

telnet refuse-negotiations

!

Harold Ritter · ‎07-19-2004

Yes, it was me indeed. Just checking if everything was working fine. It is working now ;o)

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

View solution in original post

Harold Ritter · ‎07-18-2004

A couple of things.

First, you should use the global address as part of the access-list not the local address (10.10.10.60). I know in your case the global address is the address dynamically assigned to FastEthernet0, so the easiest would be not to specify the address at all.

Secondly, you use the same inbound access-list (100) in both directions. Remember that the ACL is directional, meaning that source and destination will not be the same in the other direction. It is not a problem for now since you have an explicit permit any any at the end of the ACL but it might be later on.

Any reason why you need the apply an ACL on the internal interface (FastEthernet0) in the first place.

Hope this helps,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

jmartina · ‎07-18-2004

i applied it to the fa0 int for trouble shooting, i thought maybe since i had it applied to e0 i would need them applied to the other int too, guess not?

when you say global address you mean network ip ? 10.10.10.0 or 0.0.0.0 ?

jmartina · ‎07-18-2004

ok..i didnt read you post to closely the first time, here is the acl list now im running but its still not working, i do a port scan from sygate i have 21 open and 23 too, which i cannot figure out why its open i didnt say open 23....

access-list 1 permit 10.0.0.0 0.255.255.255 log

access-list 100 permit tcp any any established log

access-list 100 permit tcp any gt 1023 any eq ftp-data log

access-list 100 permit tcp any gt 1023 any eq ftp log

access-list 100 permit tcp any gt 1023 any eq 1023 log

access-list 100 permit icmp any any net-unreachable

access-list 100 permit icmp any any host-unreachable

access-list 100 permit icmp any any port-unreachable

access-list 100 permit icmp any any parameter-problem

access-list 100 permit icmp any any packet-too-big

access-list 100 permit icmp any any administratively-prohibited

access-list 100 permit icmp any any source-quench

access-list 100 permit icmp any any echo-reply

access-list 100 permit ip any any log

Harold Ritter · ‎07-18-2004

Port 23 is handle the local router as opposed to the server behind it.

Also bear in mind that the current list will not work for passive FTP from an external station to you internal FTP server. Try the same FTP to your internal server using regular FTP as opposed to passive FTP.

Hope this helps,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Harold Ritter · ‎07-18-2004

If what you want to do is protecting you internal network from traffic coming from the Internet then only inbound ACL on Ethernet0 should do.

The global address is the address seen on the Internet when you NAT (in your case it is the address of the outside interface). The local address is the address known to your internal network (10.10.10.0).

Hope this helps,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

jmartina · ‎07-18-2004

ok...here it is is this right?

access-list 100 permit tcp any any established log

access-list 100 permit tcp any gt 1023 host 24.223.139.68 eq ftp-data log

access-list 100 permit tcp any gt 1023 host 24.223.139.68 eq ftp log

access-list 100 permit tcp any gt 1023 host 24.223.139.68 eq 1023 log

access-list 100 permit icmp any any net-unreachable

access-list 100 permit icmp any any host-unreachable

access-list 100 permit icmp any any port-unreachable

access-list 100 permit icmp any any parameter-problem

access-list 100 permit icmp any any packet-too-big

access-list 100 permit icmp any any administratively-prohibited

access-list 100 permit icmp any any source-quench

access-list 100 permit icmp any any echo-reply

access-list 100 permit ip any any log

Harold Ritter · ‎07-18-2004

This should be ok but bear in mind that since you get this address dynamically via DHCP it will change. That is why I said that it would be easier not to specify any destination address.

Also, could you tell me what is the following for:

access-list 100 permit tcp any gt 1023 host 24.223.139.68 eq 1023 log

Did you mean to configure "gt 1023" for passive FTP?

Thx,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

jmartina · ‎07-19-2004

yea i did actually i fixed it, hey here is my Nat translations maybe this will help....

Pro Inside global Inside local Outside local Outside global

udp 24.223.139.68:108 10.10.10.66:138 10.255.255.255:138 10.255.255.255:13

udp 24.223.139.68:137 10.10.10.60:137 10.255.255.255:137 10.255.255.255:13

udp 24.223.139.68:138 10.10.10.60:138 10.255.255.255:138 10.255.255.255:13

tcp 24.223.139.68:22411 10.10.10.60:22411 207.33.111.32:80 207.33.111.32:80

tcp 24.223.139.68:22416 10.10.10.60:22416 207.33.111.32:80 207.33.111.32:80

tcp 24.223.139.68:22417 10.10.10.60:22417 207.33.111.32:80 207.33.111.32:80

tcp 24.223.139.68:22412 10.10.10.60:22412 65.61.165.21:80 65.61.165.21:80

tcp 24.223.139.68:22413 10.10.10.60:22413 65.61.165.21:80 65.61.165.21:80

tcp 24.223.139.68:22414 10.10.10.60:22414 207.33.111.32:443 207.33.111.32:443

tcp 24.223.139.68:1166 10.10.10.66:1166 64.246.169.201:80 64.246.169.201:80

tcp 24.223.139.68:1167 10.10.10.66:1167 64.246.169.201:80 64.246.169.201:80

tcp 24.223.139.68:1316 10.10.10.66:1316 66.28.176.48:80 66.28.176.48:80

tcp 24.223.139.68:20 10.10.10.60:20 --- ---

tcp 24.223.139.68:21 10.10.10.60:21 --- ---

udp 24.223.139.68:1029 10.10.10.66:1029 207.69.188.185:53 207.69.188.185:53

tcp 24.223.139.68:20 10.10.10.60:20 207.33.111.37:43594 207.33.111.37:43

4

tcp 24.223.139.68:21 10.10.10.60:21 207.33.111.37:43594 207.33.111.37:43

4

tcp 24.223.139.68:1993 10.10.10.65:1993 207.46.106.149:1863 207.46.106.149:1

3

udp 24.223.139.68:137 10.10.10.60:137 192.168.0.10:137 192.168.0.10:137

tcp 24.223.139.68:22407 10.10.10.60:22407 216.239.41.104:80 216.239.41.104:80

tcp 24.223.139.68:22408 10.10.10.60:22408 216.239.41.104:80 216.239.41.104:80

Pro Inside global Inside local Outside local Outside global

tcp 24.223.139.68:22419 10.10.10.60:22419 216.239.41.104:80 216.239.41.104:80

tcp 24.223.139.68:20 10.10.10.60:20 207.33.111.35:44153 207.33.111.35:44

3

tcp 24.223.139.68:13010 10.10.10.60:13010 --- ---

tcp 24.223.139.68:21 10.10.10.60:21 207.33.111.35:44153 207.33.111.35:44

3

tcp 24.223.139.68:13011 10.10.10.60:13011 --- ---

tcp 24.223.139.68:13012 10.10.10.60:13012 --- ---

tcp 24.223.139.68:13013 10.10.10.60:13013 --- ---

tcp 24.223.139.68:13014 10.10.10.60:13014 --- ---

tcp 24.223.139.68:13015 10.10.10.60:13015 --- ---

tcp 24.223.139.68:4902 10.10.10.66:4902 81.0.254.167:80 81.0.254.167:80

tcp 24.223.139.68:4903 10.10.10.66:4903 81.0.254.167:80 81.0.254.167:80

tcp 24.223.139.68:22420 10.10.10.60:22420 216.45.19.33:80 216.45.19.33:80

tcp 24.223.139.68:22421 10.10.10.60:22421 216.45.19.33:80 216.45.19.33:80

tcp 24.223.139.68:22422 10.10.10.60:22422 216.45.19.33:80 216.45.19.33:80

tcp 24.223.139.68:22423 10.10.10.60:22423 216.45.19.33:80 216.45.19.33:80

Harold Ritter · ‎07-19-2004

Could you also please post the latest config including all the modifications.

Thx,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

jmartina · ‎07-19-2004