02-02-2004 01:55 PM - edited 03-02-2019 01:18 PM
Hey:
I know of other people having the same problem, with non-Cisco routers. We have a 2621, running an FTP/email server in a DMZ. Every now and then - sometimes twice a day, sometimes once a week - access gets blocked to the FTP server. Clients can log in, but cannot get directory listings or transfer files. Restarting the server doesn't fix it, but restarting the router does. I've read posts regarding something called "fixup ftp" but don't know if it applies to us. Any ideas would be appreciated.
Barry Long
02-03-2004 12:44 PM
Hello Barry,
What software do you run on the 2621?
You might have an issue with NAT; you could have a NAT pool that is overflowing. Whether this could be the case depends on how many users you have and how your NAT is configured. We have too little info to draw conclusions yet. When the issue occurs again, instead of rebooting, try to issue the command: clear ip nat tra *
This clears the NAT table (and kills all sessions). If this also solves the problem, you might have a clue as to where to start looking.
Fixup commands are typically for the PIX firewall and the IOS with FW feature set (not sure about that last one). This might not apply to you.
Regards,
Leo
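Added example, not part of Leo's reply: before clearing the table, it helps to know whether the overloaded pool is actually filling up and which inside host is holding the entries. The script below parses the output of "show ip nat translations" (only the tcp/udp rows consume a port on the overloaded global address; static rows, shown with "---", do not). The sample output is constructed to match the column layout IOS prints, and the addresses are placeholders, not the ones X'd out in this thread; the warning threshold is an assumed operator value, not an IOS constant.

```python
"""Summarise 'show ip nat translations' output to see whether an overloaded
(PAT) pool is filling up, and which inside hosts hold the entries.

Added example, not from the thread.  SAMPLE is constructed; the addresses are
placeholders.  Run with no argument to use SAMPLE, or pass a file containing
real 'show ip nat translations' output.
"""
import re
import sys
from collections import Counter

SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.6:1025   10.1.1.20:1025     198.51.100.9:80    198.51.100.9:80
tcp 203.0.113.6:1026   10.1.1.20:1026     198.51.100.9:443   198.51.100.9:443
tcp 203.0.113.5:21     10.1.2.5:21        192.0.2.44:3412    192.0.2.44:3412
tcp 203.0.113.5:20     10.1.2.5:20        192.0.2.44:3413    192.0.2.44:3413
udp 203.0.113.6:1027   10.1.1.21:1027     198.51.100.53:53   198.51.100.53:53
--- 203.0.113.5        10.1.2.5           ---                ---
"""

ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def _endpoint(field):
    """'a.b.c.d:port' -> (ip, port); bare ip -> (ip, None); '---' -> (None, None)."""
    if field == "---":
        return None, None
    if ":" in field:
        ip, port = field.rsplit(":", 1)
        return ip, int(port)
    return field, None


def parse_translations(text):
    """Return one dict per translation row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Pro "):
            continue
        m = ROW_RE.match(line)
        if not m:
            continue  # e.g. extra lines from 'verbose' output
        proto, ig, il, ol, og = m.groups()
        rows.append({
            "proto": None if proto == "---" else proto,   # None marks a static entry
            "inside_global": _endpoint(ig),
            "inside_local": _endpoint(il),
            "outside_local": _endpoint(ol),
            "outside_global": _endpoint(og),
        })
    return rows


def pat_ports_in_use(rows, global_ip):
    """Distinct (protocol, port) pairs currently consumed on one overloaded address."""
    return len({(r["proto"], r["inside_global"][1]) for r in rows
                if r["proto"] and r["inside_global"][0] == global_ip})


def translations_per_inside_host(rows):
    """Dynamic entries held by each inside host; a runaway host shows up at the top."""
    return Counter(r["inside_local"][0] for r in rows if r["proto"])


def summarise(text, global_ip, warn_at):
    """warn_at is an assumed operator threshold for PAT port usage, not an IOS limit."""
    rows = parse_translations(text)
    used = pat_ports_in_use(rows, global_ip)
    return {
        "entries": len(rows),
        "pat_ports_used": used,
        "pat_warning": used >= warn_at,
        "top_hosts": translations_per_inside_host(rows).most_common(3),
    }


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    # 203.0.113.6 stands in for the single address in 'ip nat pool pool1'.
    print(summarise(text, "203.0.113.6", warn_at=1000))
```

Cross-check the totals against "show ip nat statistics" on the router; if the port count on the overload address climbs steadily between occurrences, or one inside host dominates the list, that points at the NAT table rather than at the FTP server.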
02-04-2004 07:44 AM
Leo,
Thanks for looking into this. Here is the Software version info:
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-DO3S-M), Version 12.0(5)XK1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
TAC:Home:SW:IOS:Specials for info
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Tue 14-Sep-99 15:30 by jjgreen
Image text-base: 0x80008088, data-base: 0x80CE0BDC
ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
ROM: C2600 Software (C2600-DO3S-M), Version 12.0(5)XK1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Here is the configuration we run (with passwords and IP addresses X'd out). The FTP Server is running in, you guessed it, the AppleTalk zone called "FTPServer". If you have to have the IP #s to follow what's going on, let me know. See the note I inserted about the NAT pool:
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname XXXXXXX
!
enable password XXXXXXX
!
!
!
!
!
ip subnet-zero
no ip source-route
ip name-server XXX.XXX.X.X
ip name-server XXX.XXX.X.X
ip name-server XXX.XXX.X.X
!
ip inspect name myfirewall tcp
ip inspect name myfirewall udp
ip inspect name myfirewall http java-list 3 audit-trail on
ip inspect name myfirewall ftp
ip audit notify log
ip audit po max-events 100
appletalk routing
!
!
!
process-max-time 200
!
interface FastEthernet0/0
ip address XXX.XXX.X.X
no ip directed-broadcast
ip nat inside
no ip route-cache
no ip mroute-cache
no keepalive
speed 100
full-duplex
appletalk cable-range 5-5 5.247
appletalk zone graphic
no cdp enable
!
interface Serial0/0
ip address XXX.XXX.X.X
ip access-group 101 in
no ip directed-broadcast
ip nat outside
ip inspect myfirewall in
no ip route-cache
no ip mroute-cache
no cdp enable
!
interface FastEthernet0/1
ip address XXX.XXX.X.X
no ip directed-broadcast
ip nat inside
no ip route-cache
no ip mroute-cache
no keepalive
speed 100
full-duplex
appletalk cable-range 6-6 6.139
appletalk zone FTPServer
no cdp enable
!
interface Ethernet1/0
ip address XXX.XXX.X.X
ip access-group 110 in
no ip directed-broadcast
ip nat inside
no ip route-cache
no ip mroute-cache
no keepalive
no cdp enable
!
*****Below is the NAT pool info; the following two numbers are the same*********
ip nat pool pool1 XXX.XXX.XXX.6 XXX.XXX.XXX.6 netmask 255.255.255.0
ip nat inside source list 12 pool pool1 overload
ip nat inside source static (IP of FTP Server) XXX.XXX.XXX.5 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX
no ip http server
!
access-list 3 permit any
access-list 12 permit (IPs for "graphic" zone)
access-list 12 permit (IPs for "FTPServer" zone)
access-list 12 permit (IPs for Administration LAN)
access-list 101 permit tcp any eq pop3 (IPs for Admin LAN)
access-list 101 permit tcp any eq smtp (IPs for Admin LAN)
access-list 101 permit tcp any eq www (IPs for Admin LAN)
access-list 101 permit tcp any eq 443 (IPs for Admin LAN)
access-list 101 deny ip any (IPs for Admin LAN)
access-list 101 permit udp any any gt 1024
access-list 101 permit tcp any any gt 1024
access-list 101 permit udp any eq domain any
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any eq domain
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any host XXX.XXX.XXX.5 eq smtp
access-list 101 permit tcp any host XXX.XXX.XXX.5 eq ftp
access-list 101 permit tcp any host XXX.XXX.XXX.5 eq ftp-data
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any any established
access-list 101 deny ip any any log
access-list 110 permit tcp (IPs for Admin LAN) any eq pop3
access-list 110 permit tcp (IPs for Admin LAN) any eq smtp
access-list 110 permit ip (IPs for Admin LAN) any
access-list 110 permit udp (IPs for Admin LAN) any eq domain
access-list 110 permit icmp any any
access-list 110 deny ip (IPs for Admin LAN) any log
no cdp run
!
line con 0
exec-timeout 0 0
transport input none
line aux 0
line vty 0 4
password XXXXXX
login
Barry
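Added example, not part of Barry's post: the symptom he describes (login works, listings and transfers do not) means the control channel is fine and the data channel is breaking. In passive mode the server advertises the data address in its 227 reply, and with the static NAT for the server plus "ip inspect name myfirewall ftp" that reply should be rewritten from the inside address to the public one. The script below classifies a 227 reply against the address the client actually connected to, so it can be run from outside when the problem recurs to see whether the rewrite is still happening. The sample replies are constructed; 203.0.113.5 and 10.1.2.5 are placeholders for the X'd out public and inside addresses, not real values from the thread.

```python
"""Classify the address an FTP server advertises in its PASV (227) reply.

Added example, not from the thread.  Run with no argument to classify the
constructed sample replies; pass a host name to probe a real server (needs
network access and an account you are allowed to use).
"""
import ipaddress
import re
import sys

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" per RFC 959.
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# RFC 1918 ranges: seeing one of these in a reply from the Internet side means
# the server's inside address got through without being rewritten.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv_reply(reply):
    """Return (ip, port) from a 227 reply; raise ValueError for anything else."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in PASV reply: %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def classify_pasv(reply, control_peer_ip):
    """'ok' if the advertised data address matches the control-channel peer,
    'private-address-leak' if the server handed out an RFC 1918 address,
    'other-address' otherwise.  Returns (verdict, ip, port)."""
    ip, port = parse_pasv_reply(reply)
    addr = ipaddress.ip_address(ip)
    if ip == control_peer_ip:
        verdict = "ok"
    elif any(addr in net for net in RFC1918):
        verdict = "private-address-leak"
    else:
        verdict = "other-address"
    return verdict, ip, port


def live_probe(host, user="anonymous", password="probe@example.com"):
    """Connect to a real server, send PASV, and classify the reply.
    Not run by the offline sample; the login defaults are assumptions."""
    import ftplib
    ftp = ftplib.FTP(host, timeout=15)
    ftp.login(user, password)
    peer_ip = ftp.sock.getpeername()[0]   # address we really connected to
    reply = ftp.sendcmd("PASV")
    ftp.quit()
    return classify_pasv(reply, peer_ip)


# Constructed replies.  203.0.113.5 stands in for the static NAT address of the
# server and 10.1.2.5 for its inside address; neither is from the thread.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (203,0,113,5,4,1)",   # rewritten: data channel will work
    "227 Entering Passive Mode (10,1,2,5,4,2)",      # inside address leaked through
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(live_probe(sys.argv[1]))
    else:
        for r in SAMPLE_REPLIES:
            print(r, "->", classify_pasv(r, "203.0.113.5"))
```

A "private-address-leak" verdict while the problem is occurring means the FTP inspection is no longer rewriting the 227 reply, which lines up with the router restart fixing it; an "ok" verdict means the reply is fine and the data connection itself is being dropped, so look at the NAT table and the inspect session table instead. The check covers passive mode only; in active mode the client's PORT command carries the client address and the server connects back, which the same "ip inspect ... ftp" entry handles in the other direction.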