Internal users can't access ftp

ironmannut
Level 1

I have internal users that are trying to access FTP on the outside, but they are unable to issue a dir, cd, etc. This happens both in IE and through the command prompt. The users can log in, but once they log in it hangs. When I remove access-list 100, everything works fine. Here is my access-list. It's very basic, which is why I don't understand why it's not working.

access-list 100 permit tcp any host x.x.x.x eq telnet log-input

access-list 100 permit tcp any any established log-input

access-list 100 permit udp any eq domain any log-input

access-list 100 permit icmp any any log-input

access-list 100 deny ip any any log-input

access-list 100 deny gre any any log-input

I would have thought the "permit tcp any any established log-input" would have done the trick, but it still isn't working. The router is a Cisco 1720. If anybody has any ideas, I would greatly appreciate it.

9 Replies

mheusinger
Level 10

Hi, do they use active or passive FTP?

As you might know, FTP uses two ports 20 and 21.

You start connecting to 21 and then all data is sent over port 20 with active FTP. This might have to do with ACL or with NAT in place.

Did you try to change between active/passive FTP (e.g. in IE settings)?

Be also aware that FTP might not work at all, when Server and Client are behind a NAT device.

Hope this helps

Martin

smif101
Level 4

Add the following commands to your access-list

access-list 100 permit tcp any any eq ftp

access-list 100 permit tcp any any eq ftp-data

So I tried adding what you said and still no luck. I still can't issue an ls or dir from the command prompt or IE. Could it be the router? It's a Cisco 1720. Here is my config file. Any suggestions would be great!

INDIA#sh run

Building configuration...

Current configuration : 1470 bytes

!

version 12.1

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname TEST

!

logging history warnings

enable secret 5 $1$0UyM$57/j4QiyBqAIgovElckGY0

!

!

!

!

!

memory-size iomem 25

ip subnet-zero

ip name-server x.x.x.x

!

!

!

!

interface Serial0

description To ISP

ip address x.x.x.x 255.255.255.252

ip access-group 100 in

ip access-group 4 out

ip nat outside

load-interval 30

!

interface FastEthernet0

ip address 192.168.100.60 255.255.255.0

ip access-group 2 in

ip access-group 3 out

no ip unreachables

ip nat inside

load-interval 30

speed auto

!

ip nat pool isp-natpool-1 x.x.x.x x.x.x.x netmask 255.255.255.240

ip nat inside source list 1 pool isp-natpool-1 overload

ip classless

ip route 0.0.0.0 0.0.0.0 x.x.x.x

no ip http server

!

access-list 1 permit 192.168.100.0 0.0.0.255 log

access-list 1 deny any log

access-list 2 permit any log

access-list 3 permit any log

access-list 4 permit any log

access-list 100 permit tcp any host x.x.x.x eq telnet log-input

access-list 100 permit tcp any host x.x.x.x eq 3389 log-input

access-list 100 permit tcp any any established log-input

access-list 100 permit tcp any any eq ftp

access-list 100 permit tcp any any eq ftp-data

access-list 100 permit udp any eq domain any log-input

access-list 100 permit icmp any any log-input

snmp-server community techhpl RO

!

line con 0

line aux 0

line vty 0 4

password xxxxxx

login

Hi, did you try passive FTP? Typically you use active FTP from the command line in an MS environment. You can, however, change IE to use passive FTP.

The new additions to your access-list will not help you, because there is no active dynamic NAT translation for the FTP server response (see also RFC 1579, ftp://ftp.rfc-editor.org/in-notes/rfc1579.txt). This is why the packets will not be delivered to the end stations.

Finally, you could have a software bug. However, the config above uses only very basic features, so I would definitely test the behaviour with passive FTP first.

Last idea: did you try with one FTP server or several? Just to avoid problems coming from "misbehaving" FTP servers.

regards

Martin

Martin thanks for the reply.

I tried your suggestions with passive FTP but still no luck. I even tried other FTP sites, and every time I issue a dir it hangs. Do you think it might be a bug in the IOS? If so, should I download a newer version and apply it? Please let me know if you have any suggestions.

The mix of "access-list 100 permit tcp any any established log-input" and passive FTP from internal users usually works fine, since passive FTP forces the data session to be established from the clients rather than the server. From the workstation, can you verify that both the control and data sessions are established?

Thanks,

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

gaban
Level 1

I think your last resort is to try your access-list entries one at a time and see which one fixes it. I would be curious to know.

Good luck.

When you issue any command, your PC opens a connection to the server on the command port and sends the command. The server then opens a connection back to your PC on the data port to send the response to the command. In other words, in normal FTP you have to be able to open connections in both directions.

The passive mode described earlier tells the server to tell the PC what source ports the PC should use so that it can open both connections, the command and data connections. Passive mode is the normal way to get FTP working through firewalls and edge routers. It doesn't sound like your test with passive mode was done correctly.

Try opening one more hole in the access list to allow inbound connections to (or from, not sure which) port 20. If it works then your passive test wasn't correct.

If you look at the previous posting, the ACL entry that allows sessions established from the inside to come back in is already there:

access-list 100 permit tcp any any established log-input

Hope this helps,

Regards,
Harold Ritter, CCIE #4168 (EI, SP)
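The point made in the last few replies, that the "established" entry lets a client-initiated passive data connection back in while a server-initiated active-mode data connection is dropped, modelled as an added example (not code from the thread or from Cisco): a first-match evaluation of ACL 100 over constructed inbound packets. The port numbers and packet flags are sample values; Martin's NAT point is a separate issue this model does not cover.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    dst_port: int   # destination port as seen inbound on Serial0
    syn: bool
    ack: bool
    rst: bool = False

@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    dst_port: Optional[int] = None   # 'eq <port>' on the destination; None = any
    established: bool = False        # Cisco 'established': ACK or RST bit set

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        if self.established and not (p.ack or p.rst):
            return False
        return True

# ACL 100 from the question plus smif101's two additions, in order. The UDP
# 'eq domain' entry is left out: it keys on source port and is irrelevant to FTP.
ACL_100 = [
    Rule("permit", "tcp", dst_port=23),        # eq telnet
    Rule("permit", "tcp", established=True),   # any any established
    Rule("permit", "tcp", dst_port=21),        # eq ftp
    Rule("permit", "tcp", dst_port=20),        # eq ftp-data (destination port 20)
    Rule("permit", "icmp"),
    Rule("deny", "ip"),                        # same effect as the implicit deny
]

def evaluate(acl, p: Packet) -> str:
    """First match wins, as on the router; implicit deny if nothing matches."""
    for r in acl:
        if r.matches(p):
            return r.action
    return "deny"

# Constructed inbound packets on Serial0 (outside -> inside); ports are samples.
CTRL_SYNACK = Packet("tcp", 50001, syn=True, ack=True)          # server:21 -> client, SYN+ACK
ACTIVE_DATA_SYN = Packet("tcp", 50002, syn=True, ack=False)     # server:20 -> client's PORT, SYN only
PASSIVE_DATA_SYNACK = Packet("tcp", 50003, syn=True, ack=True)  # server PASV port -> client, SYN+ACK
```

The added "eq ftp-data" entry matches destination port 20, which the active-mode data SYN does not carry (20 is its source port), so only the passive-mode reply gets through via the established entry.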