09-02-2004 08:59 AM - edited 03-09-2019 08:41 AM
I am trying to open port 21 on router 831 for accessing FTP server. I added the following two lines.
access-list 10 permit 171.16.5.2
ip port-map ftp port 21 list 10
But can telnet it. When double-checking the configuration, I don't have "ip port-map ftp port 21 list 10" line. I added it again without error but the line doesn't show. Here is the configuration. Any suggestions?
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ciscodmz
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$o0ko$hXk18FTwq076pCcnKY0LY1
!
username ciscodmz privilege 15 password 7 00071A1507545A545C
clock timezone America/Regina -6
no aaa new-model
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip domain name cisco.com
ip name-server 4.2.2.1
ip dhcp excluded-address 172.16.5.1 172.16.5.5
!
ip dhcp pool sdm-pool1
network 172.16.5.0 255.255.255.0
default-router 172.16.5.1
!
!
no ip bootp server
ip cef
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
description $FW_INSIDE$$ETH-LAN$
ip address 172.16.5.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
no cdp enable
!
interface Ethernet1
description $FW_OUTSIDE$$ETH-WAN$
ip address 68.17.43.208 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip route-cache flow
duplex auto
no cdp enable
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
ip nat inside source list 1 interface Ethernet1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 68.17.43.193 permanent
ip http server
ip http authentication local
ip http secure-server
!
logging trap debugging
logging 172.16.5.1
access-list 1 permit 172.16.5.0 0.0.0.255
access-list 10 permit 172.16.5.2
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 120
!
banner login ^CCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
!
scheduler max-task-time 5000
scheduler interval 500
!
end
ciscodmz#
09-02-2004 10:31 AM
What IOS are you running on the router (both release level and feature set). Are you sure that this code supports that feature? I have seen similar behaviors when a command is entered that this particular version of IOS did not support: you can enter the command, the IOS does not generate an error message, but the command is not applied in the running-config.
HTH
Rick
09-02-2004 11:44 AM
it is version 12.3.
09-02-2004 02:21 PM
12.3, but what feature set? Without knowing what feature set it is impossible to be sure whether the feature is supported on your platform.
Rick
09-03-2004 06:22 AM
Hi Rick,
I am not Cisco expert. Where can I find feature set?
thanks.
09-03-2004 09:58 AM
There is an indicator of the feature set in the file name that Cisco gives the IOS. If you post the results of show version and of show flash we should be able to tell what feature set you are running.
HTH
Rick
09-03-2004 10:46 AM
Ok, here are show version and show flash. What feature set do we have?
ciscodmz#show version
Cisco Internetwork Operating System Software
IOS (tm) C831 Software (C831-K9O3Y6-M), Version 12.3(2)XC, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.3(1.6)T
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Thu 25-Sep-03 09:06 by ealyon
Image text-base: 0x800131E8, data-base: 0x80AE4BD4
ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
ROM: C831 Software (C831-K9O3Y6-M), Version 12.3(2)XC, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
ciscodmz uptime is 1 day, 2 hours, 45 minutes
System returned to ROM by power-on
System image file is "flash:c831-k9o3y6-mz.123-2.XC.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
CISCO C831 (MPC857DSL) processor (revision 0x300) with 44237K/4915K bytes of memory.
Processor board ID AMB08030B4L (4240108561), with hardware revision 0000
CPU rev number 7
Bridging software.
2 Ethernet/IEEE 802.3 interface(s)
4 FastEthernet/IEEE 802.3 interface(s)
128K bytes of non-volatile configuration memory.
12288K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)
Configuration register is 0x2102
ciscodmz#show flash
System flash directory:
File Length Name/status
1 5637500 c831-k9o3y6-mz.123-2.XC.bin
2 1790 sdmconfig-83x.cfg
3 16264 sdm.shtml
4 16264 sdm.shtml.hide
5 3176448 sdm.tar
6 1462 home.html
7 1462 home.html.hide
8 216064 home.tar
9 42 SDMupload [deleted]
10 46 SDMupload [deleted]
[9067992 bytes used, 3252776 available, 12320768 total]
12288K bytes of processor board System flash (Read/Write)
ciscodmz#
09-03-2004 02:46 PM
Thanks for posting this. I have looked at the issue again and think that I understand it better and have found an answer. I think the issue is that you were attempting to use port-map to define FTP. FTP is a system defined mapping. I found a statement in the documentation for ip port-map that indicates that you can not redefine the system defined mappings. Here is what the documentation says:
The Cisco IOS Firewall CBAC feature requires the system-defined mapping information to function properly. System-defined mapping information cannot be deleted or changed; that is, you cannot map HTTP services to port 21 (FTP) or FTP services to port 80 (HTTP).
At this point I am confused about what you were trying to do. Why were you attempting to do port-map for FTP? Is there any sign that FTP is not working other than the fact that you do not see the command that you entered show up in running-config?
HTH
Rick
09-07-2004 06:24 AM
Hi Rick,
Thank you for the details. Perhaps, I used incorrect term. What I want is port forwarding from a public ip to a private IP. For example, when people access the public ip port 21, it will point to the private ip port 21. How do I configure that?
09-07-2004 07:30 AM
Yes if this is what you want to do then the term you used and the command that you used (ip port-map) were not correct.
If you want FTP coming in to the router to a public IP address to be forwarded from the router to a private IP address, then I think a static NAT translation would be the answer that you need.
HTH
Rick
09-07-2004 07:52 AM
Hi Rick,
It works after adding the following line.
ip nat inside source static tcp 172.16.5.2 21 interface ethernet 1 21
thank you very much.
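An added configuration example (not from the thread) showing the static PAT entry that solved the problem next to the CBAC port-map line that did not, plus an inbound ACL on the WAN interface so that only the forwarded port is reachable from outside. The client prefix 203.0.113.0/24 and ACL number 110 are assumptions; the addresses and interface names are the ones from the posted config.

```text
! ip port-map only tells the CBAC inspection engine which port an
! application uses. FTP is system-defined as port 21, so this line is
! the default, is not stored, and forwards nothing:
!   ip port-map ftp port 21 list 10
!
! Static PAT: TCP/21 arriving at the Ethernet1 address is translated to
! the inside FTP server 172.16.5.2:21. The existing overload rule
! (ip nat inside source list 1 interface Ethernet1 overload) keeps
! working alongside it for outbound traffic.
ip nat inside source static tcp 172.16.5.2 21 interface Ethernet1 21
!
! Inbound policy on the WAN side (assumed policy, not in the thread).
! The ACL is evaluated before outside-to-inside NAT, so it matches the
! public address 68.17.43.208, not the private server address.
! 203.0.113.0/24 is a documentation prefix standing in for the clients
! that are allowed to reach the FTP server.
access-list 110 remark WAN inbound: forwarded FTP plus return traffic
access-list 110 permit tcp 203.0.113.0 0.0.0.255 host 68.17.43.208 eq 21
access-list 110 permit tcp any host 68.17.43.208 established
access-list 110 permit udp host 4.2.2.1 eq 53 host 68.17.43.208
access-list 110 deny ip any any log
!
interface Ethernet1
 ip access-group 110 in
!
! Verification after a client connects:
!   show ip nat translations   (expect an entry for 172.16.5.2:21)
!   show access-lists 110      (hit counters on the permit eq 21 line)
```

If clients use passive-mode FTP, the data-connection port range must also be permitted by ACL 110, otherwise only the control connection on port 21 will succeed.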
09-07-2004 11:25 PM
BTW, the reason why the line didn't appear in your config: the command "ip port-map" is used to re-map the ports associated with certain applications. The default port for the FTP service is already 21, so "ip port-map ftp port 21 ..." is already the default, and so does not appear in the config.
Kevin Dorrell
Luxembourg
09-08-2004 06:35 AM
Hi Kevin,
Thank you for the tip. This is very helpful.