FTP port map issue

blin
Level 1

I am trying to open port 21 on router 831 for accessing an FTP server. I added the following two lines.

access-list 10 permit 172.16.5.2

ip port-map ftp port 21 list 10

But can telnet it. When double-checking the configuration, I don't have the "ip port-map ftp port 21 list 10" line. I added it again without error but the line doesn't show. Here is the configuration. Any suggestions?

version 12.3

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname ciscodmz

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 51200 debugging

logging console critical

enable secret 5 $1$o0ko$hXk18FTwq076pCcnKY0LY1

!

username ciscodmz privilege 15 password 7 00071A1507545A545C

clock timezone America/Regina -6

no aaa new-model

ip subnet-zero

no ip source-route

ip tcp synwait-time 10

ip domain name cisco.com

ip name-server 4.2.2.1

ip dhcp excluded-address 172.16.5.1 172.16.5.5

!

ip dhcp pool sdm-pool1

network 172.16.5.0 255.255.255.0

default-router 172.16.5.1

!

!

no ip bootp server

ip cef

ip audit notify log

ip audit po max-events 100

ip ssh time-out 60

ip ssh authentication-retries 2

no ftp-server write-enable

!

!

!

!

!

!

!

interface Ethernet0

description $FW_INSIDE$$ETH-LAN$

ip address 172.16.5.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip route-cache flow

no cdp enable

!

interface Ethernet1

description $FW_OUTSIDE$$ETH-WAN$

ip address 68.17.43.208 255.255.255.224

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip route-cache flow

duplex auto

no cdp enable

!

interface FastEthernet1

no ip address

duplex auto

speed auto

!

interface FastEthernet2

no ip address

duplex auto

speed auto

!

interface FastEthernet3

no ip address

duplex auto

speed auto

!

interface FastEthernet4

no ip address

duplex auto

speed auto

!

ip nat inside source list 1 interface Ethernet1 overload

ip classless

ip route 0.0.0.0 0.0.0.0 68.17.43.193 permanent

ip http server

ip http authentication local

ip http secure-server

!

logging trap debugging

logging 172.16.5.1

access-list 1 permit 172.16.5.0 0.0.0.255

access-list 10 permit 172.16.5.2

no cdp run

route-map SDM_RMAP_1 permit 1

match ip address 120

!

banner login ^CCCAuthorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

login local

no modem enable

transport output telnet

line aux 0

login local

transport output telnet

line vty 0 4

privilege level 15

login local

!

scheduler max-task-time 5000

scheduler interval 500

!

end

ciscodmz#


12 Replies

Richard Burts
Hall of Fame

What IOS are you running on the router (both release level and feature set)? Are you sure that this code supports that feature? I have seen similar behaviors when a command is entered that this particular version of IOS did not support: you can enter the command, the IOS does not generate an error message, but the command is not applied in the running-config.

HTH

Rick


it is version 12.3.

12.3, but what feature set? Without knowing what feature set it is impossible to be sure whether the feature is supported on your platform.

HTH

Rick

Hi Rick,

I am not a Cisco expert. Where can I find the feature set?

thanks.

There is an indicator of the feature set in the file name that Cisco gives the IOS. If you post the results of show version and of show flash we should be able to tell what feature set you are running.

HTH

Rick


Ok, here are show version and show flash. What feature set do we have?

ciscodmz#show version

Cisco Internetwork Operating System Software

IOS (tm) C831 Software (C831-K9O3Y6-M), Version 12.3(2)XC, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

Synched to technology version 12.3(1.6)T

TAC Support: http://www.cisco.com/tac

Copyright (c) 1986-2003 by cisco Systems, Inc.

Compiled Thu 25-Sep-03 09:06 by ealyon

Image text-base: 0x800131E8, data-base: 0x80AE4BD4

ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)

ROM: C831 Software (C831-K9O3Y6-M), Version 12.3(2)XC, EARLY DEPLOYMENT RELEASE

SOFTWARE (fc1)

ciscodmz uptime is 1 day, 2 hours, 45 minutes

System returned to ROM by power-on

System image file is "flash:c831-k9o3y6-mz.123-2.XC.bin"

This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to

export@cisco.com.

CISCO C831 (MPC857DSL) processor (revision 0x300) with 44237K/4915K bytes of memory.

Processor board ID AMB08030B4L (4240108561), with hardware revision 0000

CPU rev number 7

Bridging software.

2 Ethernet/IEEE 802.3 interface(s)

4 FastEthernet/IEEE 802.3 interface(s)

128K bytes of non-volatile configuration memory.

12288K bytes of processor board System flash (Read/Write)

2048K bytes of processor board Web flash (Read/Write)

Configuration register is 0x2102

ciscodmz#show flash

System flash directory:

File Length Name/status

1 5637500 c831-k9o3y6-mz.123-2.XC.bin

2 1790 sdmconfig-83x.cfg

3 16264 sdm.shtml

4 16264 sdm.shtml.hide

5 3176448 sdm.tar

6 1462 home.html

7 1462 home.html.hide

8 216064 home.tar

9 42 SDMupload [deleted]

10 46 SDMupload [deleted]

[9067992 bytes used, 3252776 available, 12320768 total]

12288K bytes of processor board System flash (Read/Write)

ciscodmz#

Thanks for posting this. I have looked at the issue again and think that I understand it better and have found an answer. I think the issue is that you were attempting to use port-map to define FTP. FTP is a system defined mapping. I found a statement in the documentation for ip port-map that indicates that you can not redefine the system defined mappings. Here is what the documentation says:

The Cisco IOS Firewall CBAC feature requires the system-defined mapping information to function properly. System-defined mapping information cannot be deleted or changed; that is, you cannot map HTTP services to port 21 (FTP) or FTP services to port 80 (HTTP).

At this point I am confused about what you were trying to do. Why were you attempting to do port-map for FTP? Is there any sign that FTP is not working other than the fact that you do not see the command that you entered show up in running-config?

HTH

Rick


Hi Rick,

Thank you for the details. Perhaps I used the incorrect term. What I want is port forwarding from a public IP to a private IP. For example, when people access the public IP on port 21, it will point to the private IP on port 21. How do I configure that?

Yes if this is what you want to do then the term you used and the command that you used (ip port-map) were not correct.

If you want FTP coming in to the router to a public IP address to be forwarded from the router to a private IP address, then I think a static NAT translation would be the answer that you need.

HTH

Rick


Hi Rick,

It works after adding the following line.

ip nat inside source static tcp 172.16.5.2 21 interface ethernet 1 21

thank you very much.

Kevin Dorrell
Level 10

BTW, the reason why the line didn't appear in your config: the command "ip port-map" is used to re-map the ports associated with certain applications. The default port for the FTP service is already 21, so "ip port-map ftp port 21 ..." is already the default, and so does not appear in the config.

Kevin Dorrell

Luxembourg
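The two points the thread settles, that an inside service is exposed by a static NAT entry like the one above rather than by ip port-map, and that a port-map restating a system default is accepted silently and never shows in the config, can both be checked from a saved running-config. This is an added Python example, not code from the thread or from Cisco; the config excerpt is constructed from the lines quoted in the thread, and SYSTEM_PORT_MAP is assumed to be a partial list of IOS system-defined mappings (standard ports only).

```python
import re
from typing import List, NamedTuple
# Constructed excerpt modelled on the thread's config; not the poster's full running-config.
SAMPLE_CONFIG = """\
interface Ethernet1
 ip nat outside
ip nat inside source list 1 interface Ethernet1 overload
ip nat inside source static tcp 172.16.5.2 21 interface ethernet 1 21
ip nat inside source static tcp 172.16.5.3 443 interface Ethernet1 8443
ip port-map ftp port 21 list 10
"""

CLEARTEXT = {21: "ftp", 23: "telnet", 80: "http"}  # credentials cross the wire unencrypted
# Assumed partial list of IOS system-defined port mappings (standard ports); a port-map
# that merely restates one of these is accepted silently and never appears in the config.
SYSTEM_PORT_MAP = {"ftp": 21, "telnet": 23, "http": 80, "smtp": 25}

STATIC_RE = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp) "
    r"(?P<in_ip>\d+(?:\.\d+){3}) (?P<in_port>\d+) "
    r"(?:interface (?P<iface>[A-Za-z]+ ?[\d/.]+)|(?P<out_ip>\d+(?:\.\d+){3})) "
    r"(?P<out_port>\d+)$"
)
PORTMAP_RE = re.compile(r"^ip port-map (?P<app>\S+) port (?P<port>\d+)(?: list \d+)?$")

class Forward(NamedTuple):
    proto: str
    outside: str     # WAN interface name or outside IP the service is reachable on
    out_port: int
    in_ip: str
    in_port: int
    cleartext: bool  # exposed port belongs to a credentials-in-clear protocol

def find_forwards(config: str) -> List[Forward]:
    """Every inbound static NAT entry, i.e. each inside service reachable from outside."""
    found = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            out_port = int(m["out_port"])
            found.append(Forward(m["proto"], m["iface"] or m["out_ip"], out_port,
                                 m["in_ip"], int(m["in_port"]), out_port in CLEARTEXT))
    return found

def redundant_port_maps(config: str) -> List[str]:
    """Port-map lines that restate a system default, so IOS drops them from running-config."""
    hits = []
    for line in config.splitlines():
        m = PORTMAP_RE.match(line.strip())
        if m and SYSTEM_PORT_MAP.get(m["app"]) == int(m["port"]):
            hits.append(line.strip())
    return hits
```

Running find_forwards over the sample reports the FTP forward from the thread as a cleartext-protocol exposure and the 8443 forward as not, while redundant_port_maps returns exactly the line the poster could not see in his config.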

Hi Kevin,

Thank you for the tip. This is very helpful.