03-16-2005 11:08 AM - edited 03-03-2019 09:03 AM
Hi, folks!
One machine (FTP client) in the net 200.2.2.0, with IP 200.2.2.222, needs to connect
to an FTP server out there, using the NAT IP 201.1.1.222, but it cannot connect.
Using an ACL with log on the serial interface, I saw the server answering the connection request.
Using another ACL with log, outbound on interface fas0/1, I cannot see the server's answer, so I
cannot see whether NAT was done.
Why?
What's wrong?
What can I do?
Putting this machine in another net, 201.1.1.0, is so difficult!
Look, one interface of the router has IP 201.1.1.1.
!
interface FastEthernet0/0
ip address 201.1.1.1 255.255.255.0
no cdp enable
!
interface FastEthernet0/1
ip address 200.2.2.2 255.255.255.0
ip nat inside
no cdp enable
!
interface Serial0/0
description INTERNET
ip address 100.100.100.30 255.255.255.252
ip nat outside
no cdp enable
!
ip nat inside source static 200.2.2.222 201.1.1.222
no ip http server
!
thanks in advance,
Renato
03-16-2005 11:34 AM
Hello Renato,
try and add the following to your configuration:
ip nat inside source static tcp 200.2.2.222 20 201.1.1.222 20 extendable
ip nat inside source static tcp 200.2.2.222 21 201.1.1.222 21 extendable
This is for both ports FTP uses (20 and 21).
Regards,
GP
03-16-2005 12:26 PM
GP,
It does not work. Do you know what version of IOS
has this new function?
The version of our router is C2691-JS-M Version 12.3(9a).
2691(config)#ip nat inside source static 200.2.2.222 20 201.1.1.222 20 extendable
^
% Invalid input detected at '^' marker.
thanks,
Renato
03-16-2005 01:00 PM
Hello Renato,
I think you got the syntax wrong:
ip nat inside source static tcp 200.2.2.222 20 201.1.1.222 20 extendable
I think you forgot to specify the protocol, tcp in this case...
Regards,
GP
03-17-2005 04:27 AM
Hi GP,
I did that cfg, look below:
ip nat inside source static tcp 200.2.2.222 20 201.1.1.22 20 extendable
ip nat inside source static tcp 200.2.2.222 21 201.1.1.22 21 extendable
ip nat inside source static 200.2.2.222 201.1.1.222
And this did not work.
I saw the FTP server's answer on the serial interface:
%SEC-6-IPACCESSLOGP: list 103 permitted tcp 192.18.108.40(21) -> 201.1.1.222(37781), 1 packet.
But I did not see this on the Fas interfaces.
Any other ideas to help us?
thanks,
Renato
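An added example, not part of the original thread: a small Python check that parses `ip nat inside source static` lines and reports any inside local address that is mapped to more than one inside global address, run here on the three lines quoted in the post above. The function names are hypothetical, and the check only reads configuration text; it does not talk to a router.

```python
import re
from collections import defaultdict

# Sample input: the three static NAT lines exactly as quoted in the post above.
SAMPLE_CONFIG = """\
ip nat inside source static tcp 200.2.2.222 20 201.1.1.22 20 extendable
ip nat inside source static tcp 200.2.2.222 21 201.1.1.22 21 extendable
ip nat inside source static 200.2.2.222 201.1.1.222
"""

# Matches both forms used in the thread:
#   ip nat inside source static <local> <global>
#   ip nat inside source static tcp|udp <local> <port> <global> <port> [extendable]
STATIC_NAT = re.compile(
    r"^\s*ip nat inside source static\s+(?:(tcp|udp)\s+)?"
    r"(\d+\.\d+\.\d+\.\d+)(?:\s+(\d+))?\s+"
    r"(\d+\.\d+\.\d+\.\d+)(?:\s+(\d+))?(?:\s+extendable)?\s*$"
)


def parse_static_nat(config):
    """Return one dict per static NAT line found in the configuration text."""
    entries = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        m = STATIC_NAT.match(line)
        if not m:
            continue
        proto, local, lport, glob, gport = m.groups()
        entries.append({
            "line": lineno,
            "proto": proto or "ip",          # no protocol keyword = whole-host mapping
            "local": local,
            "local_port": int(lport) if lport else None,
            "global": glob,
            "global_port": int(gport) if gport else None,
        })
    return entries


def inconsistent_globals(entries):
    """Map each inside local address to its global addresses when there is more than one.

    Several globals for one local can be intentional (that is what 'extendable'
    permits), so the result is a list of mappings to review, not a list of errors.
    """
    by_local = defaultdict(set)
    for e in entries:
        by_local[e["local"]].add(e["global"])
    return {loc: sorted(g) for loc, g in by_local.items() if len(g) > 1}


if __name__ == "__main__":
    for local, globs in inconsistent_globals(parse_static_nat(SAMPLE_CONFIG)).items():
        print(f"{local} is translated to several global addresses: {', '.join(globs)}")
```

On the sample, the port-specific entries and the whole-host entry for 200.2.2.222 point at different global addresses, which is the kind of difference worth comparing against what `debug ip nat` reports.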
03-17-2005 04:42 AM
Hello,
what does your access list 103 look like? Can you post the configuration of the router where access list 103 is configured?
Regards,
GP
03-17-2005 06:38 AM
GP,
I only use this to watch, look acl 103:
access-list 103 permit tcp any any established
access-list 103 permit tcp any eq ftp host 201.1.1.222 log
access-list 103 permit tcp any eq ftp host 200.2.2.222 log
access-list 103 permit tcp any any range 0 65365 log
access-list 103 permit udp any any range 0 65365
access-list 103 permit icmp any any log
access-list 103 permit ip any any log
!
interface Serial0/0
description INTERNET
ip address 100.100.100.30 255.255.255.252
ip access-group 103 in
ip nat outside
no cdp enable
I started a debug ip nat, which shows me:
Mar 17 11:44:19.882: NAT: s=192.18.108.40, d=201.1.1.222->200.2.2.222 [29486]
Mar 17 11:44:20.066: NAT: s=192.18.108.40, d=201.1.1.222->200.2.2.222 [29487]
Mar 17 11:44:20.854: NAT: s=192.18.108.40, d=201.1.1.222->200.2.2.222 [29488]
Mar 17 11:44:21.050: NAT: s=192.18.108.40, d=201.1.1.222->200.2.2.222 [29489]
thanks,
Renato
03-17-2005 07:46 AM
Hello Renato,
although it shouldn't make a difference, since your access list allows everything with the last statement, try and add the following to your access list:
access-list 103 permit tcp any any established
access-list 103 permit tcp any eq ftp host 201.1.1.222 log
--> access-list 103 permit tcp any eq ftp-data host 201.1.1.222 log
access-list 103 permit tcp any eq ftp host 200.2.2.222 log
--> access-list 103 permit tcp any eq ftp-data host 200.2.2.222 log
access-list 103 permit tcp any any range 0 65365 log
access-list 103 permit udp any any range 0 65365
access-list 103 permit icmp any any log
access-list 103 permit ip any any log
Also, try to remove the access list altogether and see if that makes a difference...
Regards,
GP
03-21-2005 10:59 AM
Hello GP,
when I tried to connect to 192.18.108.40, I received the message: connection closed by remote host.
I did connect to other FTP servers and I received a user prompt (ftp.iof.mg.gov.br and ftp.rfc-editor.org). So I connected, not logged in, but connected.
What can I do to connect to the FTP server 192.18.108.40?
thanks,
Renato