How to allow ftp connections from external users through Cisco 2951?

Vishal.Seetal
Level 1

Hi guys,

I would like to solicit your help so as to configure my router. I have a Cisco 2951 and I've been trying in vain to configure it so as to allow ftp connections through the router from external users.

Here is what I've done so far:

1. I created a firewall on the router

2. I configured NAT so as to allow external users to connect to my ftp server via my public address

3. I then modified the firewall policy and added new rules so as to allow configured Object groups to connect to the ftp server in the LAN. The Action here is Inspect and the service is ftp.

I then tried to connect to the ftp from the outside but it didn't work. I played with the parameters and tried different things. Didn't work either. I think the above configs should be enough to allow incoming connection from the outside but why is it not working? I'm confused.

Can somebody please help?

Thanks

1 Accepted Solution

Reza Sharifi
Hall of Fame

Hi,

Can you post the output of "sh run" from the 2951?

Julio Carvajal
VIP Alumni

Hello Chundunsing,

Yes, please follow Reza's request; that would help us troubleshoot this firewall issue. Seems like you are running CBAC.

Just to let you know, you have applied an Inspect FTP for the inside users, so if they initiate the connection, the additional channels (ports) needed by FTP to transfer data will be opened dynamically, with no need for an ACL on the outside allowing that connection.

But if what you want to do is to allow communication from the users on the outside (starting the connection) you will need to allow with an ACL on the outside (inbound direction) the packets going to the FTP server because that session is not being inspected.

Please rate helpful posts.

Have a good night.

Julio!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Indeed you are right. I need to configure a rule to allow outside users to connect to the internal ftp server. Well, I have done that already. Don't know if there is something missing though. I am using zone-based firewall on the router. Please see the following screenshot.

What do you think is missing?

Thanks.

Hello,

So it is a ZBFW implementation.

Can you post your router configuration? I would like to see the NAT statement.

The Policy-inspection seems to be the one required for this setup.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
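
For reference, a minimal zone-based firewall and static NAT layout of the kind discussed in this thread, restricted to an object group of permitted external clients. This is an added example, not a configuration posted by anyone in the thread; every address, interface, object-group, ACL, class-map, policy-map and zone name in it is an assumption.

```cisco
! Constructed example: all names and addresses below are assumptions.
! Inside FTP server 192.168.10.10, public address 203.0.113.10,
! permitted external client range 198.51.100.0/24.
object-group network FTP-CLIENTS
 198.51.100.0 255.255.255.0
!
! Static NAT publishes the server; the zone policy decides what reaches it.
ip nat inside source static 192.168.10.10 203.0.113.10
!
! Outside-to-inside traffic is translated before the zone policy sees it,
! so the ACL matches the server's inside (private) address.
ip access-list extended ACL-OUT-TO-FTP
 permit tcp object-group FTP-CLIENTS host 192.168.10.10 eq ftp
!
class-map type inspect match-all CM-OUT-TO-FTP
 match access-group name ACL-OUT-TO-FTP
 match protocol ftp
!
! "inspect" tracks the FTP control session so the negotiated data
! channels are opened dynamically; everything else is dropped and logged.
policy-map type inspect PM-OUT-TO-IN
 class type inspect CM-OUT-TO-FTP
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security ZP-OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-TO-IN
!
interface GigabitEthernet0/0
 description Internet-facing (assumed)
 ip nat outside
 zone-member security OUTSIDE
!
interface GigabitEthernet0/1
 description LAN with FTP server (assumed)
 ip nat inside
 zone-member security INSIDE
!
! Checks after a test connection:
!  show ip nat translations
!  show policy-map type inspect zone-pair ZP-OUT-TO-IN sessions
```

A common mismatch in this kind of setup is an outside-to-inside rule written against the public address, which never matches because the destination has already been translated to the inside address by the time the policy is evaluated.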