Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
22807
Views
0
Helpful
8
Replies

NAT problem - Can't FTP, port 21 is open

ashgaming
Level 1
Level 1

‎08-24-2011 03:45 AM - edited ‎03-04-2019 01:23 PM

Hi,

I have a strange problem, I have opened port 21 on my internet facing router however I'm able to use FTP. I get error in FileZilla: "Connection attempt failed. Connection attempt timed out"

Everything works fine and I can FTP if I delete and add again following records in NAT.

ip nat inside source static tcp 192.168.1.13 21 x.x.x.x 21 extendable

ip nat inside source static udp 192.168.1.13 21 x.x.x.x 21 extendable

Am I doing something wrong, do I have to configure on my router something else in order to give FTP access?

Kind Regards

Lukasz

Labels:
0 Helpful
8 Replies 8

Peter Paluch
Cisco Employee
Cisco Employee

‎08-24-2011 04:05 AM

Hello Lukasz,

FTP opens two TCP ports (UDP is not used). The port 21 is for commands. The another port is for the transferred data itself, and historically, there are two methods of determining that port:

  • Active FTP, in which the client opens the port TCP/20, and the external server connects to this port and starts sending/receiving data as appropriate.
  • Passive FTP, in which the server opens a high TCP port, tells about this port to the client. The client then connects to this port and server starts sending/receiving data as appropriate.

The IOS should take care of enabling this communication over NAT if you open the port 21, however, there may be another features on your router that prevent this communication. Are you running any kind of firewall?

In addition, have you tried reconfiguring the FileZilla for both active and passive FTP operation? Does any of it work?

Best regards,

Peter

0 Helpful

ashgaming
Level 1
Level 1
In response to Peter Paluch

‎09-01-2011 03:14 PM

I've tried both ftp modes in filezila but still no luck. I have both ports 20/21 opened and it works for couple of hours then stops. I've also tried to restart IIS but still the same I can FTP to this server internaly from my office network.

Regards,

Lukasz

0 Helpful

cadet alain
VIP Alumni
VIP Alumni

‎08-24-2011 04:11 AM

Hi,

which ftp mode are you using? have you got firewall or ACLs configured if so could post config.

Regards.

Alain.

Don't forget to rate helpful posts.
0 Helpful

Marwan ALshawi
VIP Alumni
VIP Alumni

‎08-24-2011 04:17 AM

are you using active or passive FTP int the server ?

tyr to use the bellow ACLs example based on the FTP type used 

ip access-list extended FROM_OUTSIDE
! Active FTP
permit tcp any host  x.x.x.x 21 range ftp-data ftp
! Passive FTP
permit tcp any host  x.x.x.x 21 eq ftp
permit tcp any host  x.x.x.x 21 range 1023 65535
 
 also u need port 20 in the NAT + 21
0 Helpful

ashgaming
Level 1
Level 1
In response to Marwan ALshawi

‎09-01-2011 03:12 PM

Hi,

I've tried to set up the router with your advice however it didn't work.

I'm probably doing something wrong, would you be able to write it step by step what I should do in order to open ftp port.

My internal ftp server ip is 192.168.1.13, my public IP addres is i.e. 1.2.3.4, this IP is assigned to int fa04 on my router.

Best regards,

Lukasz

0 Helpful

Marwan ALshawi
VIP Alumni
VIP Alumni
In response to ashgaming

‎09-01-2011 05:14 PM

can you post you current router config

0 Helpful

ashgaming
Level 1
Level 1
In response to Marwan ALshawi

‎09-02-2011 10:03 AM

NAT configuration:

ip nat inside source static tcp 192.168.1.213 20 62.7.74.91 20 extendable

ip nat inside source static tcp 192.168.1.213 21 62.7.74.91 21 extendable

ACL configuration:

Extended IP access list 102

    10 permit tcp any host 1.2.3.4 range ftp-data ftp (230 matches)

    20 permit tcp any host 1.2.3.4 eq ftp

    30 permit tcp any host 1.2.3.4 range 1023 65535 (2252 matches)

    40 permit ip any any (22488719 matches)

!interface fa04

ip access-group 102 in

0 Helpful

ashgaming
Level 1
Level 1

‎08-25-2011 08:53 AM

Thank you all for your advice,

I have enabled both ports 21 and 20 in NAT and I can connected to FTP however after few hours something happens on my router and I can't access FTP unless I readd both ports to NAT.

Below my existing NAT configuration:

ip nat inside source static tcp 192.168.1.13 21 1.2.3.4 21 extendable

ip nat inside source static tcp 192.168.1.13 20 1.2.3.4 20 extendable

I'm using IIS FTP and it runs in default configuration. I haven't specified FTP type to active or passive.

You have mentioned that I should create new ACL shall I do it in following way?

Extended IP access list FTP

    10 permit tcp any host 192.168.1.13 eq ftp

    20 permit tcp any host 192.168.1.13 gt 1024

    30 permit ip any any

I understand that I should enable inbound traffic for above ACL on internet interface?

Best regards and thanku for help,

Lukasz

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card