06-14-2015 10:19 PM - edited 03-08-2019 12:33 AM
Hello,
I have a few computers connected to a 887VAW router which is in turn connected to the Internet via an ISP.
One computer is running an ftp server. I can login to the ftp server from the outside of my network showing
that the port forward is working, however am unable to login from inside my network, i.e. out of my network
and then back in again.
Do I need to add additional, or modify existing code to do this?
Here is my code
Router;
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
!
hostname my_router_name
!
boot-start-marker
boot-end-marker
!
!
logging buffered 65535
logging console informational
enable password my_password1
!
aaa new-model
!
!
aaa authentication banner ^CUnauthorized Access Prohibited^C
aaa authentication fail-message ^CFailed login. Try again.^C
aaa authentication login default local
aaa authentication enable default enable
aaa authentication ppp default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone
clock summer-time
!
!
no ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.0.0.1 10.0.0.101
ip dhcp excluded-address 10.0.0.114 10.0.0.254
!
ip dhcp pool lan
import all
network 10.0.0.0 255.255.255.0
default-router 10.0.0.101
dns-server ip_dnsserver1 ip_dnsserver2
lease infinite
!
ip dhcp pool my_computer_name1
host 10.0.0.103 255.255.255.0
hardware-address my_mac_address1
!
ip dhcp pool my_computer_name2
host 10.0.0.102 255.255.255.0
hardware-address my_mac_address2
dns-server ip_dnsserver1 ip_dnsserver2
default-router 10.0.0.101
!
ip dhcp pool my_computer_name3
host 10.0.0.104 255.255.255.0
hardware-address my_mac_address3
default-router 10.0.0.101
!
ip dhcp pool my_computer_name4 <-- port forward is to this computer
host 10.0.0.105 255.255.255.0
hardware-address my_mac_address4
!
!
!
no ip bootp server
ip domain name my_domain
ip name-server ip_dnsserver1
ip name-server ip_dnsserver2
ip inspect log drop-pkt
ip inspect max-incomplete high 8000
ip inspect max-incomplete low 7900
ip inspect one-minute low 7900
ip inspect one-minute high 8000
ip inspect udp idle-time 360
ip inspect dns-timeout 10
ip inspect tcp idle-time 7200
ip inspect tcp max-incomplete host 250 block-time 1
ip inspect tcp reassembly queue length 256
ip inspect tcp reassembly timeout 10
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
ip inspect name FW ftp
ip inspect name FW http
ip inspect name FW smtp
ip inspect name FW https
ip inspect name FW login
ip inspect name FW netstat
ip inspect name FW rtelnet
ip inspect name FW shell
ip inspect name FW ssh
ip inspect name FW sshell
ip inspect name FW snmp
ip inspect name FW syslog
ip inspect name FW telnet
ip inspect name FW telnets
ip inspect name FW tftp
no ipv6 cef
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
spoofed-acker off
!
license udi pid C887VA-W-A-K9 sn my_sn
!
!
archive
log config
hidekeys
username my_username privilege 15 password 0 my_password
!
!
!
!
!
controller VDSL 0
operating mode adsl2+ annex M
!
ip ssh time-out 90
ip ssh authentication-retries 2
!
!
!
!
!
!
!
!
!
interface ATM0
description --- ADSL ---
no ip address
no atm ilmi-keepalive
pvc 8/35
tx-ring-limit 3
encapsulation aal5snap
pppoe-client dial-pool-number 1
!
!
interface Ethernet0
no ip address
shutdown
!
interface Ethernet0.1
encapsulation dot1Q 1 native
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport trunk allowed vlan 1,1002-1005
switchport mode trunk
no ip address
!
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
ip unnumbered Vlan1
!
interface Vlan1
description --- Ethernet LAN ---
ip address 10.0.0.101 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1420
!
interface Dialer0
description --- ADSL ---
ip address negotiated
ip access-group 100 in
ip mtu 1460
ip nat outside
ip inspect FW out
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1420
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname my_username
ppp chap password 0 my_password
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
no ip nat service sip udp port 5060
ip nat inside source list NAT interface Dialer0 overload
ip nat inside source static tcp 10.0.0.105 20 my_ip_address 20 extendable <-- port forward for ftp
ip nat inside source static tcp 10.0.0.105 21 my_ip_address 21 extendable <-- port forward for ftp
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended MANAGEMENT
permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended NAT
permit ip 10.0.0.0 0.0.0.255 any
!
logging host 10.0.0.106
access-list 100 permit tcp any any eq ftp
access-list 100 permit tcp any eq ftp-data any
access-list 100 permit tcp any any eq smtp
no cdp run
!
!
!
!
!
line con 0
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 4
access-class MANAGEMENT in
transport input all
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
sntp server my_server
!
end
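The config above applies access-list 100 inbound on Dialer0. The following is an added example, not part of the original post, that models how IOS evaluates those three lines (first match wins, implicit deny at the end) against a few constructed packets. The public address 198.51.100.1 is a constructed stand-in for my_ip_address, and the outside host 203.0.113.5 is likewise made up. It does not model the dynamic return-traffic entries that "ip inspect FW out" adds in front of the ACL; only the static rules are shown.

```python
"""Evaluate the static inbound ACL (access-list 100) from the posted config.

Added example: models Cisco extended numbered ACL semantics (first match wins,
implicit 'deny ip any any' at the end). The three rules are copied from the
config; packets and addresses below are constructed for illustration.
"""
import ipaddress

# IOS port keywords that appear in the config, mapped to port numbers.
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "smtp": 25}

# The three lines from the posted config, verbatim.
ACL_100 = """
access-list 100 permit tcp any any eq ftp
access-list 100 permit tcp any eq ftp-data any
access-list 100 permit tcp any any eq smtp
"""


def _port(token):
    """Resolve an IOS port keyword or numeric port."""
    return PORT_NAMES.get(token) or int(token)


def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'.

    Returns (network, port_or_None, remaining_tokens).
    """
    if tokens[0] == "any":
        net, rest = ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    elif tokens[0] == "host":
        net, rest = ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    else:
        # IOS wildcard mask is the inverse of a netmask.
        addr, wild = tokens[0], tokens[1]
        netmask = int(ipaddress.IPv4Address(wild)) ^ 0xFFFFFFFF
        net = ipaddress.ip_network(
            (addr, str(ipaddress.IPv4Address(netmask))), strict=False)
        rest = tokens[2:]
    port = None
    if rest and rest[0] == "eq":
        port, rest = _port(rest[1]), rest[2:]
    return net, port, rest


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, sport, rest = _parse_addr(t[4:])
        dst, dport, rest = _parse_addr(rest)
        rules.append((action, proto, src, sport, dst, dport))
    return rules


def evaluate(rules, proto, src, sport, dst, dport):
    """Return 'permit' or 'deny' for one packet; unmatched packets are denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rp, rs, rsp, rd, rdp in rules:
        if rp not in (proto, "ip"):
            continue
        if s not in rs or d not in rd:
            continue
        if rsp is not None and rsp != sport:
            continue
        if rdp is not None and rdp != dport:
            continue
        return action
    return "deny"


if __name__ == "__main__":
    rules = parse_acl(ACL_100)
    public = "198.51.100.1"      # constructed stand-in for my_ip_address
    outside = "203.0.113.5"      # constructed outside client
    # FTP control connection to the forwarded port: permitted by rule 1.
    print(evaluate(rules, "tcp", outside, 51000, public, 21))
    # Rule 2 matches on SOURCE port 20 only, so any destination port passes.
    print(evaluate(rules, "tcp", outside, 20, public, 3389))
    # SSH from outside is not listed: implicit deny.
    print(evaluate(rules, "tcp", outside, 51000, public, 22))
```

The second sample packet shows the practical point of "permit tcp any eq ftp-data any": it matches on the source port alone, so it admits any TCP connection whose source port is 20, whatever the destination port. With CBAC ("ip inspect FW out" on Dialer0) opening return paths for active-mode data connections dynamically, that static line is usually unnecessary on a router like this one.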
06-25-2015 11:33 AM
Assuming your FTP client is on the same Vlan as the 10.0.0.105 FTP server, the router should not interfere.
What I am unsure of is your:
interface Ethernet0.1
encapsulation dot1Q 1 native
Was it meant for your access point on Wlan-GigabitEthernet0?
Was your Client on the wireless, on another vlan?
The line "switchport trunk allowed vlan 1,1002-1005" makes me assume you wanted to route multiple VLANs, but you forgot to create a VLAN with an IP address for the routing to happen when directly connected (or with routes).
07-01-2015 11:45 PM
Hello,
I deleted Ethernet0.1; it was a mistake, as I am only new to IOS.
The vlan switchport trunk was intended to be for my wireless LAN, which I wrote from information
found in these forums, and which seems to be working. I think vlan defaults to vlan 1; does vlan 1, 1002-1005 mean more than one VLAN?
07-02-2015 05:33 AM
switchport access vlan 1
switchport mode access
The first pair of lines means you use the switchport as a port in VLAN 1. The packets will not be tagged, which means the switchport will not look for 802.1Q tags on incoming packets from this port and will not add an 802.1Q tag to the packets on output.
switchport trunk allowed vlan 1, 5-7
switchport mode trunk
The second pair of lines means you use the switchport as a trunk allowing all packets from VLANs 1, 5, 6 and 7 to pass through. The packets will be tagged, which means the switchport will look for 802.1Q tags on incoming packets from this port and will add an 802.1Q tag to the packets on output depending on the destination VLAN.
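To make the access-versus-trunk explanation concrete, here is an added example (not from the thread) that parses an IOS allowed-VLAN list such as "1,1002-1005" and simulates what an access port and a trunk port do with tagged and untagged frames. Frames and MAC addresses are constructed. The one rule added beyond the explanation above is that a trunk sends its native VLAN untagged, which is what the posted "encapsulation dot1Q 1 native" line configures; everything else follows the description above.

```python
"""Simulate 802.1Q handling on an access port versus a trunk port.

Added example, not the thread's own material. It parses the
'switchport trunk allowed vlan' list and shows which constructed frames
each port type forwards and whether they leave tagged.
"""
import struct

TPID_8021Q = 0x8100  # EtherType that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def parse_vlan_list(spec):
    """'1,1002-1005' or '1, 5-7' -> set of VLAN IDs (ranges are inclusive)."""
    ids = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        ids.update(range(lo, hi + 1))
    return ids


def build_frame(dst, src, payload, vid=None):
    """Ethernet II frame; an 802.1Q tag is inserted after the MACs when vid is set."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP/DEI bits = 0
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def read_tag(frame):
    """Return (vid or None, frame with the tag removed)."""
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid != TPID_8021Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


def access_port_ingress(frame, access_vlan=1):
    """Access port: no tag is looked for; every frame belongs to access_vlan."""
    return access_vlan, frame


def access_port_egress(vlan, frame, access_vlan=1):
    """Access port sends only its own VLAN, always untagged."""
    return frame if vlan == access_vlan else None


def trunk_port_ingress(frame, allowed, native=1):
    """Trunk: classify by tag (untagged -> native VLAN); drop if not allowed."""
    vid, stripped = read_tag(frame)
    vlan = native if vid is None else vid
    if vlan not in allowed:
        return None, None  # dropped
    return vlan, stripped


def trunk_port_egress(vlan, frame, allowed, native=1):
    """Trunk: tag on the way out according to the frame's VLAN; native leaves untagged."""
    if vlan not in allowed:
        return None
    if vlan == native:
        return frame
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan) + frame[12:]


if __name__ == "__main__":
    # Constructed sample MACs and payload.
    dst_mac = bytes.fromhex("001122334455")
    src_mac = bytes.fromhex("66778899aabb")
    payload = b"\x45" + b"\x00" * 19  # stub IPv4 header bytes
    print(sorted(parse_vlan_list("1,1002-1005")))   # the list from the posted config
    allowed = parse_vlan_list("1, 5-7")
    tagged6 = build_frame(dst_mac, src_mac, payload, vid=6)
    print(trunk_port_ingress(tagged6, allowed)[0])   # 6: accepted on the trunk
    print(trunk_port_ingress(build_frame(dst_mac, src_mac, payload, vid=9), allowed)[0])  # None: dropped
```

Running it shows that "1,1002-1005" does name more than one VLAN (1 plus 1002 through 1005, the latter being the reserved legacy Token Ring/FDDI VLANs that IOS always lists on a trunk), and that the trunk drops a frame tagged for a VLAN outside the allowed list while the access port never inspects the tag at all.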