
887VAW ftp server access

digbym650
Level 1

Hello,

I have a few computers connected to a 887VAW router, which is in turn connected to the Internet via an ISP.

One computer is running an FTP server. I can log in to the FTP server from outside my network, showing that the port forward is working; however, I am unable to log in from inside my network, i.e. out of my network and then back in again.

Do I need to add additional, or modify existing code to do this?

Here is my code

 

Router;

no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
!
hostname my_router_name
!
boot-start-marker
boot-end-marker
!
!
logging buffered 65535
logging console informational
enable password my_password1
!
aaa new-model
!
!
aaa authentication banner ^CUnauthorized Access Prohibited^C
aaa authentication fail-message ^CFailed login. Try again.^C
aaa authentication login default local
aaa authentication enable default enable
aaa authentication ppp default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone
clock summer-time
!
!
no ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.0.0.1 10.0.0.101
ip dhcp excluded-address 10.0.0.114 10.0.0.254
!
ip dhcp pool lan
 import all
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.101
 dns-server ip_dnsserver1 ip_dnsserver2
 lease infinite
!
ip dhcp pool my_computer_name1
 host 10.0.0.103 255.255.255.0
 hardware-address my_mac_address1
!
ip dhcp pool my_computer_name2                      
 host 10.0.0.102 255.255.255.0
 hardware-address my_mac_address2
 dns-server ip_dnsserver1 ip_dnsserver2
 default-router 10.0.0.101
!
ip dhcp pool my_computer_name3                        
 host 10.0.0.104 255.255.255.0
 hardware-address my_mac_address3
 default-router 10.0.0.101
!
ip dhcp pool my_computer_name4                       <-- port forward is to this computer
 host 10.0.0.105 255.255.255.0
 hardware-address my_mac_address4
!

!
!
no ip bootp server
ip domain name my_domain
ip name-server ip_dnsserver1
ip name-server ip_dnsserver2
ip inspect log drop-pkt
ip inspect max-incomplete high 8000
ip inspect max-incomplete low 7900
ip inspect one-minute low 7900
ip inspect one-minute high 8000
ip inspect udp idle-time 360
ip inspect dns-timeout 10
ip inspect tcp idle-time 7200
ip inspect tcp max-incomplete host 250 block-time 1
ip inspect tcp reassembly queue length 256
ip inspect tcp reassembly timeout 10
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
ip inspect name FW ftp
ip inspect name FW http
ip inspect name FW smtp
ip inspect name FW https
ip inspect name FW login
ip inspect name FW netstat
ip inspect name FW rtelnet
ip inspect name FW shell
ip inspect name FW ssh
ip inspect name FW sshell
ip inspect name FW snmp
ip inspect name FW syslog
ip inspect name FW telnet
ip inspect name FW telnets
ip inspect name FW tftp
no ipv6 cef
!
parameter-map type inspect global
 log dropped-packets enable
 max-incomplete low 18000
 max-incomplete high 20000
 spoofed-acker off
!
license udi pid C887VA-W-A-K9 sn my_sn
!
!
archive
 log config
  hidekeys
username my_username privilege 15 password 0 my_password
!
!
!
!
!
controller VDSL 0
 operating mode adsl2+ annex M
!
ip ssh time-out 90
ip ssh authentication-retries 2
!
!
!
!
!
!
!
!
!
interface ATM0
 description --- ADSL ---
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  tx-ring-limit 3
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
 !
!
interface Ethernet0
 no ip address
 shutdown
!
interface Ethernet0.1
 encapsulation dot1Q 1 native
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 no ip address
!
interface wlan-ap0
 description Embedded Service module interface to manage the embedded AP
 ip unnumbered Vlan1
!
interface Vlan1
 description --- Ethernet LAN ---
 ip address 10.0.0.101 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1420
!
interface Dialer0
 description --- ADSL ---
 ip address negotiated
 ip access-group 100 in
 ip mtu 1460
 ip nat outside
 ip inspect FW out
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1420
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname my_username
 ppp chap password 0 my_password
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
no ip nat service sip udp port 5060
ip nat inside source list NAT interface Dialer0 overload
ip nat inside source static tcp 10.0.0.105 20 my_ip_address 20 extendable   <-- port forward for ftp
ip nat inside source static tcp 10.0.0.105 21 my_ip_address 21 extendable   <-- port forward for ftp

ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended MANAGEMENT
 permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended NAT
 permit ip 10.0.0.0 0.0.0.255 any
!
logging host 10.0.0.106
access-list 100 permit tcp any any eq ftp
access-list 100 permit tcp any eq ftp-data any
access-list 100 permit tcp any any eq smtp
no cdp run
!
!
!
!
!
line con 0
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line vty 0 4
 access-class MANAGEMENT in
 transport input all
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
sntp server my_server
!
end

3 Replies

Shawn Guertin
Level 1

Assuming your FTP client is on the same Vlan as the 10.0.0.105 FTP server, the router should not interfere.

What I am unsure of is your:

interface Ethernet0.1
 encapsulation dot1Q 1 native

Was it meant for your access point on Wlan-GigabitEthernet0?

Was your Client on the wireless, on another vlan?

vlan switchport trunk allowed vlan 1,1002-1005 makes me assume you wanted to route multiple vlans but you forgot to create a vlan with an IP address for the routing to happen when directly connected (or with routes).

 

Hello,

I deleted Ethernet0.1; that was removed as it was a mistake, as I am only new to IOS.

The vlan switchport trunk was intended to be for my wireless LAN, which I wrote from information found in these forums, which seems to be working. I think vlan defaults to vlan1; does vlan 1, 1002-1005 mean more than one vlan?

switchport access vlan 1

switchport mode access

Red means you use the switchport as a port in vlan 1. The packets will not be tagged, which means the switchport will not look for 802.1q tags on incoming packets from this port and will not add a 802.1q tag to the packets on the output.

 

switchport trunk allowed vlan 1, 5-7

switchport mode trunk

Blue means you use the switchport as a trunk allowing all packets from vlan 1, 5, 6 and 7 to pass through. The packets will be tagged, which means the switchport will look for 802.1q tags on incoming packets from this port and will add a 802.1q tag to the packets on the output depending on the destination vlan.
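
The allowed-VLAN lists and tagging behaviour discussed in the replies above, as an added example that is not part of the original thread: it expands lists such as `1,1002-1005` and `1, 5-7` into individual VLAN IDs and models 802.1Q tag insertion, trunk filtering and access-port untagging. The function names and the sample frame are constructed for illustration, and native-VLAN (untagged) handling on the trunk is not modelled.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def parse_allowed_vlans(spec):
    """Expand an IOS-style list such as '1,1002-1005' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not (1 <= lo <= hi <= 4094):
            raise ValueError(f"invalid VLAN range: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans

def add_tag(frame, vid, pcp=0):
    """Insert a 4-byte 802.1Q tag after the destination and source MACs."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def read_tag(frame):
    """Return (vid, untagged_frame); vid is None when no tag is present."""
    if len(frame) < 16:
        return None, frame
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None, frame
    return tci & 0x0FFF, frame[:12] + frame[16:]

def trunk_ingress(frame, allowed):
    """Trunk port: accept a tagged frame only if its VLAN is in the allowed list."""
    vid, inner = read_tag(frame)
    if vid is None or vid not in allowed:
        return None  # dropped (untagged/native-VLAN traffic is not modelled)
    return vid, inner

def access_egress(frame):
    """Access port: the frame leaves without an 802.1Q tag."""
    return read_tag(frame)[1]

# Constructed sample frame: dst MAC, src MAC, EtherType IPv4, dummy payload.
SAMPLE = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"payload"

if __name__ == "__main__":
    allowed = parse_allowed_vlans("1, 5-7")
    print(sorted(parse_allowed_vlans("1,1002-1005")))
    print(trunk_ingress(add_tag(SAMPLE, 6), allowed))
    print(trunk_ingress(add_tag(SAMPLE, 9), allowed))
```

Keeping the allowed list on a trunk as short as the design needs limits which VLANs a device on that link can reach.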
