11-20-2012 07:31 AM - edited 03-07-2019 10:09 AM
Hello,
I set up an FTP server on Windows Server 2008 and need to access it from the Internet. I tried to put the configuration below on my router, but it is not working.
1. ip nat inside source static tcp 172.17.0.41 64321 x.x.x.x(public IP) 64321 extendable
2. ip access-list extended FTP-ACCESS
permit tcp any host x.x.x.x(public IP) eq 64321
3. class-map type inspect match-any FTP-CLASSMAP
match access-group name FTP-ACCESS
match protocol ftp
4. policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect FTP-CLASSMAP
pass log
Is this a correct approach? If not, please help me with the configuration.
Regards,
Tony
11-20-2012 07:43 AM
Hi,
You changed the FTP port from TCP 21 to TCP 64321?
Second, if you have a pass from out to in you should have a pass from in to out also; the easiest way is to have an inspect from out to in instead of pass.
Regards.
Alain
Don't forget to rate helpful posts.
11-20-2012 08:12 AM
Hello Alain,
Yes, I changed the port to 64321. So you mean to say I need to put an inspection rule from inside to outside? Is the NAT statement correct? Can I use the same class map for that?
Regards,
Tony
11-20-2012 07:44 AM
Hi Tony,
What model of ISR router are you running? Is port 64321 configured on the FTP server? Is the default route to the Internet configured?
NAT translation? Show your router configuration.
Abzal
11-20-2012 08:25 AM
Hello Abzal,
It is a 1900 Series ISR. Yeah, I configured port 64321 on the FTP server. The default route is already configured on the router.
Please see the NAT which is already present on the router:
"ip nat inside source list 120 interface GigabitEthernet0/1 overload"
Where Gi0/1 is the Internet facing interface.
ACL 120 is:
access-list 120 deny ip 172.17.0.0 0.0.255.255 192.0.0.0 0.255.255.255
access-list 120 permit ip 172.17.0.0 0.0.255.255 any
Where 172.17.x.x is our internal IP subnet and 192.x.x.x is being used by the VPN clients.
Regards,
Tony
11-20-2012 08:58 AM
Your configuration looks ok. The default route on the router is pointed to the ISP's router, right? Check the NAT table with this:
sh ip nat trans
I hope there is no ACL on interface G0/1? When you check the connection to the FTP server from outside, are you using port 64321?
Abzal
11-20-2012 09:17 AM
Hello Abzal,
Yes, the default route is configured correctly. No ACL is on the interface Gi0/1. The router is configured with a ZBFW and Gi0/1 is in the outside zone. I tried to connect using port 64321, but it is still not working. And in the 'show ip nat translation' output I can see that "Outside local & Outside global" is blank for the NAT I put in for my FTP server.
Regards,
Tony
11-20-2012 09:40 AM
Try to check the Internet connection from the FTP server.
1. Do you have a route to the subnet where the FTP server resides?
2. Is the default gateway correctly configured on the FTP server?
3. Can you ping the FTP server from the router?
4. Then check the firewall on the FTP server; perhaps it's blocking the connection?
5. Is there any firewall or router between the FTP server and this router?
Abzal
11-20-2012 09:54 AM
Hello Abzal,
The FTP server does have full Internet access. Its gateway is the router which I mentioned. I checked all the connectivity and everything seems to be working fine. I disabled the firewall on the FTP server and checked, but still no use. Also, there is no other firewall or router in between the FTP server and the router. What I wanted to know is whether my zone-based firewall is blocking the connection or not. Could you please check the class maps which I mentioned earlier?
Regards,
Tony
11-20-2012 10:28 AM
Hi,
I see now. Everything looks ok. Then just try what Alain said; fix this:
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect FTP-CLASSMAP
pass log
to be like this:
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect FTP-CLASSMAP
inspect
Hope it will help.
11-20-2012 09:28 PM
Hello Abzal,
Thank you so much for all your help. It finally worked as soon as I changed my configuration.
Regards,
Tony
11-20-2012 09:52 AM
Hi,
Your ACL should mention the private IP, not the public one.
You should change your policy-map to inspect traffic instead of pass for this class-map.
Regards.
Alain
Don't forget to rate helpful posts.
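The corrected configuration the thread converges on, written out as an added example (not posted by Tony, Alain or Abzal): the class-map ACL matches the private address 172.17.0.41 as Alain advised, and the policy-map uses inspect instead of pass as both replies recommend. The zone names, the inside interface Gi0/0, the public-IP placeholder and the optional port-map line are assumptions not in the thread.

```cisco
! Static PAT for the FTP control channel on the non-standard port (as in Tony's post;
! <PUBLIC-IP> is a placeholder for the address of Gi0/1)
ip nat inside source static tcp 172.17.0.41 64321 <PUBLIC-IP> 64321 extendable

! ZBFW classifies the packet after NAT, so the ACL must match the inside (private)
! address, not the public one
ip access-list extended FTP-ACCESS
 permit tcp any host 172.17.0.41 eq 64321

! Optional (assumed, not in the thread): tell IOS that FTP runs on 64321 so the
! application inspection can open the data channel dynamically; without it the
! ACL match still gives generic stateful TCP inspection of the control channel
ip port-map ftp port tcp 64321

class-map type inspect match-any FTP-CLASSMAP
 match access-group name FTP-ACCESS
 match protocol ftp

! inspect (stateful) rather than pass: return traffic from the server is allowed
! automatically, so no mirror "pass" rule is needed from inside to outside.
! class-default drops and logs everything else arriving from the outside zone.
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect FTP-CLASSMAP
  inspect
 class class-default
  drop log

! Zones, interface membership and the zone-pair (names assumed)
zone security INSIDE
zone security OUTSIDE
interface GigabitEthernet0/0
 ip nat inside
 zone-member security INSIDE
interface GigabitEthernet0/1
 ip nat outside
 zone-member security OUTSIDE
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY

! Verification: the static entry should appear with outside addresses filled in
! once a client connects, and the session should show up on the zone-pair
show ip nat translations
show policy-map type inspect zone-pair OUT-TO-IN sessions
```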
11-20-2012 09:58 AM
Hello Alain,
Thank you for the reply. I will change the configuration and let you know the outcome.
Regards,
Tony
11-20-2012 09:24 PM
Hello Alain,
Thank you for your help. It is working now.
Regards,
Tony