
Difference between 871W and 851 and FTP

I've acquired an 871W, because I'd like to use wireless, to replace my 851.  I FTPd the 851's configuration to my FTP server and then FTPd this to the 871W.  Save for the fact that this has a radio interface (currently shutdown), everything works save for FTP from the outside.  I cannot even telnet to port 21 of any of the internal FTP servers.  I can telnet to any other port (ssh, smtp, http, https, etc.) but FTP will not pass.  What's the difference???

Hall of Fame Expert

Difference between 871W and 851 and FTP

Hello Brian,

Post your configuration after changing the public IP addresses and removing usernames and passwords, to be on the safe side.

The new device has a newer IOS image and some default settings can be changed; it is not possible to say more without looking at the configuration.

Hope to help

Giuseppe

Beginner

Re: Difference between 871W and 851 and FTP

Here it is... it's been pared down to the bare essentials.  I've elided any crypto and addresses.

Beginner

Re: Difference between 871W and 851 and FTP

No idea(s)?  It doesn't make any sense that the same config on one router (851) does not allow FTP on the other (871).

Hall of Fame Expert

Difference between 871W and 851 and FTP

Hello Brian,

Try the following:

    int fas4
     no ip inspect MYFW out

This is to understand if the IP inspect affects FTP access (this is likely).

Different IOS version, different behaviour: this is one of the rules of the game.

Hope to help

Giuseppe

Beginner

Re: Difference between 871W and 851 and FTP

Wilco.  However, it will have to wait until later today when I can swap the 871W back into place.

Beginner

Re: Difference between 871W and 851 and FTP

No success...  In fact, I removed any and all references to IP INSPECT. 

From the Cisco itself:

    Cisco871W#telnet 192.168.1.4 21
    Trying 192.168.1.4, 21 ... Open
    220-This FTP server only accepts ANONYMOUS FTP
    220 FTP server ready
    QUIT
    425 Session is disconnected.
    [Connection to 192.168.1.4 closed by foreign host]

    Cisco871W#telnet 192.168.1.4 21 /source-interface fa4
    Trying 192.168.1.4, 21 ...
    % Connection timed out; remote host not responding

This 871W will simply not pass port 21!!!

Beginner

Re: Difference between 871W and 851 and FTP

Somebody here must have or must have had one of these Cisco 871Ws, and must have had need to allow ftp from the outside to the inside.  Please.  This is maddening.  Also, I've discovered, while trying to use 'host -T', that it too is being denied to the inside.  So, it looks like both port 21 (FTP command; not sure if FTP-data is also affected, since I can't get FTP from the outside in to know) and port 53 TCP are not passing through.

Beginner

Re: Difference between 871W and 851 and FTP

Hi Brian,

Here is what I would do:

Take ip nat enable off of both interfaces and just use "ip nat inside" and "ip nat outside".  I would also use PAT instead of NAT, just to rule things out.

i.e.

    ! make sure you have an entry for 21 (ftp) and 20 (ftp-data)
    ip nat inside source static tcp 192.168.1.2 21 aa.bb.cc.pp 21
    ip nat inside source static tcp 192.168.1.2 20 aa.bb.cc.pp 20

Make sure to remove the one-to-one NAT for 192.168.1.2 as well, just for this test.

I would also make sure I can ping all the way to the router from the FTP server and that no software firewall is on the server.

Thanks!

Nick

EDIT: Brian, as a last resort, after configuring the above, put a "deny 192.168.1.2" as the top/1st entry of access list 1.  I have had to do this in the past in situations like this.  I know it sounds strange, but it has worked for me.

EDIT2: Sorry for constant edits, but can you change access-list 1 to an extended access list?

    ip access-list extended NAT_L
     deny ip host 192.168.1.2 any
     permit ip 192.168.1.0 0.0.0.255 any

Message was edited by: Nick Bonifacio

Nick Bonifacio CCIE #38473
Beginner

Re: Difference between 871W and 851 and FTP

Nick,

I'll give your suggestions a go with the hope that this academic exercise will shed some light.  However, I will need to have FTP open for all of the systems on the inside.

I have a concert gig this evening.  I'll try out your suggestions tomorrow barring any interference from clients.

Beginner

Re: Difference between 871W and 851 and FTP

Nick,

I tested FTP access from an outside host with 'telnet {external-IP} 21' as I began to configure each of the items you mentioned.  The first thing I did was the 'no ip NAT enable' on 'interface FastEthernet4'.  As soon as I removed it, I was able to access FTP port 21!  I stopped and tested a full FTP 'get' from one of the internal FTP servers.  It worked!  I then tested to see if BIND would now respond to TCP requests using a 'host -T ...' command.  It too worked!  I'll have to pull out the Cisco handbook and try to better understand what that 'ip NAT enable' was doing.

Thanks*E+06!!!  It would appear that the great mystery has been solved!  I can now go back to the original configuration of the router now that I know what to dismantle from it.  In addition, I'll now have wireless on this subnet too!
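An added example, not written by anyone in this thread: a small Python check that scans IOS configuration text for an interface carrying `ip nat enable` together with `ip nat inside`/`ip nat outside`, the combination removed above, and for translation rules that mix `ip nat source` with `ip nat inside source`. The sample configuration, its addresses and the function name are constructed; the thread does not show the real configuration.

```python
import re

# Constructed sample config; the thread does not show Brian's actual configuration.
SAMPLE_CONFIG = """\
interface FastEthernet4
 ip nat outside
 ip nat enable
!
interface Vlan1
 ip nat inside
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat source static tcp 192.168.1.2 21 203.0.113.10 21
"""

LEGACY_IF = re.compile(r"ip nat (inside|outside)$")
LEGACY_RULE = re.compile(r"ip nat (inside|outside) source ")


def audit_nat_styles(config_text):
    """Flag places where legacy NAT and 'ip nat enable' style NAT are mixed."""
    per_if = {}          # interface name -> NAT styles seen on it
    rules = set()        # NAT styles used by global translation rules
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = line.split(None, 1)[1]
            per_if[current] = set()
        elif raw.startswith(" ") and current is not None:
            if LEGACY_IF.match(line):
                per_if[current].add("inside/outside")
            elif line == "ip nat enable":
                per_if[current].add("enable")
        else:
            current = None   # back at global configuration level
            if LEGACY_RULE.match(line):
                rules.add("inside/outside")
            elif line.startswith("ip nat source "):
                rules.add("enable")
    findings = [f"{name}: 'ip nat enable' together with 'ip nat inside/outside'"
                for name, seen in per_if.items() if len(seen) == 2]
    if len(rules) == 2:
        findings.append("global: 'ip nat source' and 'ip nat inside source' rules mixed")
    return findings

if __name__ == "__main__":
    for finding in audit_nat_styles(SAMPLE_CONFIG):
        print(finding)
```

Run against a saved `show running-config`, an empty result means each interface and the rule set use only one NAT style.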

Beginner

Re: Difference between 871W and 851 and FTP

Brian,

Great news!  Don't forget to rate the answers you found helpful.

Thanks!

Nick

Nick Bonifacio CCIE #38473


Beginner

Re: Difference between 871W and 851 and FTP

Certainly, as soon as I figure out where and how.
