Difference between 871W and 851 and FTP

VAXman
Level 1

I've acquired an 871W, because I'd like to use wireless, to replace my 851.  I FTPd the 851's configuration to my FTP server and then FTPd this to the 871W.  Save for the fact that this has a radio interface (currently shutdown), everything works save for FTP from the outside.  I cannot even telnet to port 21 of any of the internal FTP servers.  I can telnet to any other port (ssh, smtp, http, https, etc.) but FTP will not pass.  What's the difference???

Accepted Solutions

Brian,

Great news!  Don't forget to rate the answers you found helpful.

Thanks!

Nick

Nick Bonifacio CCIE #38473

Giuseppe Larosa
Hall of Fame

Hello Brian,

Post your configuration after changing the public IP addresses and removing usernames and passwords, to be safe.

The new device has a newer IOS image and some default settings can be changed; it is not possible to say more without looking at the configuration.

Hope to help

Giuseppe

Here it is... it's been pared down to the bare essentials.  I've elided any crypto and addresses.

No idea(s)?  It doesn't make any sense that the same config on one router (851) does not allow FTP on the other (871).

Hello Brian,

try the following:

int fas4

no ip inspect MYFW out

This is to understand if the IP inspect affects FTP access (this is likely).

Different IOS version, different behaviour: this is one of the rules of the game.

Hope to help

Giuseppe

Wilco.  However, it will have to wait until later today when I can swap the 871W back into place.

No success...  In fact, I removed any and all references to IP INSPECT. 

From the Cisco itself:

Cisco871W#telnet 192.168.1.4 21

Trying 192.168.1.4, 21 ... Open

220-This FTP server only accepts ANONYMOUS FTP

220 FTP server ready

QUIT

425 Session is disconnected.

[Connection to 192.168.1.4 closed by foreign host]

Cisco871W#telnet 192.168.1.4 21 /source-interface fa4

Trying 192.168.1.4, 21 ...

% Connection timed out; remote host not responding

This 871W will simply not pass port 21!!!

Somebody here must have or must have had one of these Cisco 871Ws, and must have had need to allow FTP from the outside to the inside.  Please.  This is maddening.  Also, I've discovered, while trying to use 'host -T', that it too is being denied to the inside.  So, it looks like both port 21 (FTP command; not sure if FTP-data is also affected, since I can't get FTP from the outside in to know) and port 53 TCP are not passing through.

Hi Brian,

Here is what I would do:

Take ip nat enable off of both interfaces and just use "ip nat inside" and "ip nat outside".  I would also use PAT instead of NAT, just to rule things out.

i.e.

! make sure you have an entry for 21 (ftp) and 20 (ftp-data)

ip nat inside source static tcp 192.168.1.2 21 aa.bb.cc.pp 21

ip nat inside source static tcp 192.168.1.2 20 aa.bb.cc.pp 20

Make sure to remove the one-to-one NAT for 192.168.1.2 as well, just for this test.

I would also make sure I can ping all the way to the router from the FTP server and that no software firewall is on the server.

Thanks!

Nick

      

EDIT: Brian, as a last resort, after configuring the above, put a "deny 192.168.1.2 " as the top/1st entry of access list 1.  I have had to do this in the past in situations like this.  I know it sounds strange, but it has worked for me.

EDIT2: Sorry for constant edits, but can you change access-list 1 to an extended access list?

ip acces ex NAT_L

deny ip host 192.168.1.2 any

permit ip 192.168.1.0 0.0.0.255 any

Message was edited by: Nick Bonifacio

Nick Bonifacio CCIE #38473

Nick,

I'll give your suggestions a go with the hope that this academic exercise will shed some light.  However, I will need to have FTP open for all of the systems on the inside.

I have a concert gig this evening.  I'll try out your suggestions tomorrow barring any interference from clients.

Nick,

I tested FTP access from an outside host with 'telnet {external-IP} 21' as I began to configure each of the items you mentioned.  The first thing I did was the 'no ip NAT enable' on 'interface FastEthernet4'.  As soon as I removed it, I was able to access FTP port 21!  I stopped and tested a full FTP 'get' from one of the internal FTP servers.  It worked!  I then tested to see if BIND would now respond to TCP requests using a 'host -T ...' command.  It too worked!  I'll have to pull out the Cisco handbook and try to better understand what that 'ip NAT enable' was doing.

Thanks*E+06!!!  It would appear that the great mystery has been solved!  I can now go back to the original configuration of the router now that I know what to dismantle from it.  In addition, I'll now have wireless on this subnet too!
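
A check for the condition this thread tracked down, added here as an example and not posted by anyone in the thread: it scans an IOS configuration for interfaces that carry `ip nat enable` (NAT Virtual Interface) alongside `ip nat inside`/`ip nat outside`, and for NAT rules written in one style when no interface is enabled for that style. The sample configuration is constructed (addresses, the `NAT_L` list and interface layout are placeholders), and the function names are hypothetical.

```python
import re

# Constructed sample: the outside interface carries both NAT styles,
# which is the condition the thread removed. All values are placeholders.
SAMPLE_CONFIG = """\
interface FastEthernet4
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
 ip nat enable
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source list NAT_L interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.2 21 203.0.113.2 21
"""

def nat_modes_by_interface(config):
    """Map each interface name to the NAT keywords configured under it."""
    modes, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface\s+(\S+)", line)
        if header:
            current = header.group(1)
            modes[current] = set()
        elif not line.startswith(" "):
            current = None  # any unindented line ends the interface block
        elif current:
            m = re.match(r"\s+ip nat (inside|outside|enable)\s*$", line)
            if m:
                modes[current].add(m.group(1))
    return modes

def audit_nat(config):
    """Return findings where legacy and NVI NAT configuration are mixed."""
    findings = []
    modes = nat_modes_by_interface(config)
    for name, found in sorted(modes.items()):
        legacy = sorted(found & {"inside", "outside"})
        if "enable" in found and legacy:
            findings.append(f"{name}: 'ip nat enable' mixed with 'ip nat {legacy[0]}'")
    used = set().union(*modes.values())
    if re.search(r"^ip nat source ", config, re.M) and "enable" not in used:
        findings.append("NVI rule ('ip nat source') but no interface has 'ip nat enable'")
    if (re.search(r"^ip nat (inside|outside) source ", config, re.M)
            and not used & {"inside", "outside"}):
        findings.append("legacy rule but no interface has 'ip nat inside' or 'ip nat outside'")
    return findings
```
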

Brian,

Great news!  Don't forget to rate the answers you found helpful.

Thanks!

Nick

Nick Bonifacio CCIE #38473

Certainly, as soon as I figure out where and how.
