10-11-2012 10:15 AM - edited 03-07-2019 09:24 AM
I've acquired an 871W, because I'd like to use wireless, to replace my 851. I FTPd the 851's configuration to my FTP server and then FTPd this to the 871W. Save for the fact that this has a radio interface (currently shutdown), everything works save for FTP from the outside. I can not even telnet to port 21 of any of the internal FTP servers. I can telnet to any other port (ssh, smtp, http, https, etc.) but FTP will not pass. What's the difference???
10-11-2012 10:35 AM
Hello Brian,
Post your configuration after having changed public IP addresses and removed usernames and passwords, to be safe.
The new device has a newer IOS image and some default settings may have changed; it is not possible to say more without looking at the configuration.
Hope to help
Giuseppe
10-11-2012 10:50 AM
10-12-2012 07:32 AM
No idea(s)? It doesn't make any sense that the same config on one router (851) does not allow FTP on the other (871).
10-12-2012 08:41 AM
Hello Brian,
try the following:
interface FastEthernet4
no ip inspect MYFW out
This is to understand if the IP inspect affects FTP access (this is likely).
Different IOS version, different behaviour: this is one of the rules of the game.
Hope to help
Giuseppe
10-12-2012 10:37 AM
Wilco. However, it will have to wait until later today when I can swap the 871W back into place.
10-13-2012 08:06 AM
No success... In fact, I removed any and all references to IP INSPECT.
From the Cisco itself:
Cisco871W#telnet 192.168.1.4 21
Trying 192.168.1.4, 21 ... Open
220-This FTP server only accepts ANONYMOUS FTP
220 FTP server ready
QUIT
425 Session is disconnected.
[Connection to 192.168.1.4 closed by foreign host]
Cisco871W#telnet 192.168.1.4 21 /source-interface fa4
Trying 192.168.1.4, 21 ...
% Connection timed out; remote host not responding
This 871W will simply not pass port 21!!!
10-14-2012 07:12 AM
Somebody here must have or must have had one of these Cisco 871Ws, and must have had need to allow FTP from the outside to the inside. Please. This is maddening. Also, I've discovered, while trying to use 'host -T', that it too is being denied to the inside. So, it looks like both port 21 (FTP command; not sure if FTP-data is also affected, since I can't get FTP from the outside in to know) and port 53 TCP are not passing through.
10-14-2012 08:49 AM
Hi Brian,
Here is what I would do:
Take ip nat enable off of both interfaces and just use "ip nat inside" and "ip nat outside". I would also use PAT instead of NAT, just to rule things out.
i.e.
! classic NAT syntax: ip nat inside source static tcp <local-ip> <local-port> <global-ip> <global-port>
ip nat inside source static tcp 192.168.1.2 21 aa.bb.cc.pp 21
ip nat inside source static tcp 192.168.1.2 20 aa.bb.cc.pp 20
! make sure you have an entry for 21 (ftp) and 20 (ftp-data)
make sure to remove the one to one NAT for 192.168.1.2 as well, just for this test.
I would also make sure I can ping all the way to the router from the FTP server and that no software firewall is on the server.
Thanks!
Nick
EDIT: Brian, as a last resort, after configuring the above, put a "deny 192.168.1.2" as the top/1st entry of access list 1. I have had to do this in the past in situations like this. I know it sounds strange, but it has worked for me.
EDIT2: Sorry for constant edits, but can you change access-list 1 to an extended access list?
ip access-list extended NAT_L
 deny ip host 192.168.1.2 any
 permit ip 192.168.1.0 0.0.0.255 any
Message was edited by: Nick Bonifacio
10-14-2012 01:53 PM
Nick,
I'll give your suggestions a go with the hope that this academic exercise will shed some light. However, I will need to have FTP open for all of the systems on the inside.
I have a concert gig this evening. I'll try out your suggestions tomorrow barring any interference from clients.
10-15-2012 04:24 AM
Nick,
I tested FTP access from an outside host with 'telnet {external-IP} 21' as I began to configure each of the items you mentioned. The first thing I did was the 'no ip nat enable' on 'interface FastEthernet4'. As soon as I removed it, I was able to access FTP port 21! I stopped and tested a full FTP 'get' from one of the internal FTP servers. It worked! I then tested to see if BIND would now respond to TCP requests using a 'host -T ...' command. It too worked! I'll have to pull out the Cisco handbook and try to better understand what that 'ip nat enable' was doing.
Thanks*E+06!!! It would appear that the great mystery has been solved! I can now go back to the original configuration of the router now that I know what to dismantle from it. In addition, I'll now have wireless on this subnet too!
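The thread's outcome is a configuration pattern worth checking for automatically: 'ip nat enable' (NAT Virtual Interface mode) on the interfaces, combined with static TCP/21 and TCP/53 forwards, did not pass those ports on this 871W, while classic 'ip nat inside'/'ip nat outside' NAT with the same forwards did. The following Python script is an added example, not code from this thread or from Cisco. It parses a running-config text, reports which NAT mode each interface uses, collects the static port forwards (both the NVI 'ip nat source static' and the classic 'ip nat inside source static' forms), and flags the NVI pattern and a TCP/21 forward that has no matching TCP/20 (ftp-data) entry. The two configs embedded in it are constructed to resemble Brian's before and after state (the 203.0.113.10 address and the interface names are assumptions).

```python
"""Audit a Cisco IOS running-config for the NAT pattern discussed in this thread.

Added illustration, not a Cisco tool. The NVI finding is based only on what the
thread reports: with 'ip nat enable' on both interfaces, inbound TCP/21 and
TCP/53 forwards did not pass on the 871W; classic inside/outside NAT did.
"""
import re
from dataclasses import dataclass, field

# Classic NAT:  ip nat inside source static tcp <local-ip> <lport> <global-ip> <gport> [extendable]
# NVI NAT:      ip nat source static tcp <local-ip> <lport> <global-ip> <gport>
STATIC_RE = re.compile(r"^ip nat (?:inside )?source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")


@dataclass
class NatAudit:
    nvi_interfaces: list = field(default_factory=list)   # interfaces with 'ip nat enable'
    inside: list = field(default_factory=list)           # interfaces with 'ip nat inside'
    outside: list = field(default_factory=list)          # interfaces with 'ip nat outside'
    forwards: dict = field(default_factory=dict)         # (proto, global_port) -> (local_ip, local_port)
    findings: list = field(default_factory=list)


def parse_interfaces(config):
    """Yield (interface_name, [stripped sub-lines]) for each 'interface X' block.

    IOS indents interface sub-commands by one space and closes blocks with '!'.
    """
    name, body = None, []
    for line in config.splitlines():
        if line.startswith("interface "):
            if name:
                yield name, body
            name, body = line.split(None, 1)[1], []
        elif name and line.startswith(" "):
            body.append(line.strip())
        elif name and line.strip() == "!":
            yield name, body
            name, body = None, []
    if name:
        yield name, body


def audit_nat(config):
    """Return a NatAudit describing NAT mode, static forwards and any findings."""
    a = NatAudit()
    for name, body in parse_interfaces(config):
        if "ip nat enable" in body:
            a.nvi_interfaces.append(name)
        if "ip nat inside" in body:
            a.inside.append(name)
        if "ip nat outside" in body:
            a.outside.append(name)
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            proto, local_ip, lport, _global_ip, gport = m.groups()
            a.forwards[(proto, int(gport))] = (local_ip, int(lport))

    if a.nvi_interfaces:
        a.findings.append("nvi-mode: 'ip nat enable' on %s; thread reports TCP/21 and TCP/53 forwards "
                          "failing in this mode, use 'ip nat inside'/'ip nat outside' instead"
                          % ", ".join(a.nvi_interfaces))
    if a.nvi_interfaces and (a.inside or a.outside):
        a.findings.append("mixed-mode: both NVI and classic NAT directives present")
    if not a.nvi_interfaces and not (a.inside and a.outside):
        a.findings.append("classic NAT incomplete: need both 'ip nat inside' and 'ip nat outside'")
    if ("tcp", 21) in a.forwards and ("tcp", 20) not in a.forwards:
        a.findings.append("ftp: TCP/21 forwarded without TCP/20 (ftp-data); active-mode transfers may fail")
    return a


# Constructed sample: NVI-mode NAT, roughly the state before the fix.
BEFORE_CONFIG = """\
interface FastEthernet4
 ip address 203.0.113.10 255.255.255.248
 ip nat enable
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat enable
!
ip nat source list 1 interface FastEthernet4 overload
ip nat source static tcp 192.168.1.2 21 203.0.113.10 21
"""

# Constructed sample: classic inside/outside NAT with both FTP ports forwarded.
AFTER_CONFIG = """\
interface FastEthernet4
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.2 21 203.0.113.10 21 extendable
ip nat inside source static tcp 192.168.1.2 20 203.0.113.10 20 extendable
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        result = audit_nat(cfg)
        print(label, "forwards:", sorted(result.forwards))
        for f in result.findings or ["no findings"]:
            print("  -", f)
```

Run it against a saved 'show running-config' to see which interfaces are in NVI mode and which port forwards exist before touching the router; the "ftp" finding is the same point Nick made about needing both the 21 and 20 entries.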
10-15-2012 04:29 AM
Brian,
Great news! Don't forget to rate the answers you found helpful.
Thanks!
Nick
10-15-2012 04:58 AM
Certainly, as soon as I figure out where and how.