
FTP server can't get past gateway

I have a Cisco 1941 ISR and a SG300-20 switch in my home lab with several VLANs. I have a web server and an FTP server that normally can be accessed from the outside world; however, currently, my FTP server cannot get past my router. My network layout is below:

 

 

The FTP server is in VLAN 10, as well as my web server. My web server can get to the outside world, and as far as I can tell they are set up pretty much the same. I'm not sure how to troubleshoot this and am looking for some tips or suggestions. I can access the FTP server internally. The FTP server can ping the switch (10.1.8.1) and can ping the router's LAN link (10.1.8.2) and WAN link (75.148.101.25) but cannot ping anything past this (75.148.101.30). My running configs are below:

 

The IP addresses for the FTP server are:

Internal: 10.1.12.17

External: 75.148.101.27

 

CISCO 1941 ISR

==========================================================================

raynor#show running-config
Building configuration...

Current configuration : 2504 bytes
!
! Last configuration change at 22:36:23 UTC Sun Dec 21 2014 by jschaeffer
! NVRAM config last updated at 19:41:59 UTC Sat Dec 13 2014
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname raynor
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 ##############################
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip domain name harmonywave.com
ip name-server 75.75.75.75
ip name-server 75.75.75.76
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1941/K9 sn FGL172610ZP
!
!
username jschaeffer secret 5 ##############################
username ckrupa one-time secret 5 ##############################
!
!
ip ssh version 2
!
!
!
!
interface GigabitEthernet0/0
 description WAN link
 ip address 75.148.101.25 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
!
interface GigabitEthernet0/1
 description LAN link
 ip address 10.1.8.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool ovrld 75.148.101.25 75.148.101.25 prefix-length 24
ip nat pool web 75.148.101.26 75.148.101.26 prefix-length 24
ip nat pool ftp 75.148.101.27 75.148.101.27 prefix-length 24
ip nat inside source list 7 pool ovrld overload
ip nat inside source list 8 pool web
ip nat inside source list 9 pool ftp
ip nat inside source static 10.1.12.9 75.148.101.26
ip nat inside source static 10.1.12.17 75.148.101.27
ip route 0.0.0.0 0.0.0.0 75.148.101.30
ip route 10.1.10.0 255.255.255.224 10.1.8.1
ip route 10.1.10.32 255.255.255.224 10.1.8.1
ip route 10.1.10.64 255.255.255.192 10.1.8.1
ip route 10.1.11.0 255.255.255.0 10.1.8.1
ip route 10.1.12.0 255.255.255.0 10.1.8.1
ip route 10.1.15.0 255.255.255.0 10.1.8.1
!
access-list 7 permit 10.1.10.32 0.0.0.31
access-list 7 permit 10.1.10.0 0.0.0.31
access-list 7 permit 10.1.11.0 0.0.0.255
access-list 7 permit 10.1.12.0 0.0.0.255
access-list 7 permit 10.1.15.0 0.0.0.255
access-list 7 permit 10.1.10.64 0.0.0.63
!
no cdp run

!
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 password 567482
 login local
 transport input ssh
line vty 5 15
 password 567482
 login local
 transport input ssh
!
scheduler allocate 20000 1000
end

 

==========================================================================

 

Cisco SG300-20

==========================================================================

adjutant#show running-config
config-file-header
adjutant
v1.2.7.76 / R750_NIK_1_2_584_002
CLI v1.0
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
default-vlan vlan 100
exit
vlan database
vlan 1,10,20,30-32,90
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
bonjour interface range vlan 1
hostname adjutant
passwords complexity min-classes 4
passwords aging 90
username cisco password encrypted ############################## privilege 15
ip ssh server
snmp-server location "Server Room"
snmp-server contact "Joshua Schaeffer"
!
interface vlan 1
 no ip address dhcp
!
interface vlan 10
 name Public
 ip address 10.1.12.1 255.255.255.128
!
interface vlan 20
 name Secure
 ip address 10.1.11.1 255.255.255.0                   
!
interface vlan 30
 name Internal
 ip address 10.1.10.1 255.255.255.224
!
interface vlan 31
 name "Internal server"
 ip address 10.1.10.33 255.255.255.224
!
interface vlan 32
 name "Internal client"
 ip address 10.1.10.65 255.255.255.192
!
interface vlan 90
 name Printers/Wireless
 ip address 10.1.15.1 255.255.255.0
!
interface vlan 100
 name Management
 ip address 10.1.8.1 255.255.255.0
!
interface gigabitethernet2                            
 switchport mode access
 switchport access vlan 90
!
interface gigabitethernet3
 switchport mode access
 switchport access vlan 90
!
interface gigabitethernet4
 switchport mode access
 switchport access vlan 90
!
interface gigabitethernet5
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet6
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet7
 switchport mode access
 switchport access vlan 20                            
!
interface gigabitethernet8
 switchport trunk allowed vlan add 10,20,30-31
!
interface gigabitethernet9
 switchport trunk native vlan 30
!
interface gigabitethernet10
 switchport mode access
 switchport access vlan 31
!
interface gigabitethernet11
 switchport mode access
 switchport access vlan 31
!
interface gigabitethernet12
 switchport mode access
 switchport access vlan 31
!
interface gigabitethernet13
 switchport mode access
 switchport access vlan 31                            
!
interface gigabitethernet14
 switchport mode access
 switchport access vlan 31
!
interface gigabitethernet15
 switchport mode access
 switchport access vlan 32
!
interface gigabitethernet16
 switchport mode access
 switchport access vlan 32
!
interface gigabitethernet17
 switchport mode access
 switchport access vlan 32
!
interface gigabitethernet18
 switchport mode access
 switchport access vlan 32
!
interface gigabitethernet19                           
 switchport mode access
!
interface gigabitethernet20
 switchport mode access
!
ip route 0.0.0.0 0.0.0.0 10.1.8.2

==========================================================================

 

3 Replies

Reza Sharifi
Hall of Fame

Looking at the 1841 config, I see the NAT statements with access list 8 and 9 referenced but not access-list 8 and 9.

Can you verify?

ip nat inside source list 8 pool web
ip nat inside source list 9 pool ftp

HTH
 

Sorry for the delayed response. Yes, there are no access-lists for 8 or 9. I noticed this before, but my web server (ip nat inside source list 8 pool web) does not have an access-list and I can communicate with it from the outside world without a problem. Should I add an access list for 8 and 9 similar to 7?

Yes, add the access list and then test the FTP server connectivity again.

HTH
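A small offline check for the mismatch discussed in the replies above, as an added example that is not part of the original thread: it scans an IOS-style running-config for dynamic NAT rules whose access list or pool is never defined. The function name and regular expressions are this example's own; the sample lines are excerpted from the router config posted in the question.

```python
import re

# Constructed sample: NAT-related lines excerpted from the router config in the question.
SAMPLE_CONFIG = """\
ip nat pool ovrld 75.148.101.25 75.148.101.25 prefix-length 24
ip nat pool web 75.148.101.26 75.148.101.26 prefix-length 24
ip nat pool ftp 75.148.101.27 75.148.101.27 prefix-length 24
ip nat inside source list 7 pool ovrld overload
ip nat inside source list 8 pool web
ip nat inside source list 9 pool ftp
ip nat inside source static 10.1.12.17 75.148.101.27
access-list 7 permit 10.1.10.32 0.0.0.31
access-list 7 permit 10.1.12.0 0.0.0.255
"""

NAT_RULE = re.compile(r"^ip nat inside source list (\S+) pool (\S+)")
NUMBERED_ACL = re.compile(r"^access-list (\d+) ")
NAMED_ACL = re.compile(r"^ip access-list (?:standard|extended) (\S+)")
NAT_POOL = re.compile(r"^ip nat pool (\S+) ")


def find_dangling_nat_refs(config_text):
    """Return (undefined_acls, undefined_pools) referenced by dynamic NAT rules.

    Hypothetical helper for this example; it only reads text and never
    connects to a device.
    """
    acls, pools, rules = set(), set(), []
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := NUMBERED_ACL.match(line):
            acls.add(m.group(1))          # numbered ACL, e.g. "access-list 7 ..."
        elif m := NAMED_ACL.match(line):
            acls.add(m.group(1))          # named ACL header
        elif m := NAT_POOL.match(line):
            pools.add(m.group(1))         # NAT pool definition
        elif m := NAT_RULE.match(line):
            rules.append((m.group(1), m.group(2)))  # (acl, pool) reference
    missing_acls = sorted({acl for acl, _ in rules if acl not in acls})
    missing_pools = sorted({pool for _, pool in rules if pool not in pools})
    return missing_acls, missing_pools


if __name__ == "__main__":
    missing_acls, missing_pools = find_dangling_nat_refs(SAMPLE_CONFIG)
    print("NAT rules reference undefined access lists:", missing_acls)
    print("NAT rules reference undefined pools:", missing_pools)
```
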
