I'm banging my head on this issue. I have two public IP addresses, one I use for web traffic and another for ftp and sftp traffic. I'm able to get to my web server from outside my network without any issues. I can ping the server and port 80 and 443 are accessible. However, I can't get to my ftp server at all on any port, no ping response, and traceroute fails. I'm thinking the problem is on my ISP's end, but I don't know for sure. Here is all the configuration I have done:
router#show running-config
...
interface GigabitEthernet0/0
description WAN link
ip address 75.148.101.25 255.255.255.248
ip access-group 100 in
ip nat outside
ip virtual-reassembly in
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
ipv6 address 2601:681:500:7900::2/64
ipv6 enable
ipv6 nd prefix 2601:681:500:7900::/64 no-advertise
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
ipv6 verify unicast source reachable-via any
no cdp enable
service-policy output WAN-EDGE-8-CLASS
!
interface GigabitEthernet0/1
description LAN link
ip address 10.1.100.2 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
ipv6 address 2620:5:E000:1064::2/64
ipv6 enable
ipv6 nd prefix 2620:5:E000:1064::/64 no-advertise
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
ipv6 rip RIPng1 enable
ipv6 verify unicast source reachable-via any
no cdp enable
...
ip nat pool web 75.148.101.26 75.148.101.26 prefix-length 24
ip nat pool ftp 75.148.101.27 75.148.101.27 prefix-length 24
ip nat inside source list 8 pool web
ip nat inside source list 9 pool ftp
ip nat inside source static 10.1.10.2 75.148.101.26
ip nat inside source static 10.1.10.66 75.148.101.27
...
access-list 8 permit 10.1.10.2
access-list 9 permit 10.1.10.66
When I am outside my network I can ping my web server, but not my ftp server:
PS C:\Users\jschaeffer> ping 75.148.101.26
Pinging 75.148.101.26 with 32 bytes of data:
Reply from 75.148.101.26: bytes=32 time=61ms TTL=49
Reply from 75.148.101.26: bytes=32 time=64ms TTL=49
Reply from 75.148.101.26: bytes=32 time=62ms TTL=49
Reply from 75.148.101.26: bytes=32 time=62ms TTL=49
Ping statistics for 75.148.101.26:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 61ms, Maximum = 64ms, Average = 62ms
PS C:\Users\jschaeffer> ping 75.148.101.27
Pinging 75.148.101.27 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 75.148.101.27:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Same with a traceroute:
PS C:\Users\jschaeffer> tracert 75.148.101.26
Tracing route to 75-148-101-26-Utah.hfc.comcastbusiness.net [75.148.101.26]
over a maximum of 30 hops:
1 2 ms 1 ms 1 ms hsrp-cn120.lehi.micron.com [10.192.120.1]
2 46 ms 2 ms 45 ms b11mr0-cr1-core-b11mr0-cs1-cn.lehi.micron.com [10.192.1.121]
3 5 ms 1 ms 1 ms b10wmr0-cs1-int-b11mr0-cs1-core.lehi.micron.com [10.192.1.214]
4 3 ms 1 ms 1 ms 70.103.123.4
5 4 ms 3 ms 4 ms t3-2-2-2--0.gw02.slkc.eli.net [209.210.44.57]
6 23 ms 22 ms 24 ms be11.sc01.slkcutxd.integra.net [209.63.98.49]
7 29 ms 29 ms 22 ms be4.sc01.sntdcabl.integra.net [209.63.82.166]
8 25 ms 23 ms 23 ms be1.br02.snjucacl.integra.net [209.63.100.126]
9 22 ms 23 ms 22 ms be-133-pe03.11greatoaks.ca.ibone.comcast.net [173.167.56.197]
10 24 ms 23 ms 22 ms hu-0-3-0-1-cr01.9greatoaks.ca.ibone.comcast.net [68.86.85.233]
11 * * * Request timed out.
12 38 ms 38 ms 38 ms be-7922-ar01.sandy.ut.utah.comcast.net [68.86.90.146]
13 39 ms 38 ms 39 ms be-1-sur02.orem.ut.utah.comcast.net [162.151.49.202]
14 53 ms 53 ms 53 ms te-7-1-acr06.orem.ut.utah.comcast.net [162.151.39.86]
15 60 ms 61 ms 61 ms c-24-10-211-128.hsd1.ut.comcast.net [24.10.211.128]
16 48 ms 48 ms 47 ms 75-148-101-25-Utah.hfc.comcastbusiness.net [75.148.101.25] <--- My WAN link
17 64 ms 65 ms 64 ms 75-148-101-26-Utah.hfc.comcastbusiness.net [75.148.101.26]
18 62 ms 62 ms 62 ms 75-148-101-26-Utah.hfc.comcastbusiness.net [75.148.101.26]
Trace complete.
PS C:\Users\jschaeffer> tracert 75.148.101.27
Tracing route to 75-148-101-27-Utah.hfc.comcastbusiness.net [75.148.101.27]
over a maximum of 30 hops:
1 2 ms 1 ms 1 ms hsrp-cn120.lehi.micron.com [10.192.120.1]
2 <1 ms <1 ms <1 ms b11mr0-cr1-core-b11mr0-cs1-cn.lehi.micron.com [10.192.1.121]
3 2 ms <1 ms 1 ms b10wmr0-cs1-int-b11mr0-cs1-core.lehi.micron.com [10.192.1.214]
4 1 ms 1 ms 1 ms 70.103.123.4
5 4 ms 3 ms 3 ms t3-2-2-2--0.gw02.slkc.eli.net [209.210.44.57]
6 25 ms 22 ms 29 ms be11.sc01.slkcutxd.integra.net [209.63.98.49]
7 26 ms 22 ms 23 ms be4.sc01.sntdcabl.integra.net [209.63.82.166]
8 23 ms 22 ms 22 ms be1.br02.snjucacl.integra.net [209.63.100.126]
9 22 ms 23 ms 22 ms be-133-pe03.11greatoaks.ca.ibone.comcast.net [173.167.56.197]
10 23 ms 23 ms 24 ms hu-0-4-0-0-cr01.9greatoaks.ca.ibone.comcast.net [68.86.86.209]
11 * * * Request timed out.
12 38 ms 38 ms 40 ms be-7922-ar01.sandy.ut.utah.comcast.net [68.86.90.146]
13 39 ms 38 ms 39 ms be-1-sur02.orem.ut.utah.comcast.net [162.151.49.202]
14 53 ms 53 ms 52 ms te-7-1-acr06.orem.ut.utah.comcast.net [162.151.39.86]
15 60 ms 61 ms 63 ms c-24-10-211-128.hsd1.ut.comcast.net [24.10.211.128]
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.
You can see that the traceroute fails at the 24.10.211.128 address, which is not in my network. I've called and talked to my ISP about this, but they say everything is setup correctly on their end. I've also setup a packet capture on my router to see if the packets were even getting there in the first place and I'm not seeing anything. I just followed this documentation.
router#monitor capture buffer BUF size 10240 max-size 9500
router#monitor capture buffer BUF filter access-list BUF-FILTER
router#monitor capture point ip cef POINT all both
The first test I did was with my web server to make sure I setup the capture properly.
router(config)#ip access-list extended BUF-FILTER
router(config-ext-nacl)permit ip host 70.103.123.8 host 75.148.101.26
router(config-ext-nacl)permit ip host 75.148.101.26 host 70.103.123.8
I then started the capture point, ran a ping and traceroute, and then stopped the capture point. I can see several ICMP requests. I've attached the file (router-buf_www.txt). I then changed my access list to my FTP server, cleared the buffer, and reran the same test. When I look at the packet capture I don't see any data, it is completely empty.
A couple things I've noticed but not sure about:
- Sometimes when I ping or traceroute my FTP site the response back is: Reply from 24.10.211.128: Destination host unreachable. instead of Request timed out.
- In the packet capture of the web server I only see echo reply's. Shouldn't I be seeing the echo requests too? Why would I not see these? Is that something to do with the capture buffer and/or point?
