01-20-2005 03:48 AM
I want to forward the FTP port (21) to a local machine.
With my current configuration, when I try to connect it says: connection refused.
When I try to see the IP and port (http://www.canyouseeme.org/) it gives:
Error: I could not see your service on xxx.xxx.xxx.xxx on port (21)
Reason: Connection refused
The start-conf is:
====================================================
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXXXX
!
no logging buffered
enable secret 5 XXXXX
!
ip subnet-zero
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip urlfilter alert
ip audit notify log
ip audit po max-events 100
!
!
interface Ethernet0
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip tcp adjust-mss 1452
!
interface BRI0
no ip address
shutdown
!
interface ATM0
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/35
pppoe-client dial-pool-number 1
!
dsl operating-mode etsi
!
interface Dialer1
ip address negotiated
ip access-group 111 in
ip mtu 1492
ip nat outside
ip inspect myfw out
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer remote-name redback
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname XXXXX
ppp chap password 0 XXXXX
ppp pap sent-username XXXXX password 0 XXXXX
!
ip nat translation timeout 900
ip nat translation tcp-timeout 900
ip nat translation max-entries 1000
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.12 21 interface Dialer1 21
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit tcp any any eq ftp
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
dialer-list 1 protocol ip permit
!
!
line con 0
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 120 0
password XXXXX
login local
length 0
!
scheduler max-task-time 5000
!
end
====================================================
Any idea?
Thanks in advance
Pedro
01-20-2005 05:00 AM
I think this is more likely to be about your FTP host than about your router configuration. Is the FTP server accessible from a machine on the same subnet? Does the FTP server have any security configured on it?
Kevin Dorrell
Luxembourg
01-20-2005 05:29 AM
I can connect to the server in the subnet (ftp 192.168.0.12).
In the site http://www.canyouseeme.org/ I can't access port 21.
Pedro
01-20-2005 05:38 AM
Pedro,
These addresses, the 192.168.x.y addresses, are not routable across the Internet. If you are asking canyouseeme.org to connect to 192.168.0.12, then I'm sure it cannot see you.
Kevin Dorrell
Luxembourg
01-20-2005 07:26 AM
Misunderstanding.
First you asked if I can reach the server from the subnet. OK, I can, by the address 192.168.0.x.
Then, with no connection, I say that I can't reach the FTP port from the internet with the IP address given by the ISP.
01-20-2005 08:05 AM
Sorry about the misunderstanding.
Studying your config again, I see what you are trying to do, but it's not a configuration I have any experience with yet. However, I have found a TAC paper about it, and I shall read it to see if it gives any clues what could be going wrong here. Here it is:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml
Kevin Dorrell
Luxembourg
01-20-2005 07:46 PM
Pedro,
I was thinking more about your problem. I don't see anything wrong with the config, but I can suggest some debugging steps.
If you do a show ip nat translations, do you see the static entry for the FTP? If not, I would try removing the dynamic translation, and see if the static one turns up. If you do see the static entry, I would try a debug ip nat, and try again from canyouseeme.org. Warning: when you do this everything gets process switched, so the CPU takes a dive.
The example in the document I gave you is almost exactly the same as yours except for the port number and the fact that they specify the inside global address, whereas you take it from the negotiated IP address of the dialer interface. I think it should work, but you could try setting up the call, reading your negotiated address, then putting it directly in the static NAT command, just to see if the problem is related to getting the negotiated address from a dialer interface.
Clearly the dialer call has to be established before canyouseeme.org can see your site, unless you have some agreement with your ISP about placing incoming calls.
Let me know how you get on.
Kevin Dorrell
Luxembourg
01-21-2005 06:01 AM
It works!!!
If I try from outside, it works.
If I do it from inside (from a computer in the subnet 192.168.0.x), it doesn't work.
Is it normal?
Thanks for the help.
01-21-2005 06:51 AM
Which bit got it working, removing the dynamic NAT, or specifying the IP address explicitly on the static NAT?
I guess it wouldn't work from the inside. If you are addressing the router's own IP address, the connection would terminate on the router. It's complicated, and I'll have to think it through.
Kevin Dorrell
Luxembourg
01-28-2005 06:39 AM
Hi, sorry for the late reply.
This is the actual configuration; I did nothing.
At first it didn't work because I tried from inside with the global address.
Thanks for the help.
Pedro
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXXXX
!
no logging buffered
enable secret 5 XXXXX/
!
ip subnet-zero
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip urlfilter alert
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
interface Ethernet0
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip tcp adjust-mss 1452
!
interface BRI0
no ip address
shutdown
!
interface ATM0
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/35
pppoe-client dial-pool-number 1
!
dsl operating-mode etsi
!
interface Dialer1
ip address negotiated
ip access-group 111 in
ip mtu 1492
ip nat outside
ip inspect myfw out
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer remote-name redback
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname XXXXX
ppp chap password 0 XXXXX
ppp pap sent-username XXXXX password 0 XXXXX
!
ip nat translation timeout 900
ip nat translation tcp-timeout 900
ip nat translation max-entries 1000
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.7 20 interface Dialer1 20
ip nat inside source static tcp 192.168.0.7 21 interface Dialer1 21
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit tcp any any eq ftp
access-list 111 permit tcp any any eq ftp-data
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
dialer-list 1 protocol ip permit
!
line con 0
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 120 0
password XXXXX
login local
length 0
!
scheduler max-task-time 5000
!
end
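As an added example that is not part of this thread, the check below cross-references each static port forward on the outside interface against that interface's inbound access list, which is the consistency mistake most likely to produce "connection refused" on a forwarded port with a config shaped like the ones above (the inbound ACL ends in `deny ip any any`, so every forwarded port needs its own permit). The config snippets are constructed subsets of the thread's two configurations; the port-keyword table is an assumption covering only the keywords used here.

```python
import re

# IOS port keywords seen in the thread's ACLs (assumed mapping, not exhaustive)
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "www": 80, "domain": 53}

STATIC_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\S+) interface (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\d+) permit (tcp|udp) any any eq (\S+)$")
GROUP_RE = re.compile(r"^ip access-group (\d+) in$")


def port_num(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def check_forwards(config):
    """Return (proto, inside_host, global_port) for every static forward whose
    global port is not explicitly permitted by the inbound ACL on the outside
    interface the forward is bound to."""
    forwards, acl_permits, acl_of_iface, iface = [], {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split()[1]            # sub-commands that follow belong here
        elif m := GROUP_RE.match(line):
            acl_of_iface[iface] = m.group(1)   # inbound ACL applied on this interface
        elif m := STATIC_RE.match(line):
            proto, host, lport, bound, gport = m.groups()
            forwards.append((proto, host, bound, port_num(gport)))
        elif m := ACL_RE.match(line):
            acl_permits.setdefault(m.group(1), set()).add((m.group(2), port_num(m.group(3))))
    missing = []
    for proto, host, bound, gport in forwards:
        acl = acl_of_iface.get(bound)
        if acl is not None and (proto, gport) not in acl_permits.get(acl, set()):
            missing.append((proto, host, gport))
    return missing


# Constructed subset of the final (working) config: both forwards are permitted.
WORKING_CONFIG = """interface Dialer1
 ip access-group 111 in
 ip nat outside
ip nat inside source static tcp 192.168.0.7 20 interface Dialer1 20
ip nat inside source static tcp 192.168.0.7 21 interface Dialer1 21
access-list 111 permit tcp any any eq ftp
access-list 111 permit tcp any any eq ftp-data
access-list 111 deny ip any any
"""

# Constructed variant: port 20 forward added but the ftp-data permit forgotten.
BROKEN_CONFIG = WORKING_CONFIG.replace("access-list 111 permit tcp any any eq ftp-data\n", "")
```

Note that this only catches ACL/NAT mismatches; it does not model `ip inspect`, and it says nothing about the inside-to-global-address case, which fails for the reason Kevin gives above (the connection terminates on the router rather than traversing the NAT).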