FTP server inside DMZ - Router Config Question 1

[JasperPierce]

I've attempted to allow ftp access to the dmz only buy using the following access-list entries:
access-list 102 permit tcp any 10.1.1.0 0.0.0.255 eq ftp log
access-list 102 permit tcp any 10.1.1.0 0.0.0.255 range 9000 9010


then - noone can get to my ftp server from the outside...

so I tested the following:
access-list 102 permit tcp any any eq ftp log
access-list 102 permit tcp any any range 9000 9010

and of course it worked BUT i'm opening up my entire site on these ports.

Am i mistyping something? Please advise...

 

[UnaBomber]

First up, you havent given enough info.

Anyway -- are you using NAT? And if so how is it configured? Where are you access-lists and in what direction are they configured.

Are you aware that any packet that is going from the outside of your network to the inside will be checked against an ACL on the outside interface, inwards, before it is nated (global to local)?

UnaBomber
ccnp mcse2k

 

[DanInRaleigh]

access-list 100 permit tcp any host (outside_IP) eq ftp


ip nat inside source static tcp (inside_server_IP_address) 21 interface Dialer1 21


interface dialer1 (outside)
ip access-group 100 in


show ip nat translations

Pro Inside global Inside local Outside local Outside global
tcp 10.x.x.x:21 192.x.x.x:21 166.50.198.165:4200 166.50.198.165:4200
tcp 10.x.x.x:21 192.x.x.x:21 166.50.198.165:46919 166.50.198.165:46919
tcp 10.x.x.x:21 192.x.x.x:21 166.50.198.165:46922 166.50.198.165:46922

..only port 21/server ports/ip open for ftp action...

http://www.daniel-white.com

 

[UnaBomber]

Yes exactly, you need to allow for the global address on your ACL or it wont work. He has used his Local address... But I am presuming he has NAT configured 'the right way round'...

UnaBomber
ccnp mcse2k

 

[Ru55ell]

Jasper and Dan must work together. Good job UnaBomber!

 

[DanInRaleigh]

how do you figure Ru55ell?

http://www.daniel-white.com

 

[JasperPierce]

I came for help, not ridicule. Thank you for your posts, i will use what you've given me.

 

[DanInRaleigh]

JasperPierce,
..my configs came form a working scenario..
..dont let that discourage you there is alot of good attitude and technical wisdom on here...

..no offense to Unabomber he provides good attitude/facts/help

.but i think it is the other way around..

..maybe those two work togethor..and you know who is the boss... "good job unabomber"....what is he doing? ..kissing up..trying to get raise.. you know the type..

http://www.daniel-white.com

 

[UnaBomber]

Lets cut out the flaming:

show ip nat translations

Pro Inside global Inside local
tcp 10.x.x.x:21 192.x.x.x:21
tcp 10.x.x.x:21 192.x.x.x:21
tcp 10.x.x.x:21 192.x.x.x:21

I think your acl's and nat statements are a little confusing, because you are changing definitions:

To make it more standard I would suggest the access-list should look like this:

access-list 100 permit tcp any host [Inside_Global] eq ftp

and the nat statement should look like this:

ip nat inside source static tcp [Inside_local] 21 [Inside_global] 21

Because in this example you do not have the ip nat outside cmd configured the outside local & outside global are irrelevant.

The Inside_local address is the *actually* address of the FTP server.
The Inside_Global address is the public IP address (outside IP address) that represents the inside_local ip address to the outside world

UnaBomber
ccnp mcse2k

 

[DanInRaleigh]

..he does work for you...your protecting him now!..


..on my post i was trying to make it easier for JasperPierce but i see what your saying..

xxxxxxxxxxxxxxxx

access-list 100 permit tcp any host (outside_IP) eq ftp

ip nat inside source static tcp (inside_server_IP_address) 21 interface Dialer1 21

xxxxxxxxxxxxxxxxxxxxxxxxxx

..the outside_ip address is "the outside ip address"

the inside_server_ip_address is the actually server ip address
..it doesnt get any simpler to understand than that..


i cut and pasted the "show ip translations" from the router.
...and didnt mean to confuse anybody with that..
..cant help the way the router outputted the data..
..just showing the fact that port 21 is hard coded..and provide another tool for monitoring..

..i will join tim in the hole now....

http://www.daniel-white.com

 

[UnaBomber]

I am not protecting anyone, I am a consultant, nobody works for me

I was pointing out that what you posted was confusing, to me at least, because you didnt use the accepted standard terminology when describing NAT.

The 'outside_IP' term you used would pointed me to think you meant either the outside_global or outside_local addresses in your sh ip nat tran output.

On top of that you have interface dialer within your nat statement not inside_global...

Anyway come out of your hole...

UnaBomber
ccnp mcse2k

 

[DanInRaleigh]

..ok..i know my post are a little confusing at times.
..BUT I UNDERSTAND!!! ;-)

..lets just hope JasperPierce gets something out of it...

..i'm out..see you at the next post..

http://www.daniel-white.com

 

[JasperPierce]

Thank you all for your help, I'll come back with any further questions I might have.. I think I've got a grasp on what's missing.