Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

FTP-SSL - AS400 - NAT and Cisco 2600. Vendor is blameing Me.

Status
Not open for further replies.

SaleenWRX

MIS
Sep 4, 2002
12
US
Let me first state I am NO Cisco expert to say the least - more like a TOTAL newbi.

But here it goes
My company is trying to do SSL over FTP from our AS400 using TrailBlazer software threw our Cisco 2600

Now the Cisco was set up before I became employeed here. I have done basic stuff - and never had a problem.

The Cisco set up is Really basic and we Run NAT.

At first the AS400 could not be contacted threw FTP - that was an easy fix - there was no NAT statement for the AS400's external IP address and port 21. I added the NAT statement and FTP works.

Now they are trying to do SSL over FTP to the AS400 with Passive mode *NO - the AS400 connects to the remote FTP site,Authenticates, and looks like all is well. Problem is when a List command is sent no data is able to get back to the AS400.

The error message that the AS400 JobLog show is -
connection time out - can not Negotiate

In Passive Mode *Yes it works fine. But the vendor requires Passive Mode *No for production data.

The software vednor is saying the port is not open, or not open for SSL - but FTP works, SSL works in Passive mode *YES. So i cant see how it could be our Cisco router.

Here is the current config of the Router - I have removed any IP address to protect my CO, and have not included the NAT statements for my other servers.

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname XXXXXXXXXXX
!
enable secret
enable password
!
ip subnet-zero
no ip source-route
no ip finger
!
!
!
!
!
interface Ethernet0/0
ip address 10.XX.X.X 255.255.255.0
no ip directed-broadcast
ip nat inside
no ip route-cache
no ip mroute-cache
!
interface Serial0/0
description To UUNET (wcomXXXXXXXX)
no ip address
no ip directed-broadcast
encapsulation frame-relay IETF
no ip route-cache
no ip mroute-cache
bandwidth 1536
no fair-queue
service-module t1 timeslots 1-24
frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
ip address 63.XXX.XXX.XXX 255.255.255.XXX
no ip directed-broadcast
ip nat outside
no ip route-cache
no ip mroute-cache
bandwidth 1536
frame-relay interface-dlci 500 IETF
!
ip nat pool internet 208.XXX.XX.XXX 208.XXX.XX.XXX netmask 255.255.255.XXX
ip nat inside source list 1 pool internet overload
ip nat inside source static tcp 10.XX.XX.XX 21 208.XXX.XX.XX 21 extendable (THIS IS THE AS400)
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
access-list 1 permit 10.XX.X.X 0.0.0.255
!
line con 0
exec-timeout 0 0
password
transport input none
line 33
session-timeout 900
autoselect ppp
absolute-timeout 900
login local
modem InOut
modem autoconfigure discovery
transport preferred none
transport input all
stopbits 1
flowcontrol hardware
line 34 40
autoselect ppp
login local
modem InOut
modem autoconfigure discovery
transport input all
stopbits 1
flowcontrol hardware
flowcontrol hardware
line aux 0
password
line vty 0 4
password
login
!
end


Am I missing some thing in order to allow SSL over FTP to the AS400 with Passive mode *NO???

The vendor is saying its our router that is not allowing this communication.
 
FTP takes TWO ports... port 20 and 21.

# allow established internal connections, required for both FTP Modes
permit 0.0.0.0 0.0.0.0 tcp est
# allow internal access to internet Normal Mode FTP Servers
permit 0.0.0.0 0.0.0.0 tcp src = 20
# allow internet access to an internal FTP Server
permit 0.0.0.0 0.0.0.0 tcp dst = 21
permit 0.0.0.0 0.0.0.0 tcp src > 1023 dst > 1023


See this article


By the way, the vendor should have known this if they insist on passive FTP

MikeS
Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 
He's right, FTP takes ports 20 and 21; however, you need to enable tcp AND udp on those ports.

-Iota
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top