
FTP-SSL - AS400 - NAT and Cisco 2600. Vendor is blaming me.

SaleenWRX

Sep 4, 2002
Let me first state I am NO Cisco expert, to say the least - more like a TOTAL newbie.

But here it goes:
My company is trying to do SSL over FTP from our AS400 using TrailBlazer software through our Cisco 2600.

Now the Cisco was set up before I became employed here. I have done basic stuff - and never had a problem.

The Cisco set up is Really basic and we Run NAT.

At first the AS400 could not be contacted through FTP - that was an easy fix - there was no NAT statement for the AS400's external IP address and port 21. I added the NAT statement and FTP works.

Now they are trying to do SSL over FTP to the AS400 with Passive mode *NO - the AS400 connects to the remote FTP site, authenticates, and it looks like all is well. Problem is, when a List command is sent no data is able to get back to the AS400.

The error message that the AS400 JobLog show is -
connection time out - can not Negotiate

In Passive Mode *Yes it works fine. But the vendor requires Passive Mode *No for production data.

The software vendor is saying the port is not open, or not open for SSL - but FTP works, and SSL works in Passive mode *YES. So I can't see how it could be our Cisco router.

Here is the current config of the Router - I have removed any IP address to protect my CO, and have not included the NAT statements for my other servers.

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname XXXXXXXXXXX
!
enable secret
enable password
!
ip subnet-zero
no ip source-route
no ip finger
!
!
!
!
!
interface Ethernet0/0
ip address 10.XX.X.X 255.255.255.0
no ip directed-broadcast
ip nat inside
no ip route-cache
no ip mroute-cache
!
interface Serial0/0
description To UUNET (wcomXXXXXXXX)
no ip address
no ip directed-broadcast
encapsulation frame-relay IETF
no ip route-cache
no ip mroute-cache
bandwidth 1536
no fair-queue
service-module t1 timeslots 1-24
frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
ip address 63.XXX.XXX.XXX 255.255.255.XXX
no ip directed-broadcast
ip nat outside
no ip route-cache
no ip mroute-cache
bandwidth 1536
frame-relay interface-dlci 500 IETF
!
ip nat pool internet 208.XXX.XX.XXX 208.XXX.XX.XXX netmask 255.255.255.XXX
ip nat inside source list 1 pool internet overload
ip nat inside source static tcp 10.XX.XX.XX 21 208.XXX.XX.XX 21 extendable (THIS IS THE AS400)
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
access-list 1 permit 10.XX.X.X 0.0.0.255
!
line con 0
exec-timeout 0 0
password
transport input none
line 33
session-timeout 900
autoselect ppp
absolute-timeout 900
login local
modem InOut
modem autoconfigure discovery
transport preferred none
transport input all
stopbits 1
flowcontrol hardware
line 34 40
autoselect ppp
login local
modem InOut
modem autoconfigure discovery
transport input all
stopbits 1
flowcontrol hardware
flowcontrol hardware
line aux 0
password
line vty 0 4
password
login
!
end


Am I missing something in order to allow SSL over FTP to the AS400 with Passive mode *NO???

The vendor is saying its our router that is not allowing this communication.
 
FTP takes TWO ports... port 20 and 21.

# allow established internal connections, required for both FTP Modes
permit 0.0.0.0 0.0.0.0 tcp est
# allow internal access to internet Normal Mode FTP Servers
permit 0.0.0.0 0.0.0.0 tcp src = 20
# allow internet access to an internal FTP Server
permit 0.0.0.0 0.0.0.0 tcp dst = 21
permit 0.0.0.0 0.0.0.0 tcp src > 1023 dst > 1023


See this article


By the way, the vendor should have known this if they insist on passive FTP

MikeS
Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 
He's right, FTP takes ports 20 and 21; however, you need to enable tcp AND udp on those ports.

-Iota
 