
Ftp through cisco 1721, ios 12.2

Status
Not open for further replies.

tracydfl (MIS, US), Jul 10, 2003
Hey guys,

I'm trying to FTP into my web server. For some reason it's not working. I've read other forums and have tried their suggestions and nothing seems to work. I permit ports 20-21. And I have the line "permit tcp any host X.X.X.X gt 1023 established" in my ACL.

I'm also NATing; do I need anything defined in my NAT commands for the higher ports?

If I show the statistics for my access-list, I see matches for all three lines: ftp, ftp-data and ports > 1023.

What am I missing?

Thanks.

 
The error message I get now is "A socket operation was attempted to an unreachable network" using SmartFTP.

Here is my config. I have my ACL on the incoming side of S0.

Cisco1721#sh run
Building configuration...

Current configuration : 4657 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
!
!
ip subnet-zero
!
!
no ip domain-lookup
!
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name FastEthernet_0 tcp
ip inspect name FastEthernet_0 udp
ip inspect name FastEthernet_0 cuseeme
ip inspect name FastEthernet_0 ftp
ip inspect name FastEthernet_0 h323
ip inspect name FastEthernet_0 rcmd
ip inspect name FastEthernet_0 realaudio
ip inspect name FastEthernet_0 smtp
ip inspect name FastEthernet_0 streamworks
ip inspect name FastEthernet_0 vdolive
ip inspect name FastEthernet_0 sqlnet
ip inspect name FastEthernet_0 tftp
ip inspect name Serial_0 udp
ip inspect name Serial_0 smtp
ip inspect name Serial_0 tcp
ip inspect name Serial_0 ftp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
!
!
!
interface FastEthernet0
description connected to My Company
ip address x.x.x.x 255.255.255.0
ip access-group 100 in
ip nat inside
ip inspect FastEthernet_0 in
speed auto
!
interface Serial0
description connected to Internet
ip address x.x.x.x 255.255.255.252
ip access-group 106 in
ip nat outside
ip inspect Serial_0 in
encapsulation ppp
!
router rip
version 2
passive-interface Serial0
network x.x.x.x
no auto-summary
!
ip nat pool Cisco1721-natpool-1 x.x.x.x x.x.x.x netmask 255.255.255.240
ip nat inside source list 1 pool Cisco1721-natpool-1 overload
ip nat inside source static tcp x.x.x.x 110 x.x.x.x 110 extendable
ip nat inside source static tcp x.x.x.x 25 x.x.x.x 25 extendable
ip nat inside source static tcp x.x.x.x 80 x.x.x.x 80 extendable
ip nat inside source static udp x.x.x.x 53 x.x.x.x 53 extendable
ip nat inside source static tcp x.x.x.x 110 x.x.x.x 110 extendable
ip nat inside source static tcp x.x.x.x 25 x.x.x.x 25 extendable
ip nat inside source static tcp x.x.x.x 80 x.x.x.x 80 extendable
ip nat inside source static udp x.x.x.x 53 x.x.x.x 53 extendable
ip nat inside source static tcp x.x.x.x 46 x.x.x.x 46 extendable
ip nat inside source static tcp x.x.x.x 80 x.x.x.x 80 extendable
ip nat inside source static tcp x.x.x.x 20 x.x.x.x 20 extendable
ip nat inside source static udp x.x.x.x 53 x.x.x.x 53 extendable
ip nat inside source static tcp x.x.x.x 3389 x.x.x.x 3389 extendable
ip nat inside source static tcp x.x.x.x 1494 x.x.x.x 1494 extendable
ip nat inside source static udp x.x.x.x 1604 x.x.x.x 1604 extendable
ip nat inside source static tcp x.x.x.x 80 x.x.x.x 80 extendable
ip nat inside source static tcp x.x.x.x 3389 x.x.x.x 3389 extendable
ip nat inside source static tcp x.x.x.x 20 x.x.x.x 20 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
ip pim bidir-enable
!
!
access-list 1 permit x.x.x.x 0.0.0.255
access-list 100 permit ip any any
access-list 106 permit udp any host x.x.x.x eq domain
access-list 106 permit tcp any host x.x.x.x eq www
access-list 106 permit tcp any host x.x.x.x eq smtp
access-list 106 permit tcp any host x.x.x.x eq pop3
access-list 106 permit tcp any host x.x.x.x range ftp-data ftp established
access-list 106 permit tcp any host x.x.x.x gt 1023 established
access-list 106 permit tcp any host x.x.x.x eq 46
access-list 106 permit udp any host x.x.x.x eq 1604
access-list 106 permit tcp any host x.x.x.x eq 1494
access-list 106 permit tcp any host x.x.x.x eq www
access-list 106 permit tcp any host x.x.x.x eq 3389
access-list 106 permit tcp any host x.x.x.x eq www
access-list 106 permit udp any host x.x.x.x eq domain
access-list 106 permit tcp any host x.x.x.x range ftp-data ftp established
access-list 106 permit tcp any host x.x.x.x gt 1023 established
access-list 106 permit tcp any host x.x.x.x eq 3389
access-list 106 permit tcp any host x.x.x.x eq smtp
access-list 106 permit tcp any host x.x.x.x eq pop3
!
snmp-server location My Company
snmp-server contact Me
banner motd ^CUnauthorized Access is prohibited.

If you have no business being here, then leave.

Thank You, Have a wonderful day.^C
!
line con 0
exec-timeout 0 0

login
line aux 0
line vty 0 4

login
!
end
 
Double check your ip nat static commands. It could be a typo, but the above config shows port 25 two times and does not show port 21. I am assuming you do not have this error.

Your access-list states FTP connections established, as an input access-list. This could not work. Delete the established statement for the FTP entries and test it again.
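To check a config like the one posted above for the two problems this reply raises (a service port the inbound ACL opens with no matching static NAT, and an "established" keyword on an inbound service entry, which only ever matches reply packets), here is an added Python audit script. It is not from the thread; SAMPLE_CONFIG is a constructed excerpt that keeps the post's x.x.x.x placeholders, and the port-keyword table covers only the names used in this ACL.

```python
# Constructed excerpt of the config posted above (addresses left as x.x.x.x, as in the post).
SAMPLE_CONFIG = """\
ip nat inside source static tcp x.x.x.x 25 x.x.x.x 25 extendable
ip nat inside source static tcp x.x.x.x 80 x.x.x.x 80 extendable
ip nat inside source static tcp x.x.x.x 20 x.x.x.x 20 extendable
access-list 106 permit tcp any host x.x.x.x eq www
access-list 106 permit tcp any host x.x.x.x eq smtp
access-list 106 permit tcp any host x.x.x.x range ftp-data ftp established
access-list 106 permit tcp any host x.x.x.x gt 1023 established
"""

# IOS keywords for the well-known ports that appear in the thread's ACL.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "smtp": 25, "www": 80, "pop3": 110, "domain": 53}

def port_num(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def static_nat_ports(config):
    """Set of (proto, outside_port) covered by 'ip nat inside source static' lines."""
    ports = set()
    for line in config.splitlines():
        f = line.split()
        # ip nat inside source static <proto> <in-local> <lport> <in-global> <gport> [extendable]
        if f[:5] == ["ip", "nat", "inside", "source", "static"] and len(f) >= 10:
            ports.add((f[5], port_num(f[9])))
    return ports

def acl_service_entries(config, acl_id):
    """Yield (proto, port, has_established) for each eq/range entry of one numbered ACL."""
    for line in config.splitlines():
        f = line.split()
        if f[:3] != ["access-list", acl_id, "permit"] or len(f) < 4 or f[3] not in ("tcp", "udp"):
            continue
        est = f[-1] == "established"
        if "eq" in f:
            yield f[3], port_num(f[f.index("eq") + 1]), est
        elif "range" in f:  # 'gt 1023 established' return-traffic rules are deliberately skipped
            i = f.index("range")
            for p in range(port_num(f[i + 1]), port_num(f[i + 2]) + 1):
                yield f[3], p, est

def audit(config, acl_id="106"):
    """Return (ports the ACL opens with no static NAT, service entries tagged 'established')."""
    nat = static_nat_ports(config)
    missing_nat = {(pr, p) for pr, p, _ in acl_service_entries(config, acl_id) if (pr, p) not in nat}
    bad_established = {(pr, p) for pr, p, est in acl_service_entries(config, acl_id) if est}
    return sorted(missing_nat), sorted(bad_established)
```

On the sample it reports tcp/21 as permitted but untranslated, and flags both ftp-data and ftp for the stray "established" keyword, matching the two findings above.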
 
The two port 25s are correct, but you are right that I don't have any port 21 translations. How do I add a static NAT? I used ConfigMaker for the original config and haven't found any info on how to add a nat static command to the pool.
 
I figured out how to add the NAT mapping to S0. After adding port 21, FTP worked; oversight on my part.
 