Nat problem


gpetrom

Technical User
Jan 12, 2005
47
Hi everyone

I have a 2801 router on which I have made a VPN connection with an 877 router. I have an FTP server that I want to connect to through the public IP address. I have done this with this statement:

ip nat inside source static tcp 100.100.101.9 21 ***.***.***.*** 21 extendable

The problem is that when I try to make an FTP connection through the VPN, it fails.
When I remove the above statement, it works fine.
Can someone help me with this?

Thanks all in advance

Sorry if my English is bad


 
FTP is a strange beast and it has the potential to use any number of TCP ports depending on what kind of FTP server you have.

If your server is a passive FTP server, you need to map port 21 and any port over 1023. This is the most common.

Similarly if your FTP server is an active FTP server, you should only need to map TCP ports 21 and 20.

I recently provided a solution to another Tek-tipper about how to NAT multiple ports for a passive FTP server. That solution can be found here:


Of course if your server is an active FTP server, you just need to add an additional NAT statement to capture port 20 also, i.e.:

ip nat inside source static tcp 100.100.101.9 20 ***.***.***.*** 20 extendable


Another alternative solution to all the above of course is simply to assign a spare public IP address just for use by the FTP server, i.e.:

ip nat inside source static 100.100.101.10 ***.***.***.***
 
Hi everyone

Thanks for replying

Yes, I am trying to make an FTP connection through the VPN tunnel and it does not work.
When I remove the statement I mentioned in the previous post, it works.

Thanks all in advance

Sorry if my English is bad
 
..ok...
...can you ping that FTP server's private IP address?
....and when you cannot...you have proven some type of routing problem..like that FTP server does not know how to route to your VPN client's IP address.

..and your English is better than mine..and I'm English



 
Hi DanInRaleigh

Thanks for replying

Yes, I can ping the FTP server. I don't think that it is a routing problem, because I get replies from the server, and when I remove the NAT statement it works fine.
I think that I have to do that statement with a route map that will deny forwarding packets when it sees private networks, but I don't know how I can do that.


 
Is the end of the VPN tunnel and the Static NAT statement using the same Public IP address?

UnaBomber
ccnp mcse2k
 
Thanks for replying

Yes, they are using the same public IP address, and that, I think, is the problem.

Thanks all in advance
 
Honestly, this seems a toughie, but I would suggest that it is to do with the usual NAT and IPsec compatibility problems. It doesn't obviously seem to be this, because the VPN tunnel isn't going through the router but landing on it:



Post your 2800 config and I would also suggest you debug the VPN tunnel and see if you can see at which point it drops

UnaBomber
ccnp mcse2k
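
The route-map idea raised earlier in the thread, written out as an added example that is not from any poster: on IOS, inside-to-outside NAT is applied before the crypto map is checked, so replies from 100.100.101.9:21 to a VPN peer are translated to the public address and no longer match the tunnel's crypto ACL. It assumes an IOS release that accepts `route-map` on a static port translation; `REMOTE_LAN REMOTE_WILDCARD`, ACL number 150 and the name `NONAT-FTP` are placeholders.

```cisco
! Added example, not from the thread.
! REMOTE_LAN / REMOTE_WILDCARD are placeholders for the subnet behind the 877,
! which the thread does not give. ACL 150 and NONAT-FTP are arbitrary names.
!
! Before (from the original post): every reply from 100.100.101.9:21 is
! translated, including replies headed into the tunnel.
! ip nat inside source static tcp 100.100.101.9 21 ***.***.***.*** 21 extendable
!
! After: the static translation applies only when the route-map permits.
! Traffic from the FTP server to the remote VPN subnet is denied by the ACL,
! so it keeps its private source address and still matches the crypto ACL.
access-list 150 deny   ip host 100.100.101.9 REMOTE_LAN REMOTE_WILDCARD
access-list 150 permit ip host 100.100.101.9 any
!
route-map NONAT-FTP permit 10
 match ip address 150
!
no ip nat inside source static tcp 100.100.101.9 21 ***.***.***.*** 21 extendable
ip nat inside source static tcp 100.100.101.9 21 ***.***.***.*** 21 route-map NONAT-FTP extendable
```

After the change, `show ip nat translations` should show no entry for sessions to the remote subnet, and the encaps/decaps counters in `show crypto ipsec sa` should both increase during an FTP login over the tunnel.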
 