Let me first state I am NO Cisco expert to say the least - more like a TOTAL newbi. And I am Reposting this message again because I can not find a solution.
But here it goes
My company is trying to do SSL over FTP from our AS400 using TrailBlazer software threw our Cisco 2600
Now the Cisco was set up before I became employeed here. I have done basic stuff - and never had a problem.
The Cisco set up is Really basic and we Run NAT. There are NO FILTERS in place as far as I can tell from the config.
At first the AS400 could not be contacted threw FTP - that was an easy fix - there was no NAT statement for the AS400's external IP address and port 20/21. I added the NAT statement and FTP works. Did not have ANY PROBLEMS UNTILL...
Now they are trying to do SSL over FTP to the AS400 with Passive mode *NO - the AS400 connects to the remote FTP site,Authenticates, and looks like all is well. Problem is when a List command is sent no data is able to get back to the AS400.
The error message that the AS400 JobLog show is -
connection time out - can not Negotiate
In Passive Mode *Yes it works fine. But the vendor requires Passive Mode *No for production data.
The software vednor is saying the port is not open, or not open for SSL - but FTP works, SSL works in Passive mode *YES. So i cant see how it could be our Cisco router.
The vendor needs to come back to our AS400 on certain ports - 100X1 to 100X6. So I created NAT statements for the external AS400 address for these ports.
Here is the current config of the Router - I have removed any IP address to protect my CO, and have not included the NAT statements for my other servers.
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname XXXXXXXXXXX
!
enable secret
enable password
!
ip subnet-zero
no ip source-route
no ip finger
!
!
!
!
!
interface Ethernet0/0
ip address 10.XX.X.X 255.255.255.0
no ip directed-broadcast
ip nat inside
no ip route-cache
no ip mroute-cache
!
interface Serial0/0
description To UUNET (wcomXXXXXXXX)
no ip address
no ip directed-broadcast
encapsulation frame-relay IETF
no ip route-cache
no ip mroute-cache
bandwidth 1536
no fair-queue
service-module t1 timeslots 1-24
frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
ip address 63.XXX.XXX.XXX 255.255.255.XXX
no ip directed-broadcast
ip nat outside
no ip route-cache
no ip mroute-cache
bandwidth 1536
frame-relay interface-dlci 500 IETF
!
ip nat pool internet 208.XXX.XX.XXX 208.XXX.XX.XXX netmask 255.255.255.XXX
ip nat inside source list 1 pool internet overload
ip nat inside source static tcp 10.XX.XX.XX 21 208.XXX.XX.XX 21 extendable (THIS IS THE AS400)
ip nat inside source static tcp 10.XX.XX.XX 20 208.XXX.XX.XX 20 extendable (THIS IS THE AS400)
ip nat inside source static tcp 10.XX.X.X 10021 208.XX.XX.XXX 100X1 extendable (THIS IS THE AS400)
ip nat inside source static tcp 10.XX.X.X 10021 208.XX.XX.XXX 100X2 extendable (THIS IS THE AS400)
ip nat inside source static tcp 10.XX.X.X 10021 208.XX.XX.XXX 100X3 extendable (THIS IS THE AS400)
ip nat inside source static tcp 10.XX.X.X 10021 208.XX.XX.XXX 100X4 extendable (THIS IS THE AS400)
ip classless
ip nat inside source static tcp 10.XX.X.X 10021 208.XX.XX.XXX 100X5 extendable (THIS IS THE AS400)
ip nat inside source static tcp 10.XX.X.X 10021 208.XX.XX.XXX 100X6 extendable (THIS IS THE AS400)
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
access-list 1 permit 10.XX.X.X 0.0.0.255
!
line con 0
exec-timeout 0 0
password
transport input none
line 33
session-timeout 900
autoselect ppp
absolute-timeout 900
login local
modem InOut
modem autoconfigure discovery
transport preferred none
transport input all
stopbits 1
flowcontrol hardware
line 34 40
autoselect ppp
login local
modem InOut
modem autoconfigure discovery
transport input all
stopbits 1
flowcontrol hardware
flowcontrol hardware
line aux 0
password
line vty 0 4
password
login
!
end
Am I missing some thing in order to allow SSL over FTP to the AS400 with Passive mode *NO???
The vendor is saying its our router that is not allowing this communication.
I did Find this from the Cisco site -
But it clearly states -
If you are using a private internal network and using NAT (Network Address Translation) to get out to the Internet, then you will have a problem accessing Normal Mode FTP servers on the Internet. Passive Mode FTP servers are firewall friendly and you should have no problems with them. If the FTP server is on your internal network, then you will need to do some NAT Mapping in order to get it access. NAT Mapping is the answer to accessing Normal Mode FTP servers on the internet also. You will need to Map an external address to every internal address you wish to use Normal Mode FTP out to the Internet.
And thats Excatly what I have done. So why is the vendor still pointing fingers at me??
I dont have a filter in place because FTP Passive over 20 and 21 work fine. The article says you will only have to add permit lines if you have a filter. As I have said as far as my configuration looks I have no filter and this is backed up by FTP Passive working.
ANy help
???
But here it goes
My company is trying to do SSL over FTP from our AS400 using TrailBlazer software threw our Cisco 2600
Now the Cisco was set up before I became employeed here. I have done basic stuff - and never had a problem.
The Cisco set up is Really basic and we Run NAT. There are NO FILTERS in place as far as I can tell from the config.
At first the AS400 could not be contacted threw FTP - that was an easy fix - there was no NAT statement for the AS400's external IP address and port 20/21. I added the NAT statement and FTP works. Did not have ANY PROBLEMS UNTILL...
Now they are trying to do SSL over FTP to the AS400 with Passive mode *NO - the AS400 connects to the remote FTP site,Authenticates, and looks like all is well. Problem is when a List command is sent no data is able to get back to the AS400.
The error message that the AS400 JobLog show is -
connection time out - can not Negotiate
In Passive Mode *Yes it works fine. But the vendor requires Passive Mode *No for production data.
The software vednor is saying the port is not open, or not open for SSL - but FTP works, SSL works in Passive mode *YES. So i cant see how it could be our Cisco router.
The vendor needs to come back to our AS400 on certain ports - 100X1 to 100X6. So I created NAT statements for the external AS400 address for these ports.
Here is the current config of the Router - I have removed any IP address to protect my CO, and have not included the NAT statements for my other servers.
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname XXXXXXXXXXX
!
enable secret
enable password
!
ip subnet-zero
no ip source-route
no ip finger
!
!
!
!
!
interface Ethernet0/0
ip address 10.XX.X.X 255.255.255.0
no ip directed-broadcast
ip nat inside
no ip route-cache
no ip mroute-cache
!
interface Serial0/0
description To UUNET (wcomXXXXXXXX)
no ip address
no ip directed-broadcast
encapsulation frame-relay IETF
no ip route-cache
no ip mroute-cache
bandwidth 1536
no fair-queue
service-module t1 timeslots 1-24
frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
ip address 63.XXX.XXX.XXX 255.255.255.XXX
no ip directed-broadcast
ip nat outside
no ip route-cache
no ip mroute-cache
bandwidth 1536
frame-relay interface-dlci 500 IETF
!
ip nat pool internet 208.XXX.XX.XXX 208.XXX.XX.XXX netmask 255.255.255.XXX
ip nat inside source list 1 pool internet overload
ip nat inside source static tcp 10.XX.XX.XX 21 208.XXX.XX.XX 21 extendable (THIS IS THE AS400)
ip nat inside source static tcp 10.XX.XX.XX 20 208.XXX.XX.XX 20 extendable (THIS IS THE AS400)
ip nat inside source static tcp 10.XX.X.X 10021 208.XX.XX.XXX 100X1 extendable (THIS IS THE AS400)
ip nat inside source static tcp 10.XX.X.X 10021 208.XX.XX.XXX 100X2 extendable (THIS IS THE AS400)
ip nat inside source static tcp 10.XX.X.X 10021 208.XX.XX.XXX 100X3 extendable (THIS IS THE AS400)
ip nat inside source static tcp 10.XX.X.X 10021 208.XX.XX.XXX 100X4 extendable (THIS IS THE AS400)
ip classless
ip nat inside source static tcp 10.XX.X.X 10021 208.XX.XX.XXX 100X5 extendable (THIS IS THE AS400)
ip nat inside source static tcp 10.XX.X.X 10021 208.XX.XX.XXX 100X6 extendable (THIS IS THE AS400)
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
access-list 1 permit 10.XX.X.X 0.0.0.255
!
line con 0
exec-timeout 0 0
password
transport input none
line 33
session-timeout 900
autoselect ppp
absolute-timeout 900
login local
modem InOut
modem autoconfigure discovery
transport preferred none
transport input all
stopbits 1
flowcontrol hardware
line 34 40
autoselect ppp
login local
modem InOut
modem autoconfigure discovery
transport input all
stopbits 1
flowcontrol hardware
flowcontrol hardware
line aux 0
password
line vty 0 4
password
login
!
end
Am I missing some thing in order to allow SSL over FTP to the AS400 with Passive mode *NO???
The vendor is saying its our router that is not allowing this communication.
I did Find this from the Cisco site -
But it clearly states -
If you are using a private internal network and using NAT (Network Address Translation) to get out to the Internet, then you will have a problem accessing Normal Mode FTP servers on the Internet. Passive Mode FTP servers are firewall friendly and you should have no problems with them. If the FTP server is on your internal network, then you will need to do some NAT Mapping in order to get it access. NAT Mapping is the answer to accessing Normal Mode FTP servers on the internet also. You will need to Map an external address to every internal address you wish to use Normal Mode FTP out to the Internet.
And thats Excatly what I have done. So why is the vendor still pointing fingers at me??
I dont have a filter in place because FTP Passive over 20 and 21 work fine. The article says you will only have to add permit lines if you have a filter. As I have said as far as my configuration looks I have no filter and this is backed up by FTP Passive working.
ANy help
???