Passive FTP not working Cisco 871 2

Status
Not open for further replies.

evob

IS-IT--Management
Apr 16, 2008
13
NL
Hi,

I've been searching the internet for a solution to my "passive FTP problem".
I cannot get passive FTP to work (active FTP works).

I have a proftpd FTP server behind the Cisco 871, so I did a port forward to the machine:

ip nat inside source static tcp 192.168.150.2 20 193.34.88.123 20 extendable
ip nat inside source static tcp 192.168.150.2 21 193.34.88.123 21 extendable

And I made these access lists:

access-list 101 permit tcp any any eq ftp log
access-list 101 permit tcp any any eq ftp-data log

From what I understand, the "extendable" keyword should allow passive FTP sessions.

Am I right? If not, what am I doing wrong?

Thanks,

evob


Code:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret mysecret
!
aaa new-model
!
!         
aaa authentication login default local
aaa authorization exec default local 
aaa authorization network sdm_vpn_group_ml_1 local 
aaa authorization network sdm_vpn_group_ml_2 local 
aaa authorization network sdm_vpn_group_ml_3 local 
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
no ip source-route
ip cef
!
!
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name publi.nl
ip name-server 192.168.150.1
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 ftp
!
!
crypto pki trustpoint TP-self-signed-37082852
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-37082852
 revocation-check none
 rsakeypair TP-self-signed-37082852
!
!
crypto pki certificate chain TP-self-signed-37082852
 certificate self-signed 01
Blabla Blabla....
  quit
username admin privilege 15 secret mysecret
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key MyKey address 133.204.210.193
!
crypto isakmp client configuration group Thegroup
 key groupKey
 pool SDM_POOL_1
 acl 102
 include-local-lan
crypto isakmp profile sdm-ike-profile-1
   match identity group polder
   isakmp authorization list sdm_vpn_group_ml_3
   client configuration address respond
   virtual-template 1
!         
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac 
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA2 
 set isakmp-profile sdm-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel to133.204.210.193
 set peer 133.204.210.193
 set transform-set ESP-3DES-SHA ESP-3DES-SHA1 
 set pfs group2
 match address 105
!
bridge irb
!
!
!
interface Loopback0
 ip address 10.180.180.254 255.255.255.0
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$
 ip address dhcp client-id FastEthernet4
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.150.253 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
!
ip local pool SDM_POOL_1 10.180.180.30 10.180.180.60
ip classless
ip route 0.0.0.0 0.0.0.0 194.109.23.67
!
!         
no ip http server
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.150.1 3389 interface FastEthernet4 3389
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.150.1 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.150.1 25 interface FastEthernet4 25
ip nat inside source static tcp 192.168.150.2 20 193.34.88.123 20 extendable
ip nat inside source static tcp 192.168.150.2 21 193.34.88.123 21 extendable
!
ip access-list extended SSH
 permit tcp any any eq 22 log
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.150.0 0.0.0.255
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp any host 192.168.150.253 eq non500-isakmp
access-list 100 permit udp any host 192.168.150.253 eq isakmp
access-list 100 permit esp any host 192.168.150.253
access-list 100 permit ahp any host 192.168.150.253
access-list 100 permit ip 192.168.150.0 0.0.0.255 any
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark SDM_ACL Category=19
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.150.0 0.0.0.255 192.168.160.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.150.0 0.0.0.255 192.168.160.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.160.0 0.0.0.255 192.168.150.0 0.0.0.255
access-list 101 permit udp host 133.204.210.193 any eq non500-isakmp
access-list 101 permit udp host 133.204.210.193 any eq isakmp
access-list 101 permit esp host 133.204.210.193 any
access-list 101 permit ahp host 133.204.210.193 any
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit ip 192.168.150.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 permit tcp any any eq 22 log
access-list 101 permit tcp host 133.204.210.193 any eq 3389 log
access-list 101 permit tcp host 233.44.5.179 any eq 3389 log
access-list 101 permit tcp any any eq www log
access-list 101 permit tcp any any eq ftp log
access-list 101 permit tcp any any eq ftp-data log
access-list 101 permit tcp any any eq smtp log
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip host 192.168.150.4 any
access-list 103 permit tcp any any eq 22 log
access-list 104 permit tcp any any eq 443 log
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.150.0 0.0.0.255 192.168.160.0 0.0.0.255
no cdp run
!         
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CCCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 103 in
 terminal-type ssh
 transport preferred ssh
 transport input telnet ssh
 transport output none
!         
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
 
I solved it!

I had to inspect incoming ftp.

I applied the following command on interface FA4:

ip inspect DEFAULT100 in

That's it.

Case closed.

Thanks!


evob
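Why the static NAT and ACL entries alone were not enough, shown as an added example that is not part of this thread: a passive-mode server answers PASV with a 227 reply naming an ephemeral port, and the inbound SYN to that port matches neither "eq ftp" nor "eq ftp-data" in access-list 101, so only a hole learned by the ftp inspector ("ip inspect ... in" on the outside interface) lets it through. The ACL model is deliberately simplified to the two FTP lines on the page, the 227 reply is constructed, and the address 193.34.88.123 is the public address from the poster's config.

```python
import re

# A 227 reply carries the address and data port as six decimal octets:
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" with port = p1*256 + p2.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str):
    """Return (host, port) announced in a 227 reply, or None if malformed."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    octets = [int(m.group(i)) for i in range(1, 7)]
    if any(not 0 <= o <= 255 for o in octets):
        return None  # reject out-of-range octets rather than compute a bogus port
    host = ".".join(str(o) for o in octets[:4])
    return host, octets[4] * 256 + octets[5]


# Simplified model of the only two FTP lines in access-list 101 on the page:
# "permit tcp any any eq ftp" (21) and "permit tcp any any eq ftp-data" (20).
STATIC_ACL_PORTS = {21, 20}


def inbound_permitted(dst_port: int, dynamic_holes: set) -> bool:
    """Inbound SYN on FastEthernet4: allowed by a static ACL line or by a
    temporary hole the inspector opened; otherwise the implicit deny applies."""
    return dst_port in STATIC_ACL_PORTS or dst_port in dynamic_holes


def passive_data_connection_allowed(reply: str, inspect_in: bool) -> bool:
    """Does the client's inbound data connection reach the server?

    With "ip inspect DEFAULT100 in" on the outside interface the ftp
    inspector watches the control channel, reads the 227 reply and opens a
    hole for exactly that port; without it nothing matches the ephemeral port.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return False
    _, port = parsed
    holes = {port} if inspect_in else set()
    return inbound_permitted(port, holes)


# Constructed sample reply: port 195*256 + 80 = 50000.
SAMPLE_PASV = "227 Entering Passive Mode (193,34,88,123,195,80).\r\n"
```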
 
EVOB,


Why don't you apply the inspect in on the inside interface, VLAN1?
 
Hi bgpfreek,

Why should I do that?
Is it better to place it on the VLAN?

Off-topic question:
Does anyone know who is the moderator of this 'cisco router' forum?

thanks,

evob
 
I would stick with int fa4, since that's the only interface that the firewall needs to inspect ftp. If you put the ip inspect inbound on vlan1, then the inspect ftp will happen on all interfaces in vlan1. Your only ftp server is on fa4, so I would think that this is the better way to go---leave it as it is.

Burt
 
Thanks, that really helps a lot. I thought it was going to take a bunch of time to get this figured out.
 
Cheers. This fixed my FTP woes....
They don't teach you this on the CCNA.....

 