FTP server behind Cisco 877w router, customised port

Unanswered Question
Jun 27th, 2007

Hi everyone,

I am setting up an FTP server on Windows Server 2003 behind a Cisco 877w router. As port 21 is used for another server, I use another port (e.g. 12345). The server works fine when I am in the LAN. However, I can't connect to it from outside. I have checked the following:

- no firewall in my PC and in the server (turned off to test)

- I have enabled port forwarding TCP:12345 on the router (please see the router config)

- I am using SmartFTP client. The error is: [08:56:39] No connection could be made because the target machine actively refused it.

[08:56:39] Client closed the connection.

[08:56:39] Cannot login waiting to retry (30s)...

[08:56:39] Active Help: http://www.smartftp.com/support/kb/index.php/58

My questions are:

1) How can we check which ports are open on a Cisco router?

2) How can we check which ports are open on a PC?

3) Does my router config have the right settings? Why isn't the FTP server working?

I am not sure if this is the right forum, if not, could someone please move this thread? Thank you very much for everyone's help.

Best regards,

Triet

kerek@banknet.net Wed, 06/27/2007 - 22:43

Hi,

FTP uses two ports, one for control and one for data. You have to make NAT for both.

In response to your questions:

1. you can check the NAT translations with

show ip nat translation

2. netstat -a

3. You will have to map the FTP data port to an outside IP/port as well. I don't know whether the IOS FW makes trouble, as it does contain an ftp statement, but I believe it refers to the standard ports (20/21).

Hope it helps; rate if it does.

Krisztian

trietgiang Thu, 06/28/2007 - 21:23

Hi Krisztian,

I didn't know FTP uses two ports. Anyway, here is what I have done:

- set a passive port range of 5500-5700 (TCP) on Windows 2003 for the data connection

- set port forwarding on a range of those ports, using this thread: http://bc.whirlpool.net.au/forum-replies-archive.cfm/202317.html

    ip nat pool FN_FTP 10.1.1.1 10.1.1.1 netmask 255.255.255.0 type rotary
    ip nat inside source static tcp 10.1.1.1 12345 interface Dialer0 12345
    ip nat inside source route-map FN_RMAP interface Dialer0 overload
    ip nat inside destination list 101 pool FN_FTP

- adjust the ACL:

    access-list 101 remark FTP
    access-list 101 permit tcp any host 10.1.1.1 eq 12345
    access-list 101 remark FTP
    access-list 101 permit tcp any range 5500 5700 host 10.1.1.1 range 5500 5700

plus this:

    interface Dialer0
     ip access-group 101 in

The problem is still there. I can't access from the outside. Am I on the right path? Thank you.

Triet

kerek@banknet.net Thu, 06/28/2007 - 23:37

Hi,

I don't see why you configured destination NAT. This is how FTP works:

In active FTP, the client makes an active open to the FTP server at port 21. It uses a port number > 1023 as its port for the control connection. The client then opens a new port (passive open) as its data port and sends this port number across to the server using the PORT command. The server then opens a data connection (active open) to the data port specified in the PORT command of the client. The server uses port 20 as its data connection port.

So it looks like you don't need to specify a NAT statement other than for the control port (12345).

I think that the IOS FW is configured to receive FTP on ports 21/20 and 12345 is not configured at all. Let's try to bypass the IOS FW for the duration of the test to see whether it is causing the problem. If so, then the IOS FW should be tuned.

Hope it helps,

Krisztian
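The two-connection behaviour described in the replies above is why a NAT device or firewall has to read the FTP control channel rather than just forward one port: both the client's PORT command and the server's 227 passive reply carry an IP address and a port inside the payload, encoded as h1,h2,h3,h4,p1,p2. The Python below is an added illustration and is not part of this thread or of either poster's configuration. It decodes that encoding, classifies which side opens the data connection, and shows the rewrite a NAT's FTP helper must perform when the server announces its private address (as 10.1.1.1 would be here). The sample control lines and the public address 203.0.113.7 are constructed for the example; the 5500-5700 range is the one the poster configured.

```python
import re

# Constructed sample control-channel lines (not taken from the thread).
# Active mode: the client sends PORT h1,h2,h3,h4,p1,p2 and the server connects to it.
# Passive mode: the server replies 227 (...) and the client connects to it.
SAMPLE_PORT_CMD = "PORT 192,168,1,50,19,137"
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (10,1,1,1,21,124)"

# Passive data-port range the poster configured on the Windows 2003 server.
PASSIVE_RANGE = (5500, 5700)

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by PORT and by the 227 reply.

    Returns (ip, port); the port is p1 * 256 + p2.  Every field is checked
    against 255 so a hostile peer cannot smuggle an out-of-range value.
    """
    m = _TUPLE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field above 255 in %r" % text)
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def encode_hostport(ip, port):
    """Inverse of parse_hostport: build the comma-separated tuple."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %r" % port)
    octets = ip.split(".")
    if len(octets) != 4 or any(not o.isdigit() or int(o) > 255 for o in octets):
        raise ValueError("bad IPv4 address %r" % ip)
    return ",".join(octets + [str(port // 256), str(port % 256)])


def data_connection(control_line):
    """Classify a control-channel line by the data connection it announces.

    Returns (mode, initiator, ip, port), or None for lines that do not set
    up a data connection.  In active mode the server initiates the data
    connection (from port 20 on a stock setup); in passive mode the client does.
    """
    line = control_line.strip()
    if line.upper().startswith("PORT "):
        ip, port = parse_hostport(line)
        return ("active", "server", ip, port)
    if line.startswith("227 "):
        ip, port = parse_hostport(line)
        return ("passive", "client", ip, port)
    return None


def rewrite_passive_reply(reply, public_ip, passive_range=PASSIVE_RANGE):
    """What a NAT FTP helper does to an outbound 227 reply: swap the server's
    private address for the public one so the outside client connects to an
    address it can reach.  The port is kept but checked against the configured
    passive range, because only those ports would have inbound forwarding."""
    ip, port = parse_hostport(reply)
    lo, hi = passive_range
    if not lo <= port <= hi:
        raise ValueError("announced port %d outside passive range %d-%d" % (port, lo, hi))
    return _TUPLE.sub(encode_hostport(public_ip, port), reply, count=1)


if __name__ == "__main__":
    print(data_connection(SAMPLE_PORT_CMD))
    print(data_connection(SAMPLE_PASV_REPLY))
    print(rewrite_passive_reply(SAMPLE_PASV_REPLY, "203.0.113.7"))
```

If the device in the path only inspects FTP on port 21, a control session on 12345 is never parsed, so the 227 reply reaches the outside client still carrying the private address and the data connection fails even though the control connection was forwarded. That is the case the reply above raises when it says the IOS FW probably refers only to the standard ports.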
