PASSIVE (PASV) FTP on 2811 Router

Unanswered Question
Nov 8th, 2007

Hello,


I need to allow PASV FTP to the outside world so users using the Internet Explorer web browser can access our FTP site.


What command do I use, and can you show an example of how to enter it?


Here is what I've done thus far:

*** 9.8.7.6.5 is example of WAN IP ***


1) mapped internal address of FTP server to external WAN IP (NAT'd)


ip nat inside source static 192.168.1.10 21 9.8.7.6.5 21


2) modify ACL


permit tcp any host 9.8.7.6 ftp

permit tcp any host 9.8.7.6 ftp-data

permit tcp any host 9.8.7.6 www

permit tcp any host 9.8.7.6 443

permit tcp any host 1.2.3.4 www

permit tcp any host 1.2.3.4 443

permit tcp any host 1.2.3.4 995

permit tcp any host 1.2.3.4 smtp

permit tcp any host 1.2.3.4 587

permit gre any any

permit icmp any any echo-reply

permit esp any any

permit udp any any eq isakmp

permit udp any any eq non500-isakmp

permit udp any any eq 4500

permit udp any any eq 5500

permit udp any any eq 1701

permit udp any any eq 1723

deny ip any any log



Your help is appreciated. Thanks.

Pavel Bykov Thu, 11/08/2007 - 05:55

1. This is a one-way ACL (just a note, so you don't forget)


2. FTP creates a TCP connection on ports >1023 after it has agreed everything it needs on ports 20/21. Therefore there should also be the following line:

permit tcp any host 9.8.7.6 gt 1023


Also, what is the 1.2.3.4 address?


Also, in NAT there is only one mapping, and only for port 21. Shouldn't you map ports 20, 80, 443 and >1023 as well?
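The reply above is about the second, server-side data connection that passive FTP opens on a high port. As an added illustration, not part of this thread or anyone's posted config, the script below parses the server's "227 Entering Passive Mode" reply and reports why an Internet client would fail to reach the advertised data socket through the static NAT and ACL described here: the server advertising its inside address instead of the NAT'd one, or a data port outside the range the ACL permits. The addresses 9.8.7.6 and 192.168.1.10, the "gt 1023" floor and the sample replies are taken from the thread or constructed; the optional `acl_line_for_passive_range` helper assumes the FTP server can be configured to use a fixed passive port range, which lets the ACL be narrowed from "gt 1023" to that range.

```python
import ipaddress
import re

# Constructed values for this example, taken from the thread: 9.8.7.6 stands in
# for the public (NAT'd) address of the FTP server, 192.168.1.10 is its inside
# address. Both are assumptions of the example, not a real deployment.
PUBLIC_FTP_ADDR = "9.8.7.6"
PRIVATE_FTP_ADDR = "192.168.1.10"

# The data-port range the "gt 1023" ACL entry permits.
ACL_DATA_PORT_MIN = 1024
ACL_DATA_PORT_MAX = 65535

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" as defined in RFC 959.
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (address, port) from an FTP 227 PASV reply.

    The six numbers are the four address octets followed by the high and
    low bytes of the data port, so port = p1 * 256 + p2.
    """
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("field out of range in PASV reply: %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv(reply):
    """Report why an Internet client could fail to open the data connection
    advertised in a PASV reply, given the static NAT and ACL in the thread.

    Returns (address, port, problems); an empty problems list means the
    advertised socket is the NAT'd address on a port the ACL permits.
    """
    addr, port = parse_pasv(reply)
    problems = []
    if ipaddress.ip_address(addr).is_private:
        # Classic NAT failure: the server advertises its inside address, so the
        # client tries to connect to 192.168.x.x and times out.
        problems.append("server advertised inside address %s; it must advertise %s"
                        % (addr, PUBLIC_FTP_ADDR))
    elif addr != PUBLIC_FTP_ADDR:
        problems.append("advertised address %s is not the NAT'd address %s"
                        % (addr, PUBLIC_FTP_ADDR))
    if not ACL_DATA_PORT_MIN <= port <= ACL_DATA_PORT_MAX:
        problems.append("data port %d is outside the ACL range %d-%d"
                        % (port, ACL_DATA_PORT_MIN, ACL_DATA_PORT_MAX))
    return addr, port, problems


def acl_line_for_passive_range(public_addr, low, high):
    """Tighter alternative to 'gt 1023': permit only the passive port range the
    FTP server is configured to use (assumed here to be configurable on the
    server). Produces one extended-ACL entry in IOS syntax."""
    if not 1024 <= low <= high <= 65535:
        raise ValueError("passive range must lie within 1024-65535")
    return "permit tcp any host %s range %d %d" % (public_addr, low, high)


if __name__ == "__main__":
    # Constructed replies: a correct one, one leaking the inside address, and
    # one whose port falls below the ACL's floor.
    for reply in ("227 Entering Passive Mode (9,8,7,6,195,89)",
                  "227 Entering Passive Mode (192,168,1,10,195,89)",
                  "227 Entering Passive Mode (9,8,7,6,0,21)"):
        addr, port, problems = check_pasv(reply)
        print(reply, "->", addr, port, problems or "OK")
    print(acl_line_for_passive_range(PUBLIC_FTP_ADDR, 50000, 50100))
```

Run against a capture of the control channel (port 21), the checker flags the two failure modes that account for most "passive FTP works inside but not from the Internet" reports: the server's PASV reply carries its inside address, which no static NAT rewrites, or the chosen data port is not covered by the ACL. Narrowing "gt 1023" to the server's configured passive range, as the helper prints, keeps the rest of the high-port space closed.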

keithwillson Thu, 11/08/2007 - 07:51

Is this how I would enter it?


permit tcp any host 216.109.202.50 gt 1023


ip nat inside source static 10.1.0.12 20 216.109.202.50 20

ip nat inside source static 10.1.0.12 80 216.109.202.50 80

ip nat inside source static 10.1.0.12 >1023 216.109.202.50 >1023


