11-21-2007 11:48 AM - edited 03-03-2019 07:38 PM
Hi,
We are not able to download files from an external/public FTP server. The following is an abbreviated config from our Cisco 2621 perimeter router. Any suggestions would be appreciated.
Thanks. Said
memory-size iomem 25
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name Serial tcp
ip inspect name Serial udp
ip inspect name Serial cuseeme
ip inspect name Serial ftp
ip inspect name Serial h323
ip inspect name Serial rcmd
ip inspect name Serial realaudio
ip inspect name Serial smtp
ip inspect name Serial streamworks
ip inspect name Serial vdolive
ip inspect name Serial sqlnet
ip inspect name Serial tftp
ip audit smtp spam 5
ip audit name -audit info action alarm
ip audit name -audit attack action alarm
interface FastEthernet0/0
ip address
no ip directed-broadcast
ip nat inside
no ip mroute-cache
duplex auto
speed auto
no cdp enable
interface Serial0/1
ip address
no ip directed-broadcast
ip nat inside
service-policy output POLICY1
no cdp enable
interface Async65
ip address
no ip directed-broadcast
ip nat inside
encapsulation ppp
keepalive 10
async mode interactive
ip nat pool NAT netmask
ip nat inside source route-map internet2 pool NAT overload
ip nat inside source static tcp extendable
ip nat inside source static 192.168.1.4
ip classless
ip route 0.0.0.0 0.0.0.0
ip route 10.1.1.0 255.255.255.0 192.168.1.10
ip route 10.5.5.0 255.255.255.0 192.168.1.10
ip route 10.6.6.0 255.255.255.0 192.168.1.10
ip route 10.9.9.0 255.255.255.0 192.168.1.10
ip route 10.9.10.0 255.255.255.0 192.168.1.10
ip route 10.10.10.0 255.255.255.0 192.168.1.10
ip route 10.100.100.0 255.255.255.0 192.168.1.10
ip route 172.16.0.0 255.255.0.0 172.16.2.2
ip route 172.16.1.0 255.255.255.0 172.16.2.2
ip route 172.16.5.0 255.255.255.0 207.213.196.5
ip route 172.16.6.0 255.255.255.0 207.213.196.5
ip route 192.168.0.0 255.255.255.0 192.168.1.10
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 103 permit tcp host host eq telnet
access-list 103 permit tcp host 10.199.249.220 host eq telnet
access-list 103 permit tcp host host eq telnet
access-list 103 permit tcp any host eq smtp log
access-list 103 permit tcp any host eq www
access-list 103 permit tcp any host eq 22 log
access-list 103 permit udp any host eq isakmp log
access-list 103 permit esp any host log
access-list 103 permit tcp any host eq www log
access-list 103 permit tcp any host eq ftp log
access-list 103 permit icmp any any echo-reply log
access-list 103 permit tcp any any established
access-list 103 permit tcp any host eq pop3
access-list 103 permit esp any any
access-list 103 permit udp any eq isakmp any
access-list 103 permit udp any any eq isakmp
access-list 103 permit udp any eq 4500 any
access-list 103 permit tcp any any eq 4500
access-list 103 permit udp any eq domain any
access-list 103 permit ip host xxxxxxxxxxx any
access-list 103 permit ip host xxxxxxxxxxx any
access-list 103 permit ip host xxxxxxxxxxxx any
access-list 103 permit ip 172.16.6.0 0.0.0.255 host
access-list 103 permit ip 172.16.5.0 0.0.0.255 host
access-list 110 permit ip any any
access-list 130 permit ip 192.168.1.0 0.0.0.255 any
access-list 130 permit ip 172.16.0.0 0.0.255.255 any
access-list 150 permit udp any any range 5000 5070
access-list 150 permit udp any range 5000 5070 any
access-list 150 permit udp any any eq 5567
access-list 150 permit udp any eq 5567 any
access-list 150 permit tcp any any eq 5566
access-list 150 permit tcp any eq 5566 any
access-list 150 permit tcp any any eq 5570
access-list 150 permit tcp any eq 5570 any
access-list 150 permit udp any any eq 16384
access-list 150 permit udp any eq 16384 any
access-list 150 permit tcp any any eq 2427
access-list 150 permit tcp any eq 2427 any
access-list 150 permit udp any any eq 4000
access-list 150 permit udp any eq 4000 any
access-list 150 permit udp any any eq 4010
access-list 150 permit udp any eq 4010 any
11-21-2007 11:59 AM
Said
You have hidden so much information that we are not able to identify the problem. For example what you have posted includes 3 extended access lists but no information about how they are applied. If you want us to suggest answers we need sufficient detail to be able to understand what is going on.
HTH
Rick
11-21-2007 12:42 PM
11-21-2007 01:32 PM
Said
There are a couple of things that it might be. I will start with the most obvious and if that is not it, there are some other things to look at. In access list 103 there is a permit for ftp (TCP port 21):
access-list 103 permit tcp any host 2xx.213.196.11 eq ftp log
but there is not a permit for ftp-data (TCP port 20). Try adding a line like this for ftp-data:
access-list 103 permit tcp any host 2xx.213.196.11 eq ftp-data log
Give it a try and let us know if it helps.
HTH
Rick
11-23-2007 11:06 AM
Rick,
Do I have to create a new access list with the added line to add access-list 103 permit tcp any host 2xx.213.196.11 eq ftp-data log? I remember from CCNA that if you change an access list it is no longer valid.
Thanks.
Said
11-23-2007 06:46 PM
Said
In a lot of access lists when you want to add a line to the access list you must remove the access list and rebuild the access list with the line added. In the case of this access list I do not believe that it is necessary.
The issue is that a line that you add to the access list will generally be put at the bottom of the access list. And in many access lists (especially ones that have permit ip any any or deny ip any any) adding a line at the bottom results in the line never matching anything. In the case of this access list I believe that adding the line at the bottom of the access list will still achieve the desired result.
HTH
Rick
11-27-2007 06:36 AM
Rick,
Thanks. The following was added to the access-list.
access-list 103 permit tcp any host 2xx.213.196.11 eq ftp-data log
The client can log on to the FTP server, however after the initial connection the client gets disconnected. The following is a copy from the FTP server's log.
(000002) 11/27/2007 6:24:50 AM - (not logged in) (192.168.1.202)> Connected, sending welcome message...
(000002) 11/27/2007 6:24:50 AM - (not logged in) (192.168.1.202)> 220 Authorized users only are allowed access to this server.
(000002) 11/27/2007 6:25:21 AM - (not logged in) (192.168.1.202)> disconnected.
(000003) 11/27/2007 6:26:21 AM - (not logged in) (192.168.1.202)> Connected, sending welcome message...
(000003) 11/27/2007 6:26:21 AM - (not logged in) (192.168.1.202)> 220 Authorized users only are allowed access to this server.
(000003) 11/27/2007 6:26:52 AM - (not logged in) (192.168.1.202)> disconnected.
11-27-2007 09:27 AM
Said
It looks like the server does not see the login as successful. Your description says that the client can log to the server. Can we be more specific? They get a prompt and they enter their ID and password. What do they get on their screen after they enter the password and press enter? Can we be very specific about what the next message says?
HTH
Rick
11-27-2007 09:36 AM
Rick,
You are right. After reviewing the server's log, the client was not logged on. I ran the wizard on the client's application and got the following message.
"Summary of test results:
Active mode FTP test failed. FileZilla knows the correct external IP address, but your router or firewall has misleadingly modified the sent address.
Please update your firewall and make sure your router is using the latest available firmware. Furthermore, your router has to be configured properly. You will have to use manual port forwarding. Don't run your router in the so called 'DMZ mode' or 'game mode'. Things like protocol inspection or protocol specific 'fixups' have to be disabled.
If this problem stays, please contact your router manufacturer......
11-28-2007 10:55 PM
Rick,
I believe secure FTP servers (SFTP) listen on port 990. Would placing a statement on access-list 103 to open TCP port work? Would the above statement at the end of the Access-list work? Could you share the correct statement needed. Thanks.
Said
11-21-2007 01:40 PM
Said,
The 'data' connection on an FTP session is an inbound connection from the server using TCP source port 20 to a randomly chosen TCP port on the client. Since this is an inbound connection the 'permit tcp any any established' entry does not apply.
I can think of three solutions:
1) Open up all inbound connections from TCP source port 20 (access-list 103 permit tcp any eq 20 any). This is obviously not a good idea.
2) Add 'ip inspect name Serial ftp' and apply 'ip inspect Serial in' to your 'inside' interfaces. This essentially enables the IOS firewall feature set and instructs the router to watch for this ftp data connection. You will probably want to remove the 'permit tcp any any established' at that point.
3) Use passive FTP for all external FTP downloads from your clients.
HTH - and someone please correct me if I've spoken incorrectly (I know you will :))
11-27-2007 12:31 PM
HTH,
Why isn't "access-list 103 permit tcp any eq 20 any" a good idea?
Said
11-27-2007 12:41 PM
That will allow any host on the Internet using a TCP source port of 20 unrestricted access into your network.
Jarred
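The following is an added example, not code from this thread or from Cisco. It is a small first-match evaluator for the subset of numbered extended ACL syntax used in access-list 103, written to show three points made above: Rick's note that an entry appended below 'permit ip any any' never matches, Jarred's explanation that the active-mode data connection is an inbound SYN from source port 20 that the 'established' entry does not cover (while a passive-mode data reply does carry ACK and is covered), and Jarred's warning that 'permit tcp any eq 20 any' admits any new connection whose sender picks source port 20, such as one to telnet. The addresses 203.0.113.11 (standing in for the redacted 2xx.213.196.11) and 198.51.100.7 are placeholders from the documentation ranges; only the 'eq' port operator, 'host', 'any' and contiguous wildcard masks are modelled.

```python
# Added example: first-match evaluator for a subset of Cisco numbered extended ACLs.
# Not from the thread or from Cisco IOS; addresses below are placeholders.
import ipaddress

# Port keywords that appear in the thread's access-list 103.
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "telnet": 23, "smtp": 25, "www": 80,
              "pop3": 110, "domain": 53, "isakmp": 500}

LOCAL_HOST = "203.0.113.11"   # placeholder for the redacted 2xx.213.196.11 behind the router
REMOTE_HOST = "198.51.100.7"  # placeholder for some host on the Internet


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    prefix = 32 - wildcard.bit_length()          # assumes a contiguous wildcard mask
    return ipaddress.ip_network(f"{tokens[i]}/{prefix}", strict=False), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq <port|name>' operator; other operators are not modelled."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_ace(line):
    """Parse 'access-list N permit|deny proto SRC [eq p] DST [eq p] [established] [log]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return {"action": t[2], "proto": t[3], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "established": "established" in t[i:]}


def ace_matches(ace, pkt):
    """pkt is a dict: proto, src, sport, dst, dport, ack (True when ACK or RST is set)."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ace["src"]:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ace["dst"]:
        return False
    if ace["sport"] is not None and ace["sport"] != pkt["sport"]:
        return False
    if ace["dport"] is not None and ace["dport"] != pkt["dport"]:
        return False
    # 'established' matches only segments with ACK or RST set, never a bare SYN.
    if ace["established"] and not pkt["ack"]:
        return False
    return True


def evaluate(acl_lines, pkt):
    """First match wins; no match falls through to the implicit deny at the end."""
    for n, line in enumerate(acl_lines, start=1):
        if ace_matches(parse_ace(line), pkt):
            return parse_ace(line)["action"], n
    return "deny", None


def tcp(src, sport, dst, dport, ack=False):
    """Build a constructed TCP segment description; ack=False models a bare SYN."""
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "ack": ack}


# The relevant lines of ACL 103 after Rick's ftp-data entry was appended at the bottom.
ACL_103 = [
    f"access-list 103 permit tcp any host {LOCAL_HOST} eq ftp log",
    "access-list 103 permit tcp any any established",
    f"access-list 103 permit tcp any host {LOCAL_HOST} eq ftp-data log",
]
ACL_103_WITH_PORT20 = ACL_103 + ["access-list 103 permit tcp any eq 20 any"]

# Active mode: the remote server opens the data connection FROM port 20 TO a random local port.
ACTIVE_DATA_SYN = tcp(REMOTE_HOST, 20, LOCAL_HOST, 51000)
# Passive mode: the local client opens the data connection, so the server's reply carries ACK.
PASSIVE_DATA_REPLY = tcp(REMOTE_HOST, 50123, LOCAL_HOST, 51001, ack=True)
# What the port-20 rule also admits: a new connection to telnet from a sender using source port 20.
PORT20_TELNET_SYN = tcp(REMOTE_HOST, 20, LOCAL_HOST, 23)
# Rick's ordering point: a line appended below 'permit ip any any' (ACL 110) never matches.
ACL_110_WITH_APPENDED_DENY = ["access-list 110 permit ip any any",
                              "access-list 110 deny tcp any any eq telnet"]

if __name__ == "__main__":
    print("active data SYN, ACL 103 as posted:     ", evaluate(ACL_103, ACTIVE_DATA_SYN))
    print("passive data reply, ACL 103 as posted:  ", evaluate(ACL_103, PASSIVE_DATA_REPLY))
    print("active data SYN, with port-20 rule:     ", evaluate(ACL_103_WITH_PORT20, ACTIVE_DATA_SYN))
    print("telnet SYN from port 20, port-20 rule:  ", evaluate(ACL_103_WITH_PORT20, PORT20_TELNET_SYN))
    print("telnet SYN, deny below permit ip any any:", evaluate(ACL_110_WITH_APPENDED_DENY, tcp(REMOTE_HOST, 40000, LOCAL_HOST, 23)))
```

Run as a script to see the five verdicts side by side: the posted ACL 103 drops the active-mode data SYN (implicit deny) but passes the passive-mode reply via 'established'; the port-20 rule makes the active SYN pass, but passes the port-20 telnet SYN just as readily, which is the exposure Jarred describes and why stateful inspection ('ip inspect ... ftp') or passive FTP is the better fix; and the deny appended to ACL 110 is shadowed by the 'permit ip any any' above it.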
11-27-2007 12:49 PM
Jarred,
The secure FTP is on the "dirty DMZ" with a public IP, connected to the perimeter router. The perimeter router uses CBAC to filter traffic. How would outside users get access to the LAN?
Said
11-29-2007 08:09 AM
I put in access-list 103 permit tcp any eq 20 any, however the client still cannot connect to the server. The above is in the running config; I did not copy it to the starting config.