12-21-2009 07:53 PM - edited 03-04-2019 07:02 AM
I am having a problem routing ip traffic with port numbers from one LAN to another.
I have two networks 192.168 and 10.100. I can successfully connect to devices from the 192 network to the 10 network and from the 10 network to the 192 network. I am also able to access the internet via a proxy sitting on the 192 network from the 10 network.
My problem is that when I try to connect to an IP using a specific port number (for example FTP), I am unable to connect from the 10 network to an FTP server on the 192 network. I am also unable to connect from the 10 network to an FTP server on the internet.
To complicate matters, I am unable to determine the route the FTP traffic is taking (from the 1 network). I have placed Wireshark on the 10 network and the 192 network and see the packets leaving the workstation but not being ACKnowledged. I also do not see the traffic being received on the 192 network.
I have run several debug commands on the router (for IP packets, access-lists, NAT etc.) but do not see this traffic on the router. I enabled IP accounting and still do not see the (FTP) traffic.
I included the config for your review.
Can anyone tell me what other commands (debug or other) I can use on the router to 'find' this traffic so I can determine where it is going, so I can resolve the issue?
Thanks,
Kerry
12-21-2009 09:37 PM
In your config you are defining ACLs 127 and 128 under g0/1/0, but these ACLs are not defined! Are they missing, or what?
interface GigabitEthernet0/1/0
 Desc 2nd LAN
 ip address 10.100.0.1 255.255.128.0
 ip access-group 128 in
 ip access-group 127 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip accounting access-violations
 ip nat inside
 negotiation auto
Also, we need to know the exact test you made: source IP? destination IP? tool used to make the test (telnet, software, ...)?
12-23-2009 04:57 AM
As an additional test, and to make sure an ACL wasn't stopping traffic, I created these two ACLs but did not define them. I did this to pass all traffic.
(Creating an ACL that isn't defined will pass ALL traffic.)
Also, the tests I am using from the 10 network to the 192 network and from the 10 network to the internet are as follows:
1. FTP - ftpzilla - source IP: 10.100.45.32, dest. IP: 192.168.1.5
   source IP: 10.100.45.32, dest. IP: ftp.windstream.net
2. iStation test software - source IP: 10.100.45.32, dest. IP / port: app2.istation.com / 12500
12-23-2009 07:57 AM
Take all IP access-group statements off each interface and try the FTP again. If it still doesn't work, source an FTP from the router interface closest to the FTP server:
telnet x.x.x.x 21 /source-interface interface
James
01-05-2010 07:44 AM
Removed ACLs from all interfaces, here are the results:
- FTP From 10 network to 192 network - works
- FTP from 10 network to ftp site on internet - does not work
- FTP from router (using 10 as source) to ftp site on 192 - does not work
- FTP from router (using 192 as source) to ftp site on 192 - works
- FTP from router (using 10 as source) to ftp site on internet - does not work
- FTP from router (using 192 as source) to ftp site on internet - does not work
01-05-2010 08:39 AM
Add the 10 network to ACL 10.
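An added illustration of what that last reply is pointing at; this is not Kerry's posted configuration (which is not reproduced in the thread). It assumes ACL 10 is the standard access list referenced by the router's `ip nat inside source list 10 ...` statement, which fits the symptoms once the access-groups are gone: 10-to-192 works because that path needs no translation, while anything sourced from the 10 network toward the internet fails because the router forwards it untranslated (and so nothing ever comes back). The outside interface name and the 192 subnet mask are placeholders.

```cisco
! Before (assumed): only the 192 LAN is eligible for translation,
! so packets from 10.100.x.x leave toward the internet with a private source.
access-list 10 permit 192.168.1.0 0.0.0.255
!
! After: also permit the second LAN on Gi0/1/0.
! 10.100.0.1 255.255.128.0 -> wildcard 0.0.127.255
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 10.100.0.0 0.0.127.255
!
! NAT statement that references the list (outside interface is a placeholder).
ip nat inside source list 10 interface GigabitEthernet0/0/0 overload
!
! Verify: while a test from 10.100.45.32 runs, a translation entry should appear.
show ip nat translations | include 10.100
! Or watch translations being created in real time (disable with "undebug all").
debug ip nat
```

The `show ip nat translations` check is the quickest confirmation: if the 10.100.x.x source never shows up there while an FTP attempt is in progress, the packet is not being matched by the inside source list and the ACL is still the place to look.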