Cannot FTP to an Internet Address

Answered Question
May 30th, 2010

Hi Dear,

I have a router in Perth that connects to the head office (Sydney) through an IPsec VPN.

We cannot do anything except RDP and browse file shares on the Sydney servers from Perth.

I need to have FTP access to a specific address (203.107.5.4) which is located somewhere on the Internet.

Our Perth config is as follows:

Building configuration...

Current configuration : 3665 bytes
!
! No configuration change since last restart
!
version 12.3
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname HTAUPER
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
enable secret 5 $1$DbLV$k3z/WP5i9MLEvUlNFdl790
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default group radius local
aaa authentication ppp vpnauth group radius local
aaa authorization network default group radius local
!
aaa session-id common
!
resource policy
!
clock timezone AWST 8
clock summer-time AWDST recurring last Sun Oct 2:00 last Sun Mar 2:00
ip subnet-zero
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1
!
ip dhcp pool WA-IP-POOL
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.1
   dns-server 192.168.2.20 192.168.2.21
   netbios-name-server 192.168.2.20 192.168.2.21
!
!
ip cef
no ip domain lookup
ip host HTAUMEL 202.173.157.106
ip host HTAUPER 165.228.162.129
ip host HTAUSYD 139.130.82.30
no ip ips deny-action ips-interface
!
async-bootp dns-server 192.168.2.20 192.168.2.21
async-bootp nbns-server 192.168.2.20 192.168.2.21
no ftp-server write-enable
!
!
username hitachikk privilege 15 password 7 0959400A150046
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
crypto isakmp key htauper0607 address 139.130.82.30
no crypto isakmp ccm
!
!
crypto ipsec transform-set Perth-Transform esp-des esp-md5-hmac
!
crypto map Triforce 10 ipsec-isakmp
set peer 139.130.82.30
set transform-set Perth-Transform
match address 191
reverse-route
!
!
!
interface Loopback0
ip address 192.168.253.251 255.255.255.255
!
interface Ethernet0
description LAN
ip address 192.168.10.1 255.255.255.0
ip helper-address 192.168.2.20
ip helper-address 192.168.2.21
no ip route-cache cef
no ip route-cache
ip tcp adjust-mss 1430
no ip mroute-cache
no keepalive
hold-queue 100 out
!
interface Ethernet2
no ip address
shutdown
hold-queue 100 out
!
interface ATM0
description WestNet DSL Service
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Dialer0
description PPPOE to Telstra
ip address negotiated
encapsulation ppp
no ip route-cache cef
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname hitach50@direct.telstra.net
ppp chap password 7 13564F4A585456
crypto map Triforce
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
no ip http secure-server
!
!
!
ip access-list standard telnet-clients
permit 202.165.88.13
permit 139.130.82.30
permit 165.228.154.146
permit 165.228.76.109
permit 165.228.245.51
permit 165.228.121.168
permit 58.6.32.219
permit 192.168.10.0 0.0.0.255
permit 192.168.3.0 0.0.0.255
permit 192.168.2.0 0.0.0.255
permit 203.42.131.48 0.0.0.15
permit 203.48.145.120 0.0.0.7
permit 203.53.111.208 0.0.0.15
access-list 191 remark Crypto ACL for Encryption to Sydney
access-list 191 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
dialer-list 1 protocol ip permit
snmp-server community htau RO
snmp-server enable traps tty
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
no modem enable
line aux 0
line vty 0 4
access-class telnet-clients in
exec-timeout 0 0
!
scheduler max-task-time 5000
sntp server 129.127.40.3
end

I need to add an access-list/NAT to allow the Perth subnet (192.168.10.0) to have access to that FTP address (203.107.5.4) without interruption of the IPsec tunnel.

Any advice is much appreciated,

Reza

Correct Answer by Reza Sharifi about 6 years 8 months ago

Hi Reza,

That could be an application issue (FTP server). Can you check to make sure the server is accepting ports 20 and 21?

Reza

Reza Sharifi Sun, 05/30/2010 - 21:07

Hi Reza,

I do not see any NAT statement in your config. Something like this:

ip nat inside source list 100 interface Dialer0 overload

I also don't see any "ip nat inside" or "ip nat outside" under your interfaces.

interface Ethernet0
description LAN
ip nat inside

interface Dialer0
description PPPOE to Telstra
ip nat outside

BTW, nice name!!!!!!!!

HTH

Reza

reza.rafatifard Sun, 05/30/2010 - 21:22

G'day Mr Reza,

Thanks for your reply,

My current access-list is 191, which only allows 192.168.10.0 (Perth subnet) to communicate with 192.168.2.0 (Sydney subnet).

Can you tell me what access list I should set up to make this happen?

You wrote: "ip nat inside source list 100", so I need an access-list 100 to match with that.

I appreciate your advice,

regards,

Reza

Reza Sharifi Sun, 05/30/2010 - 21:44

Hi Reza,

Yes, you do need a NAT statement since you are using a private IP address (192.168.10.0/24) on the inside of your network. So first, under the internal interface, issue the command "ip nat inside", and under the Dialer0 interface issue the command "ip nat outside"; then issue your NAT statement in global config mode:

"ip nat inside source list 100 interface dialer0 overload"

then assign an access list for your internal subnet to be permitted:

access-list 100 permit 192.168.10.0 0.0.0.255

Then test your connectivity.

HTH

Reza
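As an added example (not part of the thread or either poster's config), here is how the NAT pieces from the reply above fit with the crypto map already on Dialer0. It assumes the interface names, subnets and ACL numbers from the posted config, and adds the one caveat the thread does not spell out: on IOS, inside-to-outside NAT is applied before the crypto map is evaluated, so a NAT ACL that does not exempt the Sydney traffic would translate it and it would stop matching crypto ACL 191.

```cisco
! Added example, not from the thread: NAT overload for the Perth LAN
! with the Sydney VPN traffic exempted from translation.
!
! Mark the inside and outside interfaces (names from the posted config).
interface Ethernet0
 ip nat inside
!
interface Dialer0
 ip nat outside
!
! Extended ACL 100 decides what gets translated. The deny line must come
! first and must mirror crypto ACL 191 exactly; without it, packets to
! 192.168.2.0/24 would be rewritten to the Dialer0 address before the
! crypto map sees them and would leave the tunnel in clear text.
access-list 100 remark Exempt VPN traffic to Sydney, then NAT the rest
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
!
! Overload (PAT) everything ACL 100 permits onto the negotiated Dialer0 address.
ip nat inside source list 100 interface Dialer0 overload
!
! Least-privilege alternative: instead of "permit ip ... any", translate only
! TCP to the one FTP host the site asked for. Leaving the port unspecified
! covers the control channel plus the data channel in both active and
! passive mode (passive data connections go to a random high port).
! access-list 100 permit tcp 192.168.10.0 0.0.0.255 host 203.107.5.4
!
! Verification after the change:
! show ip nat translations   (expect entries with 203.107.5.4 as destination)
! show crypto ipsec sa       (Sydney traffic should still show encaps/decaps)
```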

reza.rafatifard Tue, 06/01/2010 - 17:25

Hi Mate,

All good now, but FTP is not working, because the FTP server is in active mode. As far as everything is open from 192.168.10.0 to any, I don't know why FTP is not working.

I can telnet to 203.171.5.4 21 but not on port 20.

Do you have an idea how I can fix this?

Regards,

Reza

