
FTP not working behind firewall

Unanswered Question

I've currently got a Cisco 891 running with an FTP server behind it. All FTP clients running inside the network can use the FTP server by going directly to the internal IP of 192.168.12.6. However, all outside clients get a connection to the server, but it then drops. I've got NAT configured to go from the external IP on port 990 to the internal IP address 192.168.12.6 on port 990. The FTP server is listening on port 990. The clients can only run in passive mode.


Below is the version information and current running config. Any help would be greatly appreciated. Ignore the NAT going to internal IP 192.168.12.50; it's for another operation.


Cisco IOS Software, C890 Software (C890-UNIVERSALK9-M), Version 15.0(1)M6, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Wed 01-Jun-11 21:24 by prod_rel_team

ROM: System Bootstrap, Version 12.4(22r)YB3, RELEASE SOFTWARE (fc1)

yourname uptime is 6 minutes
System returned to ROM by reload at 11:04:09 PCTime Tue May 22 2012
System restarted at 11:04:35 PCTime Tue May 22 2012
System image file is "flash:c890-universalk9-mz.150-1.M6.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command


Building configuration...

Current configuration : 11614 bytes
!
! Last configuration change at 11:09:50 PCTime Tue May 22 2012 by XXXXXXXX
!
version 15.0
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service udp-small-servers
service tcp-small-servers
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5
!
!
ip finger
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any ccp-cls-protocol-p2p
 match protocol edonkey signature
 match protocol gnutella signature
 match protocol kazaa2 signature
 match protocol fasttrack signature
 match protocol bittorrent signature
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 102
 match protocol user-protocol--1
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
 match protocol ymsgr yahoo-servers
 match protocol msnmsgr msn-servers
 match protocol aol aol-servers
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
class-map type inspect match-all sdm-nat-ftp-1
 match access-group 101
 match protocol ftps
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-ftp-1
  inspect
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
!
!
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
 description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
 ip address X.X.X.X 255.255.255.240
 ip mask-reply
 ip directed-broadcast
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
!
!
interface GigabitEthernet0
 no ip address
 ip mask-reply
 ip directed-broadcast
 ip flow ingress
 shutdown
 duplex auto
 speed auto
!
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
 ip mask-reply
 ip directed-broadcast
 ip flow ingress
 arp timeout 0
!
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
!
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$
 ip address 192.168.12.1 255.255.255.0
 ip mask-reply
 ip directed-broadcast
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
!
interface Async1
 no ip address
 ip mask-reply
 ip directed-broadcast
 encapsulation slip
!
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list 1 interface FastEthernet8 overload
ip nat inside source static tcp 192.168.12.50 2080 interface FastEthernet8 2080
ip nat inside source static tcp 192.168.12.6 990 interface FastEthernet8 990
ip route 0.0.0.0 0.0.0.0 209.60.166.193
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.12.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip X.X.X.X 0.0.0.15 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.12.6
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.12.50
no cdp run
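The scenario in this post (passive-mode clients, a server on port 990 behind NAT and a zone-based firewall) turns on what the server puts in its passive-mode reply. In passive FTP the client opens the control connection, sends PASV (or EPSV), and the server answers with a 227 reply carrying the address and port the client must connect to for the data channel (RFC 959: `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)`, port = p1*256 + p2) or a 229 reply carrying only the port (RFC 2428). With plain FTP a stateful firewall's FTP inspection reads that reply and opens the data port on the fly; when the control channel is wrapped in TLS, as it is for FTPS on port 990, the firewall cannot read the reply, so only addresses and ports that are explicitly forwarded will ever carry the data connection. The script below, added here as an example and not code from the original post, parses both reply forms and reports whether an outside client could reach the advertised endpoint: it flags a reply that advertises an RFC 1918 address (the server is telling the client its private address), one that advertises an address other than the NAT external address, and one whose data port is outside the forwarded range. The sample replies, the external address 203.0.113.10 and the forwarded range 50000-50100 are constructed assumptions; only 192.168.12.6 comes from the post.

```python
"""Check whether an FTP passive-mode reply is usable by a client outside a NAT.

Added example for this thread, not code from the original post. Sample
replies, the external address and the forwarded port range are constructed.
"""
import re

# RFC 959 PASV reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# RFC 2428 EPSV reply: 229 Entering Extended Passive Mode (|||port|)
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")

# RFC 1918 private ranges; a data endpoint in one of these is unreachable
# from the Internet no matter what the firewall permits.
_RFC1918 = (("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16))


def _ip_to_int(ip):
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def is_rfc1918(ip):
    """True if ip falls inside 10/8, 172.16/12 or 192.168/16."""
    n = _ip_to_int(ip)
    for net, bits in _RFC1918:
        mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
        if n & mask == _ip_to_int(net):
            return True
    return False


def parse_passive_reply(line):
    """Return (ip, port) advertised by a 227 or 229 reply.

    ip is None for an EPSV (229) reply, which carries only the port; the
    client then reuses the address of the control connection.
    """
    m = PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if p1 > 255 or p2 > 255:
            raise ValueError(f"port bytes out of range in: {line!r}")
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(line)
    if m:
        return None, int(m.group(1))
    raise ValueError(f"not a passive-mode reply: {line!r}")


def check_passive_reply(line, external_ip, forwarded_ports):
    """Return the reasons an outside client could not use the advertised
    data endpoint; an empty list means the data connection should succeed.

    external_ip is the NAT's public address; forwarded_ports is the set or
    range of TCP ports the NAT statically forwards to the FTP server.
    """
    ip, port = parse_passive_reply(line)
    problems = []
    if ip is not None:
        if is_rfc1918(ip):
            problems.append(
                f"reply advertises private address {ip}; outside clients "
                "will try to connect to an unreachable host"
            )
        elif ip != external_ip:
            problems.append(
                f"reply advertises {ip}, not the NAT external address {external_ip}"
            )
    if port not in forwarded_ports:
        problems.append(
            f"data port {port} is not forwarded to the server; the firewall "
            "will drop the data connection"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample replies (hypothetical external address and range).
    external = "203.0.113.10"
    forwarded = range(50000, 50101)
    samples = [
        "227 Entering Passive Mode (192,168,12,6,195,89)",   # private address
        "227 Entering Passive Mode (203,0,113,10,4,1)",      # port 1025, not forwarded
        "227 Entering Passive Mode (203,0,113,10,195,89)",   # usable
        "229 Entering Extended Passive Mode (|||50009|)",    # EPSV form
    ]
    for reply in samples:
        print(reply)
        for p in check_passive_reply(reply, external, forwarded) or ["ok"]:
            print("   ", p)
```

The first sample is the typical failure for a server that only knows its private address: the control connection on 990 succeeds, the client receives a 227 pointing at 192.168.12.6, and the transfer stalls. The check is meant to be run against a reply captured from the server (for example with the FTP client's verbose or debug output); a passing reply still requires that the advertised port range be forwarded and permitted by the firewall policy, which this script models with `forwarded_ports`.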

