FTP sometimes blocked - login OK but nothing else, reset fixes

Quentin-5
Level 1

Hey:

I know other people are having the same problem, with non-Cisco routers. We have a 2621, running an FTP/email server in a DMZ. Every now and then - sometimes twice a day, sometimes once a week - access gets blocked to the FTP server. Clients can log in, but cannot get directory listings or transfer files. Restarting the server doesn't fix it, but restarting the router does. I've read posts regarding something called "fixup ftp" but don't know if it applies to us. Any ideas would be appreciated.

Barry Long

2 Replies

lgijssel
Level 9

Hello Barry,

What software do you run on the 2621?

You might have an issue with NAT; you could have a NAT pool that is overflowing. Whether this is the case depends on how many users you have and how your NAT is configured. We have too little info to draw conclusions yet. When the issue occurs again, instead of rebooting, try to issue the command: clear ip nat tra *

This clears the NAT table (and kills all sessions). If this also solves the problem, you might have a clue as to where to start looking.

Fixup commands are typically for the PIX firewall and the IOS with FW feature set (not sure about that last one). This might not apply to you.

Regards,

Leo

Leo,

Thanks for looking into this. Here is the Software version info:

Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-DO3S-M), Version 12.0(5)XK1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
TAC:Home:SW:IOS:Specials for info
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Tue 14-Sep-99 15:30 by jjgreen
Image text-base: 0x80008088, data-base: 0x80CE0BDC

ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
ROM: C2600 Software (C2600-DO3S-M), Version 12.0(5)XK1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

Here is the configuration we run (with passwords and IP addresses X'd out). The FTP server is running in, you guessed it, the AppleTalk zone called "FTPServer". If you have to have the IP #s to follow what's going on, let me know. See the note I inserted about the NAT pool:

Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname XXXXXXX
!
enable password XXXXXXX
!
!
!
!
!
!
ip subnet-zero
no ip source-route
ip name-server XXX.XXX.X.X
ip name-server XXX.XXX.X.X
ip name-server XXX.XXX.X.X
!
ip inspect name myfirewall tcp
ip inspect name myfirewall udp
ip inspect name myfirewall http java-list 3 audit-trail on
ip inspect name myfirewall ftp
ip audit notify log
ip audit po max-events 100
appletalk routing
!
!
!
process-max-time 200
!
interface FastEthernet0/0
 ip address XXX.XXX.X.X
 no ip directed-broadcast
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 no keepalive
 speed 100
 full-duplex
 appletalk cable-range 5-5 5.247
 appletalk zone graphic
 no cdp enable
!
interface Serial0/0
 ip address XXX.XXX.X.X
 ip access-group 101 in
 no ip directed-broadcast
 ip nat outside
 ip inspect myfirewall in
 no ip route-cache
 no ip mroute-cache
 no cdp enable
!
interface FastEthernet0/1
 ip address XXX.XXX.X.X
 no ip directed-broadcast
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 no keepalive
 speed 100
 full-duplex
 appletalk cable-range 6-6 6.139
 appletalk zone FTPServer
 no cdp enable
!
interface Ethernet1/0
 ip address XXX.XXX.X.X
 ip access-group 110 in
 no ip directed-broadcast
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 no keepalive
 no cdp enable
!
*****Below is the NAT Pool info, the following two numbers are the same*********
ip nat pool pool1 XXX.XXX.XXX.6 XXX.XXX.XXX.6 netmask 255.255.255.0
ip nat inside source list 12 pool pool1 overload
ip nat inside source static (IP of FTP Server) XXX.XXX.XXX.5 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX
no ip http server
!
access-list 3 permit any
access-list 12 permit (IPs for "graphic" zone)
access-list 12 permit (IPs for "FTPServer" zone)
access-list 12 permit (IPs for Administration LAN)
access-list 101 permit tcp any eq pop3 (IPs for Admin LAN)
access-list 101 permit tcp any eq smtp (IPs for Admin LAN)
access-list 101 permit tcp any eq www (IPs for Admin LAN)
access-list 101 permit tcp any eq 443 (IPs for Admin LAN)
access-list 101 deny ip any (IPs for Admin LAN)
access-list 101 permit udp any any gt 1024
access-list 101 permit tcp any any gt 1024
access-list 101 permit udp any eq domain any
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any eq domain
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any host XXX.XXX.XXX.5 eq smtp
access-list 101 permit tcp any host XXX.XXX.XXX.5 eq ftp
access-list 101 permit tcp any host XXX.XXX.XXX.5 eq ftp-data
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any any established
access-list 101 deny ip any any log
access-list 110 permit tcp (IPs for Admin LAN) any eq pop3
access-list 110 permit tcp (IPs for Admin LAN) any eq smtp
access-list 110 permit ip (IPs for Admin LAN) any
access-list 110 permit udp (IPs for Admin LAN) any eq domain
access-list 110 permit icmp any any
access-list 110 deny ip (IPs for Admin LAN) any log
no cdp run
!
line con 0
 exec-timeout 0 0
 transport input none
line aux 0
line vty 0 4
 password XXXXXX
 login

Barry
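Added example, not from the thread or from Cisco: a small Python model of what the "ip inspect ... ftp" line in the config above (or PIX "fixup protocol ftp") has to do with FTP's in-band PASV/PORT endpoints when the server sits behind the "ip nat inside source static" entry, which is why plain NAT can leave logins working while listings and transfers fail. The addresses are constructed stand-ins for the X'd-out values.

```python
import re

# Constructed sample addresses (RFC 1918 / RFC 5737 documentation ranges) standing
# in for the X'd-out values in the thread: the FTP server's real address and the
# address its "ip nat inside source static" entry publishes to the Internet.
SERVER_INSIDE_LOCAL = "10.0.1.5"
SERVER_INSIDE_GLOBAL = "203.0.113.5"

# FTP announces a second endpoint inside the control stream: the server's
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply and the client's "PORT" command.
PASV_RE = re.compile(r"^(227 .*?\()(\d+,\d+,\d+,\d+,\d+,\d+)(\).*)$")
PORT_RE = re.compile(r"^PORT (\d+,\d+,\d+,\d+,\d+,\d+)\s*$")

def decode_hostport(fields):
    """'h1,h2,h3,h4,p1,p2' -> (dotted ip, port), where port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields.split(","))
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def encode_hostport(ip, port):
    """Inverse of decode_hostport, used when rewriting a reply."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])

def parse_data_channel(line):
    """Return ('pasv'|'port', ip, port) for a control-channel line that
    announces a data-channel endpoint, or None for any other line."""
    m = PASV_RE.match(line)
    if m:
        return ("pasv",) + decode_hostport(m.group(2))
    m = PORT_RE.match(line)
    if m:
        return ("port",) + decode_hostport(m.group(1))
    return None

def inspect_server_reply(line, inside_local=SERVER_INSIDE_LOCAL,
                         inside_global=SERVER_INSIDE_GLOBAL):
    """Model of FTP-aware NAT/inspection on a 227 reply leaving the server:
    rewrite the private address to the NAT address and return the pinhole
    (proto, dst, dport) the client's data connection needs. Other lines pass."""
    m = PASV_RE.match(line)
    if not m:
        return line, None
    ip, port = decode_hostport(m.group(2))
    if ip != inside_local:
        # Advertised address is not the NATed server; passing it on would send the client to a dead address.
        raise ValueError(f"227 reply advertises {ip}, expected {inside_local}")
    rewritten = m.group(1) + encode_hostport(inside_global, port) + m.group(3)
    return rewritten, ("tcp", inside_global, port)
```

Without the rewrite, a client on the Internet would be told to open its data connection to 10.0.1.5, which it cannot reach, so the listing hangs after a successful login; the returned pinhole is the per-session hole that "ip inspect ftp" opens instead of relying on the broad "permit tcp any any gt 1024" in access-list 101.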