Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Cannot FTP to server behind 837

I have a web and ftp server behing an 837 router.

I have three access-list statements:

access-list 120 permit tcp any host 100.x.x.x eq www

access-list 120 permit tcp any host 10.x.x.x eq ftp-data

access-list 120 permit tcp any host 100.x.x.x eq ftp

When I initiate an FTP session, the client shows it connects, but losts no data and hangs.

Removing both FTP statements above allows the client to connect?

Any ideas?

Thanks,

Kerry

5 REPLIES

Re: Cannot FTP to server behind 837

Is this a typo error, or the existing config?

access-list 120 permit tcp any host 10.x.x.x eq ftp-data

access-list 120 permit tcp any host 100.x.x.x eq ftp

What I meant was the are there 2 different IPs - 10.x.x.x & 100.x.x.x? Opening tcp 20 & 21 should be sufficient to allow incoming ftp access.

Rgds,

AK

Re: Cannot FTP to server behind 837

Hi,

Can you add the following ACE to list 120 and give it a try?

access-list 120 permit tcp any host 10.x.x.x gt 1023

Passive FTP requires the client to use a tcp port gt 1023 requested by the server and you need to open up those ports for successful file transfer.

HTH

Sundar

New Member

Re: Cannot FTP to server behind 837

How about using inspection (stateful firewall)?

Normally it is enabled for outgoing traffic but you can apply it for inbound. Router should monitor the control connection and dynamically open the data ports (both for passive and standard FTP)

sample config

ip inspect name FW tcp

ip inspect name FW udp

ip inspect name FW ftp

access-list 100 permit tcp any host 10.1.1.1 eq 21

int dialer0 (or any outside interface)

ip inspect FW in

ip access-group 100 in

You still need to open the control connection port 21 but only this port as other ports will be dynamically open.

I hope this helps, please let me know

New Member

Re: Cannot FTP to server behind 837

The stateful firewall solution works great!

Thanks.

Is there a way to log/check what traffic is getting through/attempted the firewall?

is enableing syslog the best solution?

New Member

Re: Cannot FTP to server behind 837

That's great!!

Well, it depends on what you want to do. if you just want to see the packets blocked by your firewall, the inbound access-list, you just add the deny ip any any log at the end and log the traffic to syslog server. you will see a lot of traffic like ping sweeps, etc.

But to see if somebody is actually trying to launch the attack you will have to enable IPS (intrusion prevention) and log this info.

But do not expect miracles with the router. with 64 MB RAM, you will be able to apply relatively few attack signatures, you could upgrade it to 128 and it will be much better. you then download sdf file to your flash and use the command

no ip ips sdf builtin (to disable the signatures that come with the IOS)

ip ips sdf location flash:/...

you enable IPS in a simmilar way as you did inspection

ip ips name ips_rule

int dialer1

ip ips ips_rule in

Even if you have only 64 MB of Ram it is still worth doing (you paid for it when you bought the router :).

The sdf file you need to download to your flash then is attack-drop.sdf which contains limited number of signatures optimized for the amount of Ram.

Good luck!

111
Views
0
Helpful
5
Replies
CreatePlease to create content