New Member

Send FTP traffic to one interface and rest to another interface

I would like to send FTP traffic over our T1 line and all other traffic over a DSL connection. Our DSL connection is on F0/1 and our T1 is on Vlan1. NAT shows that FTP traffic is translated to the IP on Vlan1, but from there it appears that it doesn't go out, as FTP does not work. Web browsing works over F0/1. My config is attached.

show ip nat trans:

tcp x.x.x.70:49513 192.168.1.128:49513 x.x.x.6:80 x.x.x.6:80
tcp x.x.x.34:49752 192.168.1.128:49752 x.x.x.197:21 x.x.x.197:21
udp x.x.x.70:57767 192.168.1.128:57767 x.x.x.122:3544 x.x.x.122:3544

So it is translating, but it stops there. Is there something I need to change with routing?

17 REPLIES

Re: Send FTP traffic to one interface and rest to another interface

I think your issue can be solved with the help of route maps, or, as you could say, policy-based routing:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt1/qcfpbr.htm

rate this post if it helps

regards

Devang

Hall of Fame Super Bronze

Re: Send FTP traffic to one interface and rest to another interface

You need to configure PBR, routing won't do it alone.

access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq ftp
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq ftp-data
!
route-map ftptraffic permit 10
 match ip address 101
 set ip next-hop [next hop T1 IP]
!
interface fa0/0
 ip policy route-map ftptraffic

Please rate helpful posts.

Thanks

New Member

Re: Send FTP traffic to one interface and rest to another interface

I tried that and it still does not work. Is the static route (ip route 0.0.0.0 0.0.0.0 FastEthernet0/1) overriding this?

Hall of Fame Super Bronze

Re: Send FTP traffic to one interface and rest to another interface

Can you post the new router config?

Can you also turn on debug against ACL 101 and see if the traffic is matching the route-map?

#debug ip packet 101 detail

In addition, change your NAT routine to a standard NAT and let the PBR I posted do its job. You are performing 2 PBRs.

New Member

Re: Send FTP traffic to one interface and rest to another interface

I attached the new config and the debug information.

Hall of Fame Super Bronze

Re: Send FTP traffic to one interface and rest to another interface

Based on the debug and config, this should work; my only suggestion is removing

set interface Vlan1

from the route-map command.

Post Edit:

I'm thinking the NAT is taking place before the PBR; let's do the following:

access-list 103 permit tcp any any eq ftp
access-list 103 permit tcp any any eq ftp-data

New Member

Re: Send FTP traffic to one interface and rest to another interface

I tried that and still a no go. Any other ideas?

Hall of Fame Super Bronze

Re: Send FTP traffic to one interface and rest to another interface

Sorry to ask the obvious question, but is the T1 actually working? If you remove the PBR and change the default route to VLAN 1, can you connect to anything?

Hall of Fame Super Bronze

Re: Send FTP traffic to one interface and rest to another interface

I found some discrepancies in the debug output:

1) IP: s=x.x.x.70 (FastEthernet0/0)

Isn't .70 sourcing from F0/1?

2) d=x.x.x.197 (FastEthernet0/1)

Isn't that VLAN 1?

New Member

Re: Send FTP traffic to one interface and rest to another interface

.70 is the IP on F0/1

.197 is the IP of the ftp site being accessed.

The T1 does work if I remove all PBR and have just one NAT statement to the T1 along with changing the static route (0.0.0.0 0.0.0.0) to the T1.

Hall of Fame Super Bronze

Re: Send FTP traffic to one interface and rest to another interface

The debug you posted is not showing this correctly. It's showing .70 is sourcing from Fa0/0 and .197 corresponding to Fa0/1.

000127: *Aug 19 16:44:14.487 UTC: IP: tableid=0, s=192.168.1.128 (FastEthernet0/0), d=x.x.x.197 (FastEthernet0/1), routed via FIB
000128: *Aug 19 16:44:14.491 UTC: IP: s=x.x.x.70 (FastEthernet0/0), d=x.x.x.197 (Vlan1), g=x.x.x.33, len 52, forward
000129: *Aug 19 16:44:14.491 UTC: TCP src=50179, dst=21, seq=209448447, ack=0, win=8192 SYN
000130: *Aug 19 16:44:17.399 UTC: IP: tableid=0, s=192.168.1.128 (local), d=x.x.x.197 (FastEthernet0/1), routed via FIB
000131: *Aug 19 16:44:17.399 UTC: IP: s=192.168.1.128 (local), d=x.x.x.197 (FastEthernet0/1), len 40, sending
000132: *Aug 19 16:44:17.399 UTC: TCP src=50177, dst=21, seq=582833431, ack=0, win=0 RST
000133: *Aug 19 16:44:17.483 UTC: IP: tableid=0, s=192.168.1.128 (FastEthernet0/0), d=x.x.x.197 (FastEthernet0/1), routed via FIB
000134: *Aug 19 16:44:17.483 UTC: IP: s=x.x.x.70 (FastEthernet0/0), d=x.x.x.197 (Vlan1), g=x.x.x.33, len 52, forward
000135: *Aug 19 16:44:17.483 UTC: TCP src=50179, dst=21, seq=209448447, ack=0, win=8192 SYN
000136: *Aug 19 16:44:23.483 UTC: IP: tableid=0, s=192.168.1.128 (FastEthernet0/0), d=x.x.x.197 (FastEthernet0/1), routed via FIB
000137: *Aug 19 16:44:23.483 UTC: IP: s=x.x.x.70 (FastEthernet0/0), d=x.x.x.197 (Vlan1), g=x.x.x.33, len 52, forward
000138: *Aug 19 16:44:23.483 UTC: TCP src=50179, dst=21, seq=209448447, ack=0, win=8192 SYN
000139: *Aug 19 16:44:44.487 UTC: IP: tableid=0, s=192.168.1.128 (local), d=x.x.x.197 (FastEthernet0/1), routed via FIB
000140: *Aug 19 16:44:44.487 UTC: IP: s=192.168.1.128 (local), d=x.x.x.197 (FastEthernet0/1), len 40, sending
000141: *Aug 19 16:44:44.487 UTC: TCP src=50179, dst=21, seq=209448448, ack=0, win=0 RST

As you can see, once you try to use port 21, it gets forwarded by the PBR, the rest gets routed via FIB.

The packet is leaving the interface, now the question is the return packet.
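The reading of the debug above (the FIB picks FastEthernet0/1, the port-21 SYN nevertheless leaves via Vlan1 with a rewritten source) can be checked mechanically rather than by eye. The following is an added example, not code from this thread or from Cisco: a small Python parser for `debug ip packet detail` output that pairs each "routed via FIB" line with the forward/sending line and the TCP line that follow it, then flags three things a reviewer wants to know per packet: whether the egress interface differs from the FIB choice (PBR override), whether the source address was rewritten (NAT), and whether the post-NAT source belongs to an interface other than the one the packet left through, which is the first thing to verify when the return path is in question. The sample lines are the ones quoted above; the interface-to-address map is an assumption built from the statement in this thread that .70 is the IP on F0/1.

```python
import re

# Sample input: debug ip packet lines quoted from this thread (addresses masked as on the page).
DEBUG_LINES = """\
000127: *Aug 19 16:44:14.487 UTC: IP: tableid=0, s=192.168.1.128 (FastEthernet0/0), d=x.x.x.197 (FastEthernet0/1), routed via FIB
000128: *Aug 19 16:44:14.491 UTC: IP: s=x.x.x.70 (FastEthernet0/0), d=x.x.x.197 (Vlan1), g=x.x.x.33, len 52, forward
000129: *Aug 19 16:44:14.491 UTC: TCP src=50179, dst=21, seq=209448447, ack=0, win=8192 SYN
000130: *Aug 19 16:44:17.399 UTC: IP: tableid=0, s=192.168.1.128 (local), d=x.x.x.197 (FastEthernet0/1), routed via FIB
000131: *Aug 19 16:44:17.399 UTC: IP: s=192.168.1.128 (local), d=x.x.x.197 (FastEthernet0/1), len 40, sending
000132: *Aug 19 16:44:17.399 UTC: TCP src=50177, dst=21, seq=582833431, ack=0, win=0 RST
""".splitlines()

# Assumed interface-to-address map. The thread states .70 is the address on F0/1 (DSL);
# other interfaces would be added from 'show ip interface brief' on the real box.
INTERFACE_ADDR = {"FastEthernet0/1": "x.x.x.70"}

FIB_RE = re.compile(r"IP: tableid=\d+, s=(?P<src>\S+) \((?P<sif>[^)]+)\), d=(?P<dst>\S+) "
                    r"\((?P<fib_out>[^)]+)\), routed via FIB")
FWD_RE = re.compile(r"IP: s=(?P<src>\S+) \((?P<sif>[^)]+)\), d=(?P<dst>\S+) \((?P<out>[^)]+)\)"
                    r"(?:, g=(?P<gw>[^,\s]+))?, len \d+, (?P<verdict>\w+)")
TCP_RE = re.compile(r"TCP src=(?P<sport>\d+), dst=(?P<dport>\d+), .*win=\d+ ?(?P<flags>.*)$")


def parse_debug(lines):
    """Group each 'routed via FIB' line with the forward/sending line and TCP line that follow it."""
    records, cur = [], None
    for line in lines:
        m = FIB_RE.search(line)
        if m:
            cur = {"src_pre": m["src"], "in_if": m["sif"], "dst": m["dst"], "fib_out": m["fib_out"]}
            continue
        m = FWD_RE.search(line)
        if m and cur is not None:
            cur.update(src_post=m["src"], out=m["out"], gateway=m["gw"], verdict=m["verdict"])
            continue
        m = TCP_RE.search(line)
        if m and cur is not None and "out" in cur:
            cur.update(sport=int(m["sport"]), dport=int(m["dport"]), flags=m["flags"].strip())
            records.append(cur)
            cur = None
    return records


def annotate(records, interface_addr):
    """Per packet: did PBR override the FIB choice, did NAT rewrite the source, and is the
    post-NAT source owned by an interface other than the one the packet actually left through."""
    owner = {addr: ifname for ifname, addr in interface_addr.items()}
    for r in records:
        r["pbr_override"] = r["out"] != r["fib_out"]
        r["nat_applied"] = r["src_post"] != r["src_pre"]
        src_if = owner.get(r["src_post"])
        r["source_from_other_interface"] = src_if is not None and src_if != r["out"]
    return records


def analyse(lines=DEBUG_LINES, interface_addr=INTERFACE_ADDR):
    return annotate(parse_debug(lines), interface_addr)


if __name__ == "__main__":
    for r in analyse():
        print(f"dport={r['dport']:<5} {r['flags']:<4} FIB={r['fib_out']:<16} left via {r['out']:<16} "
              f"gw={r['gateway']} PBR override={r['pbr_override']} NAT={r['nat_applied']} "
              f"source owned by another interface={r['source_from_other_interface']}")
```

On the sample, the first record (the SYN to port 21) reports a PBR override to Vlan1, a NAT rewrite to x.x.x.70, and a source address owned by FastEthernet0/1 rather than the egress interface; the second record is the router-generated RST, which is neither policy-routed nor translated.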

Hall of Fame Super Bronze

Re: Send FTP traffic to one interface and rest to another interface

Ah!

What about that ip access-group 151?

I don't see you allowing any FTP traffic back in.

access-list 151 remark Inbound F0/1
access-list 151 remark SDM_ACL Category=17
access-list 151 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 151 permit ip 192.168.250.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 151 permit udp any host x.x.x.70 eq non500-isakmp
access-list 151 permit udp any host x.x.x.70 eq isakmp
access-list 151 permit esp any host x.x.x.70
access-list 151 permit ahp any host x.x.x.70
access-list 151 deny ip 192.168.1.0 0.0.0.255 any
access-list 151 permit udp any eq domain host 66.93.3.70
access-list 151 permit icmp any host x.x.x.70 echo-reply
access-list 151 permit icmp any host x.x.x.70 time-exceeded
access-list 151 deny ip 10.0.0.0 0.255.255.255 any
access-list 151 deny ip 172.16.0.0 0.15.255.255 any
access-list 151 deny ip 192.168.0.0 0.0.255.255 any
access-list 151 deny ip 127.0.0.0 0.255.255.255 any
access-list 151 deny ip host 255.255.255.255 any
access-list 151 deny ip host 0.0.0.0 any
access-list 151 permit icmp any host x.x.x.70 unreachable
access-list 151 deny ip any any log

New Member

Re: Send FTP traffic to one interface and rest to another interface

It isn't showing up in the log as being stopped by ACL 151.

If you email me, I can just send you my exact config (minus passwords) with the debug information so you can see everything without me editing all the IPs and pieces of the config. My email is listed in the posting header.

Hall of Fame Super Bronze

Re: Send FTP traffic to one interface and rest to another interface

Before going into the email exchange, please remove the ip access-group 151 for troubleshooting purposes and reinstate the PBR I posted.

Let me know if it works. If it does, I can look over the ACL better.

You only have a log on the last deny. I believe it's denying the packet before hitting the last entry. Remember, ACLs are read sequentially and yours has denies in the middle. Not an easy flow, there.
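Both the PBR pieces posted earlier in this thread (ACL 101, the route-map and the `ip policy` statement on the inside interface) and the point just made about ACLs being read sequentially, with only the last deny logging, can be exercised with a small model. The following is an added example, not code from this thread or from Cisco: a Python first-match evaluator for numbered IOS ACLs plus a one-entry route-map. It feeds in the ACL 101 and ACL 151 text from this thread with constructed stand-in addresses (203.0.113.70 for x.x.x.70, also used where the thread shows 66.93.3.70, 198.51.100.0/24 for the remote side, and 198.51.100.33 as a placeholder for the T1 next hop) and constructed sample packets. ICMP type keywords are not modelled, and wildcard masks are assumed contiguous.

```python
import ipaddress
from collections import namedtuple

# One access-list entry; 'text' keeps the original line for reporting.
Ace = namedtuple("Ace", "action proto src sport dst dport log text")
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "domain": 53, "isakmp": 500, "non500-isakmp": 4500}


def _wildcard_net(addr, wildcard):
    """IOS wildcard mask (0 bit = must match) -> network; assumes a contiguous wildcard."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def _addr_port(t, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' plus an optional 'eq PORT'; return (net, port, next index)."""
    if t[i] == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif t[i] == "host":
        net, i = ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    else:
        net, i = _wildcard_net(t[i], t[i + 1]), i + 2
    port = None
    if i < len(t) and t[i] == "eq":
        port, i = int(PORT_NAMES.get(t[i + 1], t[i + 1])), i + 2
    return net, port, i


def parse_acl(config, number):
    """Entries of one numbered ACL in configured order (the order is what matters: first match wins)."""
    aces = []
    for line in config.strip().splitlines():
        t = line.split()
        if t[:2] != ["access-list", str(number)] or t[2] == "remark":
            continue
        src, sport, i = _addr_port(t, 4)
        dst, dport, i = _addr_port(t, i)
        # ICMP type keywords (echo-reply, unreachable, ...) are not modelled; only 'log' is read.
        aces.append(Ace(t[2], t[3], src, sport, dst, dport, "log" in t[i:], line.strip()))
    return aces


def first_match(aces, pkt):
    """Index and entry of the first matching line, or (None, None) for the implicit deny at the end."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for idx, ace in enumerate(aces):
        if (ace.proto in ("ip", pkt["proto"]) and src in ace.src and dst in ace.dst
                and ace.sport in (None, pkt.get("sport")) and ace.dport in (None, pkt.get("dport"))):
            return idx, ace
    return None, None


def pbr_next_hop(match_acl, next_hop, pkt):
    """One-entry route-map ('match ip address <acl>' then 'set ip next-hop'): the hop, or None to use the FIB."""
    _, ace = first_match(match_acl, pkt)
    return next_hop if ace is not None and ace.action == "permit" else None


# Constructed sample: the PBR ACL posted in this thread and the inbound ACL 151 with stand-in addresses.
ACL_101 = """
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq ftp
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq ftp-data
"""
T1_NEXT_HOP = "198.51.100.33"   # placeholder for [next hop T1 IP]
ACL_151 = """
access-list 151 remark Inbound F0/1
access-list 151 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 151 permit ip 192.168.250.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 151 permit udp any host 203.0.113.70 eq non500-isakmp
access-list 151 permit udp any host 203.0.113.70 eq isakmp
access-list 151 permit esp any host 203.0.113.70
access-list 151 permit ahp any host 203.0.113.70
access-list 151 deny ip 192.168.1.0 0.0.0.255 any
access-list 151 permit udp any eq domain host 203.0.113.70
access-list 151 permit icmp any host 203.0.113.70 echo-reply
access-list 151 permit icmp any host 203.0.113.70 time-exceeded
access-list 151 deny ip 10.0.0.0 0.255.255.255 any
access-list 151 deny ip 172.16.0.0 0.15.255.255 any
access-list 151 deny ip 192.168.0.0 0.0.255.255 any
access-list 151 deny ip 127.0.0.0 0.255.255.255 any
access-list 151 deny ip host 255.255.255.255 any
access-list 151 deny ip host 0.0.0.0 any
access-list 151 permit icmp any host 203.0.113.70 unreachable
access-list 151 deny ip any any log
"""


def demo():
    """Constructed packets through the route-map (outbound) and ACL 151 (inbound); inbound results are (index, action, logged)."""
    acl101, acl151 = parse_acl(ACL_101, 101), parse_acl(ACL_151, 151)

    def inbound(pkt):
        idx, ace = first_match(acl151, pkt)
        return (idx, ace.action, ace.log) if ace else (None, "deny", False)

    inside, server, me = "192.168.1.128", "198.51.100.197", "203.0.113.70"
    return {
        "ftp_out": pbr_next_hop(acl101, T1_NEXT_HOP, {"proto": "tcp", "src": inside, "sport": 50179, "dst": server, "dport": 21}),
        "web_out": pbr_next_hop(acl101, T1_NEXT_HOP, {"proto": "tcp", "src": inside, "sport": 49513, "dst": server, "dport": 80}),
        "ftp_back": inbound({"proto": "tcp", "src": server, "sport": 21, "dst": me, "dport": 50179}),
        "spoofed": inbound({"proto": "tcp", "src": "192.168.5.9", "sport": 21, "dst": me, "dport": 50179}),
        "ike": inbound({"proto": "udp", "src": "198.51.100.5", "sport": 500, "dst": me, "dport": 500}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:<9} {result}")
```

Outbound, the FTP SYN from 192.168.1.128 takes the route-map next hop while the web request falls through to the FIB; the model matches on the pre-NAT source, which is the order IOS applies for inside-to-outside traffic (policy routing before NAT inside-to-outside) and agrees with the debug above, where the routing line still shows s=192.168.1.128 and only the forward line shows the translated address. Inbound, a reply from the FTP server to the .70 address reaches the final `deny ip any any log` entry (index 17) and would be logged, whereas a packet with a 192.168.x source is dropped at the unlogged entry at index 12 and never reaches the logging line, which is the sequential-evaluation point made above.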

New Member

Re: Send FTP traffic to one interface and rest to another interface

OK, I removed ACL 151 and 100 (it was on F0/0 in). Still no FTP access.

000126: *Aug 19 19:33:36.679 UTC: IP: tableid=0, s=192.168.1.128 (FastEthernet0/0), d=x.197 (FastEthernet0/1), routed via FIB
000127: *Aug 19 19:33:36.679 UTC: IP: s=x.70 (FastEthernet0/0), d=x.197 (Vlan1), g=x.33, len 52, forward
000128: *Aug 19 19:33:36.679 UTC: TCP src=50576, dst=21, seq=1637206606, ack=0, win=8192 SYN

Hall of Fame Super Bronze

Re: Send FTP traffic to one interface and rest to another interface

Email sent.

Silver

Re: Send FTP traffic to one interface and rest to another interface

Did you try to remove the ACL 151 from VLAN1? Or create another ACL for VLAN 1 input only which includes the statements below:

access-list 152 permit tcp any 192.168.1.0 0.0.0.255 eq ftp
access-list 152 permit tcp any 192.168.1.0 0.0.0.255 eq ftp-data
!
interface Vlan1
 ip access-group 152 in

Hope this helps.
