
Thread: cisco 2600 ftp config

  1. #1

    cisco 2600 ftp config

    I am messing around at work trying to set up an FTP server behind a Cisco 2600. I have set the static port forwarding
    ip nat inside source static tcp 10.1.1.31 21 interface Dialer1 21
    but FTP programs try to make a second connection to a super high port such as 40***. I have looked all over the web and do not have the documentation for the router. Can anyone help me out with a config I could use to enable complete FTP forwarding?

    thank you

    //yourname here

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Without giving you the answer, I'd take a look at active and passive FTP rule setups on the Cisco page. You are missing a few things based on the rule you posted. If you still can't figure it out, I'll give you the answer.

    This is a very basic setup and you should be able to nail it down with minimal effort.

    --TH13

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    OK, active FTP is when the client makes a request to open up a second port to send data such as the LIST command, while PASV requests that the server opens up a secondary port. I was trying to set NAT static routes but I couldn't find an option that would allow me to set a range of ports to forward. I stole someone's CCIE book, took out my static NAT routes and added a couple of extended ACLs:

    access-list 102 permit tcp any eq ftp host 10.1.1.31 gt 1023 established
    access-list 102 permit tcp any eq ftp-data host 10.1.1.31 gt 1023

    (10.1.1.31 being my internal box with the server on it)

    It did not work however (I don't connect initially to the box anymore) and I think it stems from my lack of understanding of routing =( I have an incoming connection on Dialer1 and then run it through NAT and out through FastEthernet 0/0. Without my static routes I re-added
    ip nat inside source static tcp 10.1.1.31 21 int Dialer 1 14001
    and I was able to connect initially again, but no luck with PASV (it just hangs on the LIST command) and active gives me an illegal port error. Any more leads to help me out?? Thanks a lot.

  4. #4
    Shadow Programmer mmelby
    Join Date
    Jul 2002
    Location
    Ft. Myers, FL
    Posts
    291
    I don't have it in front of me but if I remember correctly there is a fixup statement you also need to add. It should be in the support area of the CISCO site.
    Work... Some days it's just not worth chewing through the restraints...

  5. #5
    Senior Member
    Join Date
    Aug 2003
    Posts
    205
    yourname

    What are you exactly trying to accomplish?

    Do you have many servers running on the inside/private LAN that
    all need to share that one public IP? If not, why bother with port forwarding?
    Just do a static one-to-one NAT and add an ACL to permit the source/s you define.
    You can define it as granularly as you like.

    Also, just curious, are you using the async interface on the Cisco router as the
    outside interface?

  6. #6
    OK, I have one box in the internal network that I want to set up as an FTP server. I am using the Cisco router to take in one connection and am running NAT on it. I really don't know what I'm doing that well, but that's why I'm doing it. I was able to set the static NAT route fine but could not figure out how to allow open port connections to be made by the internal FTP (PASV) so as to allow a data connection to a box outside.

    [Outside Line]
    |
    |
    [Cisco 2600]
    |
    |
    ((private Ip's))
    |
    |
    [Ftp server (10.1.1.31)]

    No, I'm not using an async int.
    Thanks

  7. #7
    Senior Member
    Join Date
    Aug 2003
    Posts
    205
    yourname,

    Assume your outside interface on cisco 2600 is "x"

    If I understand you correctly, you want to allow any source from outside destined for "IP x and application FTP" to be forwarded to 10.1.1.31..


    Cisco calls this: "Static translations with ports"
    The syntax is:
    ip nat inside source static { tcp | udp } <localaddr> <localport> <globaladdr> <globalport>

    See Link for more info...
    http://www.cisco.com/en/US/tech/tk64...80091cb9.shtml
    (scroll half way down the page for explanation)

    Good luck

  8. #8
    I have no problem setting static routes; I use it for SSH, HTTP etc. FTP requires (at least to the best of my knowledge) one port for the connection, then either the client or the server requests a secondary data port to send commands over (such as LIST), depending on whether you're using PASV or active FTP. I can connect to my FTP server and log in but cannot send LIST commands and such (using PASV mode). I need to get that second data port open when the server sends the secondary port request through.

  9. #9
    Senior Member
    Join Date
    Aug 2003
    Posts
    205
    Do you know if you are using passive or active FTP?
    I think one way you can do this is by incorporating route map statements with NAT.
    Here you can define as many access-list statements as you like depending on flavor of FTP..

    Here's a good link describing the difference between active and passive FTP to help you define ACL statements:
    http://slacksite.com/other/ftp.html#active

    Good Luck,

    P.S
    If I had a router in front of me, I could have whipped it out and tested it for you... It's been a while.

  10. #10

    /cry

    OK, I could not figure out how to configure my router, so I cheated and restricted the high range ports (used for PASV) on the Unix box the FTP site is on.
    I did
    #sysctl net.inet.ip.portrange.first=49000
    #sysctl net.inet.ip.portrange.last=49005

    Then I set ftpd in inetd.conf to use the -U option (I have no problem FTPing from inside my network).
    Then I set all 6 ports to forward to the Unix box, but it still hangs on the LIST command. Here is my running config for the Cisco as well, just in case I'm doing something stupid there too.


    NOTE: the "*" are put there by me.

    Current configuration : 3384 bytes
    !
    version 12.3
    service tcp-keepalives-in
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname cisco-bitch
    !
    enable password *
    !
    memory-size iomem 10
    ip subnet-zero
    ip cef
    !
    !
    no ip domain lookup
    ip name-server *
    ip name-server *
    ip dhcp excluded-address 10.1.1.1
    !
    ip dhcp pool intranet
    network 10.1.1.0 255.255.255.0
    default-router 10.1.1.1
    dns-server *
    !
    ip multicast-routing
    ip inspect name FW tcp
    ip inspect name FW udp
    ip inspect name FW h323
    ip inspect name FW rcmd
    ip inspect name FW realaudio
    ip inspect name FW netshow
    ip inspect name FW icmp
    ip inspect name FW smtp
    ip inspect name FW sqlnet
    ip inspect name FW tftp
    ip inspect name FW http
    ip inspect name FW fragment maximum 256 timeout 1
    ip inspect name FW vdolive
    ip inspect name FW cuseeme
    ip inspect name FW streamworks
    ip inspect name FW sip
    ip audit notify log
    ip audit po max-events 100
    vpdn enable
    !
    vpdn-group 1
    !
    vpdn-group ppoe
    !
    vpdn-group pppoe
    request-dialin
    protocol pptp
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    no voice hpi capture buffer
    no voice hpi capture destination
    !
    !
    !
    !
    !
    !
    interface FastEthernet0/0
    ip address 10.1.1.1 255.255.255.0
    ip nat inside
    ip pim sparse-mode
    ip tcp adjust-mss 1290
    ip igmp version 3
    duplex auto
    speed auto
    !
    interface Serial0/0
    no ip address
    shutdown
    no fair-queue
    !
    interface FastEthernet0/1
    no ip address
    ip tcp adjust-mss 1290
    duplex auto
    speed auto
    pppoe enable
    pppoe-client dial-pool-number 1
    !
    interface Serial0/1
    no ip address
    shutdown
    !
    interface Ethernet1/0
    no ip address
    shutdown
    half-duplex
    !
    interface Ethernet1/1
    no ip address
    ip nat inside
    ip tcp adjust-mss 1000
    shutdown
    half-duplex
    !
    interface Ethernet1/2
    no ip address
    shutdown
    half-duplex
    !
    interface Ethernet1/3
    no ip address
    shutdown
    half-duplex
    !
    interface Dialer1
    ip address negotiated
    ip nat outside
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    down-when-looped
    priority-group 5
    ppp authentication chap callin
    ppp chap hostname *
    ppp chap password 0 *
    ppp pap sent-username * password 0 *
    !
    ip nat inside source list 1 interface Dialer1 overload
    ip nat inside source static tcp 10.1.1.31 49005 interface Dialer1 49005
    ip nat inside source static tcp 10.1.1.31 49004 interface Dialer1 49004
    ip nat inside source static tcp 10.1.1.31 49003 interface Dialer1 49003
    ip nat inside source static tcp 10.1.1.31 49002 interface Dialer1 49002
    ip nat inside source static tcp 10.1.1.31 49001 interface Dialer1 49001
    ip nat inside source static tcp 10.1.1.31 49000 interface Dialer1 49000
    ip nat inside source static tcp 10.1.1.31 21 interface Dialer1 14001
    ip nat inside source static tcp 10.1.1.14 80 interface Dialer1 80
    ip nat inside source static tcp 10.1.1.31 22 interface Dialer1 14000
    no ip http server
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip route 0.0.0.0 0.0.0.0 Null0 255
    !
    ip pim rp-candidate FastEthernet0/0
    !
    access-list 1 permit 10.1.2.0 0.0.0.255
    access-list 1 permit 10.1.3.0 0.0.0.255
    access-list 1 permit 10.1.4.0 0.0.0.255
    access-list 1 permit 10.1.5.0 0.0.0.255
    access-list 1 permit 10.1.6.0 0.0.0.255
    access-list 1 permit 10.1.1.0 0.0.0.255
    priority-list 1 protocol ip high tcp www
    !
    !
    !
    dial-peer cor custom
    !
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    login
    transport input none
    !
    !
    !
    end

    Thanks alot

    //yourname here
