Velocity Reviews


thomas 08-21-2006 06:50 AM

How to redirect ftp port for inbound traffic?
 
Hi everybody.
I am a Cisco newbie trying to configure NAT so any inbound ftp traffic gets
redirected to a designated internal host.
I thought it should be very simple to do in SDM but I cannot get it working.
My WAN interface has an ISP dynamically assigned IP address.
It is probably the most common scenario but I found no example in the SDM
2.3.2 User's Guide.
Could someone help?
Thank you,
Tomasz



Robert Langdon 08-23-2006 03:54 PM

Re: How to redirect ftp port for inbound traffic?
 
In article <IIcGg.2830$q63.2824@newssvr13.news.prodigy.com>,
"thomas" <tom@tom.com> wrote:

> Hi everybody.
> I am a Cisco newbie trying to configure NAT so any inbound ftp traffic gets
> redirected to a designated internal host.
> I thought it should be very simple to do in SDM but I cannot get it working.
> My WAN interface has an ISP dynamically assigned IP address.
> It is probably the most common scenario but I found no example in the SDM
> 2.3.2 User's Guide.
> Could someone help?
> Thank you,
> Tomasz


Hi Tomasz,

I am not dealing with SDM but you can do it easily by the command line:

ip nat inside source static tcp <LAN-IP> 21 interface <Dialer to your ISP> 21
ip nat inside source static tcp <LAN-IP> 20 interface <Dialer to your ISP> 20

Cheers,

Robert

thomas 08-29-2006 06:26 AM

Re: How to redirect ftp port for inbound traffic?
 

"Robert Langdon" <anti@material.ch> wrote in message
news:anti-38C2F7.17540223082006@individual.de...
>
> Hi Tomasz,
>
> I am not dealing with SDM but you can do it easily by the command line:
>
> ip nat inside source static tcp <LAN-IP> 21 interface <Dialer to your ISP> 21
> ip nat inside source static tcp <LAN-IP> 20 interface <Dialer to your ISP> 20
>
> Cheers,
>
> Robert


Hi Rob,

Just one more thing: how do I enable ftp on the firewall?
Here is what I have been trying - these are my first two rules:

access-list 102 permit tcp any eq ftp host <int_host_ip> eq ftp
access-list 102 permit tcp any eq ftp-data host <int_host_ip> eq ftp-data

but it does not work. Am I missing something?
Rule 102 is applied to the dialer0 interface: ip access-group 102 in

Tomasz



Igor Mamuzic 08-29-2006 07:56 AM

Re: How to redirect ftp port for inbound traffic?
 
Thomas,

If you want to allow access to your FTP server from the Internet you should
allow traffic on TCP:21 and TCP:20 from any Internet host to your FTP host's
public IP address. This ACL should be applied, in your case, to the dialer
interface (inbound direction).

Best regards,
Igor







thomas 08-30-2006 02:01 AM

Re: How to redirect ftp port for inbound traffic?
 
Hi Igor,

My configuration, attached below, is as you suggest but it does not work.
Any suggestions?
Please advise.

Tomasz

interface Dialer0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect SDM_MEDIUM out
ip nat outside
ip virtual-reassembly
ip route-cache flow
dialer pool 1
no cdp enable
!
ip nat inside source list 110 interface Dialer0 overload
ip nat inside source static tcp <ftp_host_ip> 21 interface Dialer0 21
ip nat inside source static tcp <ftp_host_ip> 20 interface Dialer0 20
!
access-list 102 permit tcp any eq ftp host <ftp_host_ip> eq ftp
access-list 102 permit tcp any eq ftp-data host <ftp_host_ip> eq ftp-data
access-list 110 permit ip 192.168.2.0 0.0.0.255 any


"Igor Mamuzic" <someone@someone.com> wrote in message
news:ed0rmf$p2g$1@magcargo.vodatel.hr...
> Thomas,
>
> If you want to allow access on your FTP server from the Internet you
> should allow traffic on TCP:21 and TCP:20 from any Internet host onto your
> FTP host public ip address. This ACL should be applied in your case onto
> dialer interface (inbound direction).
>
> Best regards,
> Igor




Bod43@hotmail.co.uk 08-30-2006 06:04 AM

Re: How to redirect ftp port for inbound traffic?
 

thomas wrote:
> Hi Igor,
>
> My configuration, attached below, is as you suggest but it does not work.
> Any suggestions?
> Please advise.
>
> Tomasz
>
> interface Dialer0
> ip access-group 102 in
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip inspect SDM_MEDIUM out
> ip nat outside
> ip virtual-reassembly
> ip route-cache flow
> dialer pool 1
> no cdp enable
> !
> ip nat inside source list 110 interface Dialer0 overload
> ip nat inside source static tcp <ftp_host_ip> 21 interface Dialer0 21
> ip nat inside source static tcp <ftp_host_ip> 20 interface Dialer0 20
> !
> access-list 102 permit tcp any eq ftp host <ftp_host_ip> eq ftp
> access-list 102 permit tcp any eq ftp-data host <ftp_host_ip> eq ftp-data
> access-list 110 permit ip 192.168.2.0 0.0.0.255 any
>


access-list 102 permit tcp any host <int_host_ip> eq ftp
access-list 102 permit tcp any host <int_host_ip> eq ftp-data

I guess that this is what you want.

The ftp clients will choose their source ports arbitrarily
and will, I believe, always be > 1023, so I guess

access-list 102 permit tcp any gt 1023 host <int_host_ip> eq ftp
access-list 102 permit tcp any gt 1023 host <int_host_ip> eq ftp-data

is better?

Note that I think that this will only work with "passive" ftp,
which is mostly what people do nowadays anyway I think.

Using inspect inbound MAY allow non-passive (active?)
ftp to work. Don't know.

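The two ACL variants discussed above differ in one field only, the source port, and that is enough to decide whether an inbound FTP control connection is permitted or dropped. The script below is an added example, not part of the thread: it is a toy model of an IOS extended ACL evaluator and of the two static NAT entries from Tomasz's configuration, run against a constructed inbound SYN from an Internet client. All addresses are constructed (`198.51.100.7` stands for the Dialer0 address, `192.168.2.10` for `<ftp_host_ip>`, `203.0.113.5` for a client). It also models one detail the thread touches on when Igor mentions the "public ip address": IOS evaluates the inbound ACL on the outside interface before it performs outside-to-inside NAT, so an ACL that names the inside host address as destination never sees a matching packet. The `<public_ip>` variant is hypothetical and only there to show what the ACL actually sees; with a dynamically assigned address it cannot be hard-coded like this.

```python
"""Toy model of an IOS extended ACL on the outside (Dialer0) interface plus the
thread's two static NAT entries. Added example with constructed addresses; it
does not talk to any router."""
import ipaddress
from dataclasses import dataclass
from typing import Callable

# Constructed sample addresses standing in for the thread's placeholders.
PUBLIC_IP = "198.51.100.7"      # ISP-assigned address on Dialer0
FTP_HOST_IP = "192.168.2.10"    # <ftp_host_ip>, the inside FTP server
WELL_KNOWN = {"ftp": 21, "ftp-data": 20}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Ace:
    action: str
    proto: str
    src: Callable[[str], bool]
    sport: Callable[[int], bool]
    dst: Callable[[str], bool]
    dport: Callable[[int], bool]
    text: str


def _port_matcher(t, i):
    """Optional IOS port qualifier (eq/gt/lt) at t[i]; absent means 'any port'."""
    if i < len(t) and t[i] in ("eq", "gt", "lt"):
        op, n = t[i], WELL_KNOWN.get(t[i + 1]) or int(t[i + 1])
        return {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}[op], i + 2
    return (lambda p: True), i


def _addr_matcher(t, i):
    """'any', 'host A', or 'A WILDCARD' (a set wildcard bit means 'don't care')."""
    if t[i] == "any":
        return (lambda a: True), i + 1
    if t[i] == "host":
        target = ipaddress.ip_address(t[i + 1])
        return (lambda a: ipaddress.ip_address(a) == target), i + 2
    base, wild = int(ipaddress.ip_address(t[i])), int(ipaddress.ip_address(t[i + 1]))
    return (lambda a: (int(ipaddress.ip_address(a)) | wild) == (base | wild)), i + 2


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [port] DST [port]'."""
    t = line.split()
    action, proto = t[2], t[3]
    src, i = _addr_matcher(t, 4)
    sport, i = _port_matcher(t, i)
    dst, i = _addr_matcher(t, i)
    dport, i = _port_matcher(t, i)
    return Ace(action, proto, src, sport, dst, dport, line)


def evaluate(acl, pkt):
    """First match wins; IOS ends every ACL with an implicit 'deny any'."""
    for ace in acl:
        if ace.proto in (pkt.proto, "ip") and ace.src(pkt.src) and ace.sport(pkt.sport) \
                and ace.dst(pkt.dst) and ace.dport(pkt.dport):
            return ace.action
    return "deny"


# The thread's two static entries: (global address, port) -> (inside host, port).
STATIC_NAT = {(PUBLIC_IP, 21): (FTP_HOST_IP, 21), (PUBLIC_IP, 20): (FTP_HOST_IP, 20)}


def nat_outside_to_inside(pkt):
    """Rewrite the destination of an inbound packet if a static entry covers it."""
    inside = STATIC_NAT.get((pkt.dst, pkt.dport))
    return Packet(pkt.src, pkt.sport, inside[0], inside[1], pkt.proto) if inside else pkt


def build(lines):
    return [parse_ace(l.replace("<ftp_host_ip>", FTP_HOST_IP).replace("<public_ip>", PUBLIC_IP))
            for l in lines]


TOMASZ_ACL = build(["access-list 102 permit tcp any eq ftp host <ftp_host_ip> eq ftp",
                    "access-list 102 permit tcp any eq ftp-data host <ftp_host_ip> eq ftp-data"])
BOD43_ACL = build(["access-list 102 permit tcp any gt 1023 host <ftp_host_ip> eq ftp",
                   "access-list 102 permit tcp any gt 1023 host <ftp_host_ip> eq ftp-data"])
# Hypothetical: Bod43's source-port fix written against the address the inbound ACL sees.
GLOBAL_ADDR_ACL = build(["access-list 102 permit tcp any gt 1023 host <public_ip> eq ftp",
                         "access-list 102 permit tcp any gt 1023 host <public_ip> eq ftp-data"])

# Constructed control-channel SYN from an Internet client as it arrives on Dialer0:
# ephemeral source port, destination = the router's global address.
INBOUND_SYN = Packet("203.0.113.5", 49152, PUBLIC_IP, 21)


def results():
    """ACL verdicts for the inbound SYN, before and after the static translation."""
    post_nat = nat_outside_to_inside(INBOUND_SYN)
    return {
        "tomasz_after_nat": evaluate(TOMASZ_ACL, post_nat),            # source port is not 21
        "bod43_after_nat": evaluate(BOD43_ACL, post_nat),              # would match post-NAT
        "bod43_as_seen_on_dialer0": evaluate(BOD43_ACL, INBOUND_SYN),  # dst is still the global address
        "global_addr_as_seen_on_dialer0": evaluate(GLOBAL_ADDR_ACL, INBOUND_SYN),
    }


if __name__ == "__main__":
    for name, verdict in results().items():
        print(f"{name:32} {verdict}")
```

Run it and the first verdict is `deny`: a client never sources its control connection from port 21, so `any eq ftp` can only match traffic that does not exist. Bod43's `gt 1023` form permits the SYN once the destination is the inside host, but the inbound ACL on Dialer0 is evaluated while the destination is still the global address, which is the point Igor raises.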

thomas 09-02-2006 09:26 PM

Re: How to redirect ftp port for inbound traffic?
 

<Bod43@hotmail.co.uk> wrote in message
news:1156917858.663072.99170@i42g2000cwa.googlegroups.com...
>
> access-list 102 permit tcp any host <int_host_ip> eq ftp
> access-list 102 permit tcp any host <int_host_ip> eq ftp-data
>
> I guess that this is what you want.
>
> The ftp clients will choose their source ports arbitrarily
> and will I believe always be > 1023 so I guess
>
> access-list 102 permit tcp any gt 1023 host <int_host_ip> eq ftp
> access-list 102 permit tcp any gt 1023 host <int_host_ip> eq ftp-data
>
> is better?
>
> Note that I think that this will only work with "passive" ftp,
> which is mostly what people do nowadays anyway I think.
>
> using inspect inbound MAY allow non-passive (Active?)
> ftp to work. Don't know.
>


I tried but it did not work.
Thank you,
Tomasz



