Velocity Reviews - Computer Hardware Reviews

803 access list for FTP transfers?

 
 
Peter
 
      12-04-2003

Bob { Goddard } <(E-Mail Removed)> wrote

>This is required because passive ftp uses ephemeral ports
>and the only reliable way for this traffic to keep the line
>up is to test for the ACK bit.


I am not using Passive Mode.

>If you want it shorter then modify "dialer idle-timeout <#>" unless
>you already have.


Yes, in fact using a very short timeout, e.g. 10 secs, would have been
a solution to the original external sniffing (or whatever it was)
problem. The downside of that is that with a dynamic IP, your IP keeps
changing through perhaps a single www browsing session...

>> If ** proves to be a real problem (basically if I run over my 120hr
>> Clara monthly time limit due to this) then I will remove the ** line
>> and use a little .htm prog I have which hits www.google.com every 100
>> seconds and run that during any ftp ops

>
>A simple ping could be used as well if you add
>access-list 100 permit icmp any any echo


Oddly enough I can ping www.cisco.com already

>What can I say, except if you can, go ADSL.


I can't - in a village and so far only about 40 people have signed up
for it.

The bizarre thing is that I had no problem with the previous ISP; the
router would hang up perfectly every time...

Thanks Bob for all your help so far... my g/f is looking at a Linksys
54k ADSL->wifi router and is quite horrified at my problems with
router config. But then on ADSL she would never notice... I bet they
come configured wide-open; if they didn't, nobody could handle the
tech support.



Peter.
--
Return address is invalid to help stop junk mail.
E-mail replies to (E-Mail Removed) but remove the X and the Y.
Please do NOT copy usenet posts to email - it is NOT necessary.
Peter
 
      12-04-2003

More info obtained from RS232-attached terminal:

command: debug dialer packets

shows the following with the PC connected via ethernet (and this did
extend the dialler timeout, as expected):

>23:14:27: Di1 DDR: ip (s=217.158.156.124, d=217.158.170.56), 40 bytes, outgoing interesting (list 100)


Then I UNplugged the ethernet cable from the router and saw this

>23:19:15: BR0 DDR: cdp, 307 bytes, outgoing uninteresting (no dialer-group defined)
>23:19:15: BR0 DDR: sending broadcast to default destination -- failed, not connected
>23:19:15: Di1 DDR: cdp, 305 bytes, outgoing uninteresting (no list matched)
>23:19:15: Di2 DDR: cdp, 305 bytes, outgoing uninteresting (no list matched)
>23:20:15: BR0 DDR: cdp, 307 bytes, outgoing uninteresting (no dialer-group defined)
>23:20:15: BR0 DDR: sending broadcast to default destination -- failed, not connected
>23:20:15: Di1 DDR: cdp, 305 bytes, outgoing uninteresting (no list matched)
>23:20:15: Di2 DDR: cdp, 305 bytes, outgoing uninteresting (no list matched)
>23:21:15: BR0 DDR: cdp, 307 bytes, outgoing uninteresting (no dialer-group defined)
>23:21:15: BR0 DDR: sending broadcast to default destination -- failed, not connected
>23:21:15: Di1 DDR: cdp, 305 bytes, outgoing uninteresting (no list matched)
>23:21:15: Di2 DDR: cdp, 305 bytes, outgoing uninteresting (no list matched)
>23:21:39: Di1 DDR: ip (s=217.158.156.42, d=217.158.117.119), 92 bytes, outgoing uninteresting (list 100)
>23:21:41: Di1 DDR: ip (s=217.158.156.42, d=217.158.132.1), 92 bytes, outgoing uninteresting (list 100)
>23:21:42: Di1 DDR: ip (s=217.158.156.42, d=217.158.132.1), 40 bytes, outgoing interesting (list 100)
>23:21:44: Di1 DDR: ip (s=217.158.156.42, d=217.158.132.1), 40 bytes, outgoing interesting (list 100)
>23:21:49: Di1 DDR: ip (s=217.158.156.42, d=217.158.132.1), 40 bytes, outgoing interesting (list 100)


The last 3 lines reloaded the dialler timeout. What are these 40-byte
packets?


Peter.
Peter
 
      12-04-2003

Peter <(E-Mail Removed)> wrote

>The last 3 lines reloaded the dialler timeout. What are these 40-byte
>packets?


Then I did this:

>c:\>tracert 217.158.156.42
>
>Tracing route to du-069-0551.access.clara.net [217.158.156.42]
>over a maximum of 30 hops:
>
> 1 <10 ms <10 ms <10 ms du-069-0551.access.clara.net [217.158.156.42]
>
>Trace complete.
>
>c:\>tracert 217.158.132.1
>
>Tracing route to du-069-0001.access.clara.net [217.158.132.1]
>over a maximum of 30 hops:
>
> 1 <10 ms <10 ms <10 ms 10.100.101.254
> 2 31 ms 32 ms 47 ms fe-0-0-telee-ishmael.router.clara.net [213.253.16.69]
> 3 * * * Request timed out.
> 4 * * * Request timed out.
> 5 * * * Request timed out.
> 6 * * * Request timed out.
> 7 * * * Request timed out.
> 8 * * * Request timed out.
> 9 * * * Request timed out.
> 10 * * * Request timed out.
> 11 * * * Request timed out.
> 12 * * * Request timed out.
> 13 * * * Request timed out.
> 14 * * ^C
>c:\>ping 217.158.132.1
>
>Pinging 217.158.132.1 with 32 bytes of data:
>
>Request timed out.
>Request timed out.
>Request timed out.
>Request timed out.
>
>Ping statistics for 217.158.132.1:
> Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
>Approximate round trip times in milli-seconds:
> Minimum = 0ms, Maximum = 0ms, Average = 0ms
>
>c:\>




Peter.
Peter
 
      12-04-2003
Later, the 2nd IP changed to one which could be traced, and the debug
showed

>23:30:23: Di1 DDR: ip (s=217.158.156.42, d=217.158.106.204), 40 bytes, outgoing interesting (list 100)
>23:30:30: Di1 DDR: ip (s=217.158.156.42, d=217.158.106.204), 40 bytes, outgoing interesting (list 100)
>
>c:\>tracert 217.158.106.204
>
>Tracing route to adsl-solo-106-204.claranet.co.uk [217.158.106.204]
>over a maximum of 30 hops:
>
> 1 <10 ms <10 ms <10 ms 10.100.101.254
> 2 31 ms 47 ms 47 ms fe-0-0-telee-ishmael.router.clara.net [213.253.16.69]
> 3 31 ms 47 ms 47 ms ge-1-0-0-telee-tashtego.router.clara.net [213.253.16.66]
> 4 32 ms 46 ms * adsl-1.uk.clara.net [195.8.68.236]
> 5 47 ms 31 ms 47 ms 217.41.128.105
> 6 46 ms 32 ms 47 ms 217.41.128.3
> 7 47 ms 63 ms 62 ms adsl-solo-106-204.claranet.co.uk [217.158.106.204]


so these 40-byte packets are going from Clara to Clara!


Peter.
Martin Gallagher
 
      12-05-2003
On Thu, 04 Dec 2003 19:33:15 +0000, Peter wrote:

>>23:21:41: Di1 DDR: ip (s=217.158.156.42, d=217.158.132.1), 92 bytes, outgoing uninteresting (list 100)
>>23:21:42: Di1 DDR: ip (s=217.158.156.42, d=217.158.132.1), 40 bytes, outgoing interesting (list 100)
>>23:21:44: Di1 DDR: ip (s=217.158.156.42, d=217.158.132.1), 40 bytes, outgoing interesting (list 100)
>>23:21:49: Di1 DDR: ip (s=217.158.156.42, d=217.158.132.1), 40 bytes, outgoing interesting (list 100)

>
> The last 3 lines reloaded the dialler timeout. What are these 40-byte
> packets?
>


TCP resets perhaps. If the 92 byte packet is a ping response, then
217.158.132.1 might try to connect with tcp and the router sends resets
because it isn't listening.

I thought you could match the tcp flags in an ACL and maybe make resets
uninteresting, but a quick check didn't show me how. Otherwise, block
icmp echo inbound, assuming you haven't already. In which case, I'm
blowing smoke.

--
Rgds,
Martin
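As an added example (not from the thread), the `debug dialer packets` lines Peter quoted and Martin's reset hypothesis can be checked with a small parser: it tallies which source/destination pairs list 100 marked interesting (and so reloaded the idle timer) and flags 40-byte IP packets, which is exactly a minimum IPv4 header plus a minimum TCP header with no payload, the size a bare RST or ACK has. The debug output carries no TCP flags, so the script only marks candidates; confirming resets needs a packet capture.

```python
import re
from collections import Counter

# 'debug dialer packets' lines as quoted in the thread (not constructed).
DEBUG_LINES = [
    "23:21:15: BR0 DDR: cdp, 307 bytes, outgoing uninteresting (no dialer-group defined)",
    "23:21:15: BR0 DDR: sending broadcast to default destination -- failed, not connected",
    "23:21:15: Di1 DDR: cdp, 305 bytes, outgoing uninteresting (no list matched)",
    "23:21:39: Di1 DDR: ip (s=217.158.156.42, d=217.158.117.119), 92 bytes, outgoing uninteresting (list 100)",
    "23:21:41: Di1 DDR: ip (s=217.158.156.42, d=217.158.132.1), 92 bytes, outgoing uninteresting (list 100)",
    "23:21:42: Di1 DDR: ip (s=217.158.156.42, d=217.158.132.1), 40 bytes, outgoing interesting (list 100)",
    "23:21:44: Di1 DDR: ip (s=217.158.156.42, d=217.158.132.1), 40 bytes, outgoing interesting (list 100)",
    "23:21:49: Di1 DDR: ip (s=217.158.156.42, d=217.158.132.1), 40 bytes, outgoing interesting (list 100)",
]

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d): (?P<iface>\S+) DDR: (?P<proto>\w+)"
    r"(?: \(s=(?P<src>[\d.]+), d=(?P<dst>[\d.]+)\))?, (?P<size>\d+) bytes, "
    r"outgoing (?P<verdict>interesting|uninteresting) \((?P<reason>[^)]*)\)$"
)

# Minimum IPv4 header (20) + minimum TCP header (20): a packet with no payload.
HEADER_ONLY_TCP = 40
def parse_line(line):
    """Fields of one per-packet verdict line, or None for other debug output."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"])
    rec["interesting"] = rec["verdict"] == "interesting"
    return rec

def summarize(lines):
    """Interesting packets per (src, dst) flow, plus header-only IP packets."""
    timer_resets = Counter()   # flows whose packets reloaded the idle timer
    header_only = []           # (time, dst) of 40-byte IP packets: RST/ACK candidates
    for rec in filter(None, map(parse_line, lines)):
        if rec["interesting"]:
            timer_resets[(rec["src"], rec["dst"])] += 1
        if rec["proto"] == "ip" and rec["size"] == HEADER_ONLY_TCP:
            header_only.append((rec["time"], rec["dst"]))
    return timer_resets, header_only

if __name__ == "__main__":
    resets, candidates = summarize(DEBUG_LINES)
    for flow, n in resets.items():
        print(f"{n} interesting packet(s) kept the line up: {flow[0]} -> {flow[1]}")
    print("header-only IP packets (possible bare TCP RST/ACK):", candidates)
```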
Peter
 
      12-05-2003

"Martin Gallagher" <(E-Mail Removed)> wrote:

>Otherwise, block
>icmp echo inbound, assuming you haven't already.


What would be the syntax for that?


Peter.
Martin Gallagher
 
      12-06-2003
On Fri, 05 Dec 2003 15:02:53 +0000, Peter wrote:

>
> "Martin Gallagher" <(E-Mail Removed)> wrote:
>
>>Otherwise, block
>>icmp echo inbound, assuming you haven't already.

>
> What would be the syntax for that?
>


You need a line in your inbound ACL on the outside interface that says:

access-list <some-number> deny icmp any any echo

See
http://www.cisco.com/en/US/products/...800a5b9a.shtml

--
Regards,
Martin