How to redirect ftp port for inbound traffic?

 
 
thomas
08-21-2006
Hi everybody.
I am a Cisco newbie trying to configure NAT so any inbound ftp traffic gets
redirected to a designated internal host.
I thought it should be very simple to do in SDM but I cannot get it working.
My WAN interface has an ISP dynamically assigned IP address.
It is probably the most common scenario but I found no example in the SDM
2.3.2 User's Guide.
Could someone help?
Thank you,
Tomasz


 
Robert Langdon
08-23-2006
Hi Tomasz,

I am not dealing with SDM but you can do it easily by the command line:

ip nat inside source static tcp <LAN-IP> 21 interface <Dialer to your ISP> 21
ip nat inside source static tcp <LAN-IP> 20 interface <Dialer to your ISP> 20

Cheers,

Robert
 
thomas
08-29-2006

Hi Rob,

Just one more thing: how do I enable ftp on the firewall?
Here is what I have been trying - these are my first two rules:

access-list 102 permit tcp any eq ftp host <int_host_ip> eq ftp
access-list 102 permit tcp any eq ftp-data host <int_host_ip> eq ftp-data

but it does not work. Am I missing something?
Rule 102 is applied to the dialer0 interface: ip access-group 102 in

Tomasz


 
Igor Mamuzic
08-29-2006
Thomas,

If you want to allow access on your FTP server from the Internet you should
allow traffic on TCP:21 and TCP:20 from any Internet host onto your FTP host
public ip address. This ACL should be applied in your case onto dialer
interface (inbound direction).

Best regards,
Igor



thomas
08-30-2006
Hi Igor,

My configuration, attached below, is as you suggest but it does not work.
Any suggestions?
Please advise.

Tomasz

interface Dialer0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect SDM_MEDIUM out
ip nat outside
ip virtual-reassembly
ip route-cache flow
dialer pool 1
no cdp enable
!
ip nat inside source list 110 interface Dialer0 overload
ip nat inside source static tcp <ftp_host_ip> 21 interface Dialer0 21
ip nat inside source static tcp <ftp_host_ip> 20 interface Dialer0 20
!
access-list 102 permit tcp any eq ftp host <ftp_host_ip> eq ftp
access-list 102 permit tcp any eq ftp-data host <ftp_host_ip> eq ftp-data
access-list 110 permit ip 192.168.2.0 0.0.0.255 any


Bod43@hotmail.co.uk
08-30-2006


access-list 102 permit tcp any host <int_host_ip> eq ftp
access-list 102 permit tcp any host <int_host_ip> eq ftp-data

I guess that this is what you want.

The ftp clients will choose their source ports arbitrarily
and will I believe always be > 1023 so I guess

access-list 102 permit tcp any gt 1023 host <int_host_ip> eq ftp
access-list 102 permit tcp any gt 1023 host <int_host_ip> eq ftp-data

is better?

Note that I think that this will only work with "passive" ftp,
which is mostly what people do nowadays anyway I think.

Using inspect inbound MAY allow non-passive (active?)
ftp to work. Don't know.

 
thomas
09-02-2006

I tried but it did not work.
Thank you,
Tomasz
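The ACLs in this thread fail for a reason Igor's reply hints at: on a NAT-outside interface IOS evaluates the inbound ACL before the static translation, so the packet it checks is still addressed to the public Dialer0 address and an entry whose destination is <ftp_host_ip> cannot match (with a dynamically assigned address, `any` as the destination is what matches). The Python model of that ordering below is an added example, not code from any poster; the addresses are constructed placeholders.

```python
# Added example (not from the thread): models the IOS order of operations on a
# NAT-outside interface. The inbound ACL is evaluated on the packet as received,
# before "ip nat inside source static" rewrites the destination, so the ACL
# sees the public Dialer0 address rather than <ftp_host_ip>.
from collections import namedtuple

PUBLIC_IP = "203.0.113.10"   # constructed: address the ISP assigned to Dialer0
FTP_HOST = "192.168.2.50"    # constructed stand-in for <ftp_host_ip>
PORTS = {"ftp": 21, "ftp-data": 20}
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")

def parse_ace(line):
    """Parse 'access-list N permit tcp <src> [eq|gt P] <dst> [eq|gt P]' where
    an address is 'any' or 'host A.B.C.D' (wildcard masks are not modelled)."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2:4] != ["permit", "tcp"]:
        raise ValueError("only 'permit tcp' entries are modelled")
    pos, fields = 4, []
    for _ in range(2):                  # source spec, then destination spec
        if tok[pos] == "any":
            addr, pos = None, pos + 1
        else:                           # 'host A.B.C.D'
            addr, pos = tok[pos + 1], pos + 2
        cond = None
        if pos < len(tok) and tok[pos] in ("eq", "gt"):
            cond = (tok[pos], int(PORTS.get(tok[pos + 1], tok[pos + 1])))
            pos += 2
        fields += [addr, cond]
    return tuple(fields)                # (src, src_cond, dst, dst_cond)

def _port_ok(cond, value):
    return cond is None or (value == cond[1] if cond[0] == "eq" else value > cond[1])

def ace_matches(ace, pkt):
    src, sport, dst, dport = ace
    return (src in (None, pkt.src_ip) and _port_ok(sport, pkt.src_port)
            and dst in (None, pkt.dst_ip) and _port_ok(dport, pkt.dst_port))

def deliver(acl_lines, pkt):
    """Inbound ACL first (implicit deny at the end), then the static port
    translation. Returns the host the packet reaches, or None if dropped."""
    if not any(ace_matches(parse_ace(l), pkt) for l in acl_lines):
        return None
    if pkt.dst_ip == PUBLIC_IP and pkt.dst_port in (20, 21):
        return FTP_HOST   # ip nat inside source static tcp <ftp_host_ip> 21 interface Dialer0 21
    return pkt.dst_ip
```

Feeding the same control-connection SYN through the thread's original entry, Bod43's version and an entry whose destination is the public address shows that only the last one reaches the FTP host.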


 