Any chance for passive FTP with this config?

Discussion in 'Cisco' started by Matthias Fischer, Jan 31, 2004.

  1. Hi Group!

    Ok, I know - this question has been asked a hundred times - I googled
    and found more than I could handle...

    But perhaps someone had *the idea* and something has changed...

    Here's a running-config for (simple) internet access - for my private
    home network - through a Cisco 1003. Since I was a total Newbie with
    Cisco's IOS, I made a few mistakes at the beginning, right now it seems
    to be ok.

    1. Could someone please take a look and tell me if there is anything I
    could optimize...?
    2. Is there *any chance* to get at least *passive ftp* working with this
    config, without changing too much? Every posting or article I found
    ended with the conclusion (more or less) that I would have to "open
    things up" more than I would like to...
    If it ends with "leave it that way, forget ftp" it's ok, I'm just asking
    if there is anything I didn't mention and could have done better.

    **********SNIP**********
    version 12.1
    no service single-slot-reload-enable
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    service hide-telnet-addresses
    !
    hostname Cisco1003
    !
    enable secret <deleted>
    !
    ip subnet-zero
    no ip source-route
    no ip domain-lookup
    !
    no ip bootp server
    isdn switch-type basic-net3
    !
    interface Ethernet0
    description connected to EthernetLAN
    ip address 192.168.100.254 255.255.255.0
    ip access-group 12 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    !
    interface BRI0
    description connected to ISP
    no ip address
    ip nat outside
    encapsulation ppp
    dialer rotary-group 1
    isdn switch-type basic-net3
    no cdp enable
    !
    interface Dialer1
    description connected to ISP
    ip address negotiated
    ip access-group filterin in
    ip access-group filterout out
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    encapsulation ppp
    no ip split-horizon
    dialer in-band
    dialer idle-timeout 59
    dialer string 123456
    dialer hold-queue 10
    load-interval 600
    dialer load-threshold 220 either
    dialer-group 1
    no cdp enable
    ppp authentication chap pap callin
    ppp chap hostname
    ppp chap password <deleted>
    ppp pap sent-username password <deleted>
    ppp multilink
    !
    router rip
    version 2
    passive-interface Dialer1
    network 192.168.100.0
    no auto-summary
    !
    ip nat inside source list 1 interface Dialer1 overload
    no ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    no ip http server
    !
    !
    ip access-list extended filterin
    deny ip 192.168.100.0 0.0.0.255 any
    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 127.0.0.0 0.255.255.255 any
    deny ip 169.254.0.0 0.0.255.255 any
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any
    deny ip 192.0.2.0 0.0.0.255 any
    deny ip 224.0.0.0 15.255.255.255 any
    deny ip 224.0.0.0 31.255.255.255 any
    deny ip 0.0.0.0 0.255.255.255 any
    deny ip host 0.0.0.0 any
    deny icmp any any redirect
    permit icmp any any
    evaluate packets
    ip access-list extended filterout
    ! 20 deactivated...
    permit tcp any any eq 21 reflect packets
    permit tcp any any eq 22 reflect packets
    permit tcp any any eq smtp reflect packets
    permit tcp any any eq domain reflect packets
    permit tcp any any eq www reflect packets
    permit tcp any any eq pop3 reflect packets
    permit tcp any any eq nntp reflect packets
    permit tcp any any eq 143 reflect packets
    permit tcp any any eq 443 reflect packets
    permit udp any any eq domain reflect packets
    deny icmp any any time-exceeded
    permit icmp any any reflect packets
    evaluate packets
    access-list 1 permit 192.168.100.0 0.0.0.255
    ! some hosts I have to block
    access-list 12 deny 192.168.100.4
    access-list 12 deny 192.168.100.5
    access-list 12 deny 192.168.100.6
    access-list 12 permit 192.168.100.0 0.0.0.255
    dialer-list 1 protocol ip permit
    no cdp run
    !
    line con 0
    exec-timeout 0 0
    password <deleted>
    login
    line vty 0
    password <deleted>
    login
    transport input none
    line vty 1 4
    login
    transport input none
    !
    end
    **********SNAP**********

    Thanks in advance!


    Matthias
    Matthias Fischer, Jan 31, 2004
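
Added example, not part of the original post: a small Python model of the posted `filterout`/`filterin` reflexive ACL pair walking a passive FTP session. It shows that the control connection to port 21 is reflected back in, while the data connection to the server's PASV port hits the implicit deny. The addresses, source ports and PASV reply are constructed, and the model covers only the TCP permit/reflect/evaluate lines, not NAT or the anti-spoofing denies.

```python
import re

# TCP destination ports that the posted "filterout" ACL permits with
# "reflect packets" (names resolved: smtp=25, domain=53, www=80, pop3=110, nntp=119).
FILTEROUT_TCP = {21, 22, 25, 53, 80, 110, 119, 143, 443}

class ReflexiveFilter:
    """Toy model: filterout (permit ... reflect) plus filterin (evaluate)."""
    def __init__(self, allowed_dports):
        self.allowed = set(allowed_dports)
        self.reflected = set()          # temporary mirror-image entries

    def outbound(self, src, sport, dst, dport):
        if dport not in self.allowed:
            return False                # implicit deny at the end of filterout
        self.reflected.add((dst, dport, src, sport))
        return True

    def inbound(self, src, sport, dst, dport):
        # "evaluate packets": only traffic mirroring a reflected flow gets in
        return (src, sport, dst, dport) in self.reflected

def parse_pasv(reply):
    """Return (ip, port) from a '227 ... (h1,h2,h3,h4,p1,p2)' reply."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a PASV reply")
    n = [int(x) for x in m.groups()]
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]

def passive_ftp_session(fw, client, server, pasv_reply):
    """Walk control + data connection of one passive FTP transfer."""
    result = {"control_out": fw.outbound(client, 40000, server, 21),
              "control_in": fw.inbound(server, 21, client, 40000)}
    ip, port = parse_pasv(pasv_reply)   # server names its data port
    result["data_port"] = port
    result["data_out"] = fw.outbound(client, 40001, ip, port)
    return result

# Constructed sample values (documentation address ranges).
CLIENT, SERVER = "203.0.113.10", "198.51.100.20"
PASV = "227 Entering Passive Mode (198,51,100,20,195,80)"

if __name__ == "__main__":
    print(passive_ftp_session(ReflexiveFilter(FILTEROUT_TCP), CLIENT, SERVER, PASV))
    # The "open things up" variant: also permit every unprivileged port outbound.
    wide = ReflexiveFilter(FILTEROUT_TCP | set(range(1024, 65536)))
    print(passive_ftp_session(wide, CLIENT, SERVER, PASV))
```

The second run shows the trade-off the post describes: passive data connections only pass once outbound TCP to all ports above 1023 is permitted and reflected.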