How to redirect ftp port for inbound traffic?

Discussion in 'Cisco' started by thomas, Aug 21, 2006.

  1. thomas

    thomas Guest

    Hi everybody.
    I am a Cisco newbie trying to configure NAT so any inbound FTP traffic gets
    redirected to a designated internal host.
    I thought it should be very simple to do in SDM but I cannot get it working.
    My WAN interface has an ISP dynamically assigned IP address.
    It is probably the most common scenario but I found no example in the SDM
    2.3.2 User's Guide.
    Could someone help?
    Thank you,
    Tomasz
     
    thomas, Aug 21, 2006
    #1

  2. In article <IIcGg.2830$>,
    "thomas" <> wrote:

    > Hi everybody.
    > I am a Cisco newbie trying to configure NAT so any inbound FTP traffic gets
    > redirected to a designated internal host.
    > I thought it should be very simple to do in SDM but I cannot get it working.
    > My WAN interface has an ISP dynamically assigned IP address.
    > It is probably the most common scenario but I found no example in the SDM
    > 2.3.2 User's Guide.
    > Could someone help?
    > Thank you,
    > Tomasz


    Hi Tomasz,

    I am not dealing with SDM but you can do it easily by the command line:

    ip nat inside source static tcp <LAN-IP> 21 interface <Dialer to your ISP> 21
    ip nat inside source static tcp <LAN-IP> 20 interface <Dialer to your ISP> 20

    Cheers,

    Robert
     
    Robert Langdon, Aug 23, 2006
    #2

  3. thomas

    thomas Guest

    "Robert Langdon" <> wrote in message
    news:...
    >
    > Hi Tomasz,
    >
    > I am not dealing with SDM but you can do it easily by the command line:
    >
    > ip nat inside source static tcp <LAN-IP> 21 interface <Dialer to your ISP> 21
    > ip nat inside source static tcp <LAN-IP> 20 interface <Dialer to your ISP> 20
    >
    > Cheers,
    >
    > Robert


    Hi Rob,

    Just one more thing: how do I enable ftp on the firewall?
    Here is what I have been trying - these are my first two rules:

    access-list 102 permit tcp any eq ftp host <int_host_ip> eq ftp
    access-list 102 permit tcp any eq ftp-data host <int_host_ip> eq ftp-data

    but it does not work. Am I missing something?
    Rule 102 is applied to the dialer0 interface: ip access-group 102 in

    Tomasz
     
    thomas, Aug 29, 2006
    #3
  4. Igor Mamuzic

    Igor Mamuzic Guest

    Thomas,

    If you want to allow access to your FTP server from the Internet you should
    allow traffic on TCP:21 and TCP:20 from any Internet host to your FTP host's
    public IP address. In your case this ACL should be applied to the dialer
    interface (inbound direction).

    Best regards,
    Igor



    "thomas" <> wrote in message
    news:i6RIg.3690$...
    >
    >
    > Hi Rob,
    >
    > Just one more thing: how do I enable ftp on the firewall?
    > Here is what I have been trying - these are my first two rules:
    >
    > access-list 102 permit tcp any eq ftp host <int_host_ip> eq ftp
    > access-list 102 permit tcp any eq ftp-data host <int_host_ip> eq ftp-data
    >
    > but it does not work. Am I missing something?
    > Rule 102 is applied to the dialer0 interface: ip access-group 102 in
    >
    > Tomasz
    >
     
    Igor Mamuzic, Aug 29, 2006
    #4
  5. thomas

    thomas Guest

    Hi Igor,

    My configuration, attached below, is as you suggest but it does not work.
    Any suggestions?
    Please advise.

    Tomasz

    interface Dialer0
    ip access-group 102 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip inspect SDM_MEDIUM out
    ip nat outside
    ip virtual-reassembly
    ip route-cache flow
    dialer pool 1
    no cdp enable
    !
    ip nat inside source list 110 interface Dialer0 overload
    ip nat inside source static tcp <ftp_host_ip> 21 interface Dialer0 21
    ip nat inside source static tcp <ftp_host_ip> 20 interface Dialer0 20
    !
    access-list 102 permit tcp any eq ftp host <ftp_host_ip> eq ftp
    access-list 102 permit tcp any eq ftp-data host <ftp_host_ip> eq ftp-data
    access-list 110 permit ip 192.168.2.0 0.0.0.255 any


    "Igor Mamuzic" <> wrote in message
    news:ed0rmf$p2g$...
    > Thomas,
    >
    > If you want to allow access to your FTP server from the Internet you
    > should allow traffic on TCP:21 and TCP:20 from any Internet host to your
    > FTP host's public IP address. In your case this ACL should be applied to
    > the dialer interface (inbound direction).
    >
    > Best regards,
    > Igor
    >
    >
    >
     
    thomas, Aug 30, 2006
    #5
  6. (anonymous)

    Guest

    thomas wrote:
    > Hi Igor,
    >
    > My configuration, attached below, is as you suggest but it does not work.
    > Any suggestions?
    > Please advise.
    >
    > Tomasz
    >
    > interface Dialer0
    > ip access-group 102 in
    > no ip redirects
    > no ip unreachables
    > no ip proxy-arp
    > ip inspect SDM_MEDIUM out
    > ip nat outside
    > ip virtual-reassembly
    > ip route-cache flow
    > dialer pool 1
    > no cdp enable
    > !
    > ip nat inside source list 110 interface Dialer0 overload
    > ip nat inside source static tcp <ftp_host_ip> 21 interface Dialer0 21
    > ip nat inside source static tcp <ftp_host_ip> 20 interface Dialer0 20
    > !
    > access-list 102 permit tcp any eq ftp host <ftp_host_ip> eq ftp
    > access-list 102 permit tcp any eq ftp-data host <ftp_host_ip> eq ftp-data
    > access-list 110 permit ip 192.168.2.0 0.0.0.255 any
    >
    >

    access-list 102 permit tcp any host <int_host_ip> eq ftp
    access-list 102 permit tcp any host <int_host_ip> eq ftp-data

    I guess that this is what you want.

    The FTP clients will choose their source ports arbitrarily
    and, I believe, they will always be > 1023, so I guess

    access-list 102 permit tcp any gt 1023 host <int_host_ip> eq ftp
    access-list 102 permit tcp any gt 1023 host <int_host_ip> eq ftp-data

    is better?

    Note that I think that this will only work with "passive" FTP,
    which is mostly what people do nowadays anyway, I think.

    Using inspect inbound MAY allow non-passive (active?)
    FTP to work. Don't know.
     
    (anonymous), Aug 30, 2006
    #6
  7. thomas

    thomas Guest

    <> wrote in message
    news:...
    >
    >
    > access-list 102 permit tcp any host <int_host_ip> eq ftp
    > access-list 102 permit tcp any host <int_host_ip> eq ftp-data
    >
    > I guess that this is what you want.
    >
    > The FTP clients will choose their source ports arbitrarily
    > and, I believe, they will always be > 1023, so I guess
    >
    > access-list 102 permit tcp any gt 1023 host <int_host_ip> eq ftp
    > access-list 102 permit tcp any gt 1023 host <int_host_ip> eq ftp-data
    >
    > is better?
    >
    > Note that I think that this will only work with "passive" FTP,
    > which is mostly what people do nowadays anyway, I think.
    >
    > Using inspect inbound MAY allow non-passive (active?)
    > FTP to work. Don't know.
    >


    I tried but it did not work.
    Thank you,
    Tomasz
     
    thomas, Sep 2, 2006
    #7
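Editor's added example, not from any of the posters above: the configuration below is in the same form as the snippet in post #5 and shows why that snippet cannot match and what a working version looks like. Two things defeat the ACL in #5. First, "any eq ftp" on the source side demands that the client's source port be 21, and clients use an ephemeral port (the point made in #6). Second, an inbound ACL on the outside interface is evaluated before outside-to-inside NAT, so when the ACL sees the packet it still carries the public Dialer0 address as its destination, not <ftp_host_ip>; that is what Igor's "public ip address" in #4 refers to, and with a dynamically assigned address the only usable destination is "any". The inside addresses (192.168.2.10 for the FTP host, inside the 192.168.2.0/24 of list 110), the inspection rule name FTP_IN and the placement of SDM's own ACL 102 entries are assumptions for illustration.

```cisco
! Added example (not from the thread). Same form as the snippet in post #5.
! Assumptions: FTP host 192.168.2.10 in the 192.168.2.0/24 LAN of list 110,
! an inspection rule named FTP_IN, and SDM's own ACL 102 entries (not shown).
!
! Inspect FTP control sessions arriving from the Internet so that passive-mode
! data connections (client -> ephemeral port on the server) get a dynamic
! opening in ACL 102. IOS NAT's FTP ALG is relied on to rewrite the PASV reply.
ip inspect name FTP_IN ftp
!
interface Dialer0
 ip access-group 102 in
 ip inspect SDM_MEDIUM out
 ip inspect FTP_IN in
 ip nat outside
!
! Static port forwarding, as in post #2. Nothing on the Internet connects TO
! port 20: in active mode the server opens the data connection outbound from
! port 20, so the port 20 entry only fixes the source port of those sessions.
ip nat inside source static tcp 192.168.2.10 21 interface Dialer0 21
ip nat inside source static tcp 192.168.2.10 20 interface Dialer0 20
ip nat inside source list 110 interface Dialer0 overload
!
! BROKEN (post #5): 'any eq ftp' requires the client's SOURCE port to be 21,
! and 'host 192.168.2.10' names the inside address, but an inbound ACL on the
! outside interface is evaluated before outside-to-inside NAT, so the packet
! still carries the public Dialer0 address as its destination. Never matches.
!   access-list 102 permit tcp any eq ftp host 192.168.2.10 eq ftp
!   access-list 102 permit tcp any eq ftp-data host 192.168.2.10 eq ftp-data
!
! FIXED: any source port, destination 'any' because the public address is
! dynamic, destination port 21 only. New lines in a numbered ACL are appended
! after whatever is already there, so rebuild the list to place the permit
! ahead of the final deny.
no access-list 102
access-list 102 remark (SDM-generated entries kept here, ahead of the deny)
access-list 102 permit tcp any any eq ftp
access-list 102 deny   ip any any log
!
access-list 110 permit ip 192.168.2.0 0.0.0.255 any
```

To check it, run "show access-lists 102" while a client connects (the permit line should show hits), "show ip nat translations" during a transfer (the static 192.168.2.10:21 entry plus dynamic entries for the data channel) and "show ip inspect sessions". Between "no access-list 102" and the first replacement line the interface has no effective filter, because IOS permits everything when access-group points at a list that does not exist, so paste the new list as one block or do it with the dialer down. FTP carries credentials in cleartext; where the clients are known, replace the source "any" with their networks, and keep the logging deny so probes against the public address stay visible.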
