FTP problem - urgent help

Discussion in 'Cisco' started by Yepp, Nov 1, 2003.

  1. Yepp

    Yepp Guest

    Hi,

    I'm setting up a ftp server on my LAN, running wu-2.6 (comes with
    RH7.1), this box is behind a Cisco 1720, static NATed, running IOS
    firewall. I've tested the connection with FTP client, FTP command
    comes with Windows, they're all fine & working properly.

    However, when I used IE to browse the FTP server, I got the error msg
    below after I typed my username & pwd. But when I clicked the 'Refresh'
    button in IE, I could get access to the ftp server.

    'Windows cannot access the folder, make sure you typed the
    filename correctly and you have permission. The connection with server
    was reset'

    If I browse it from my LAN workstation, the error msg doesn't come
    up. Not sure if the problem is related to my router ACL or inspect
    command. Here's the router configuration. Pls help!

    ip inspect name s0-inspect-out ftp
    ip inspect name s0-inspect-out tcp
    ip inspect name s0-inspect-out udp
    ip inspect name f0-inspect-out tcp
    ip inspect name f0-inspect-out ftp
    ip inspect name f0-inspect-out udp

    interface FastEthernet0
    description Inside Interface
    ip access-group fe-in in
    ip inspect f0-inspect-out out

    interface Serial0
    description ISP Interface
    ip access-group s0-in in
    ip inspect s0-inspect-out out

    ip access-list extended fe-in
    permit tcp 10.10.0.0 0.0.255.255 any eq ftp-data
    permit tcp 10.10.0.0 0.0.255.255 any eq ftp

    ip access-list extended s0-in
    permit tcp any host 200.10.10.1 eq ftp
     
    Yepp, Nov 1, 2003
    #1

  2. Yepp

    Andre Beck Guest


    Ehem - are you really sure you want to plug *this* version of WU into the
    Internet?
    Sounds like some silly Windows issue. But maybe IE first tries to
    establish passive FTP and later falls back to active FTP. Then again,
    from an application layer inspection point of view, this should not
    make any difference.
    Hmm. I know this from somewhere.
    Ah, hell. That looks like the stuff that some of these Windows based
    Cisco configuration tools produce, I forgot the name. I really
    recommend changing this into something like

    int s0
    ip access-group internet-in in
    ip access-group internet-out out
    ip inspect incoming in
    ip inspect outgoing out

    unless you *actually* need CBAC on the fa0 inside interface. ACLs and
    inspectors stay essentially the same, they are just renamed and applied
    to the one interface that really requires them - the outside one.
    The ftp-data here is likely to be superfluous. If there is any need to
    pass ftp-data, the ftp inspector would have noticed it by inspection of the
    FTP control connection and would have prepended permit rules to that
    ACL with the exact IPs and ports. You could verify this with a "show
    access-lists" command; the rule should not have counted up any packets.
    The setup looks normal, despite being distributed over two interfaces. It
    should pass any FTP the inspector can recognize in either direction,
    be it active or passive.
     
    Andre Beck, Nov 1, 2003
    #2
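The reply above describes two things worth seeing in code: how an FTP-aware inspector reads PORT commands and 227 (passive) replies on the control channel to derive the exact data-channel permit entries it needs, and how the hit counters in "show access-lists" reveal whether a hand-written ftp-data rule is ever matched. The following Python is an added illustration, not code from either poster or from Cisco: the control-channel lines and the "show access-lists" output are constructed samples (the poster's server address 200.10.10.1 is reused; the outside client 198.51.100.7, the ports, and the exact layout of the dynamic entries are assumptions, the real IOS output differs in detail).

```python
import re
from dataclasses import dataclass

# Constructed sample: control-channel lines of one FTP session between an
# outside client (198.51.100.7) and the poster's server (200.10.10.1, tcp/21).
CLIENT_IP, SERVER_IP = "198.51.100.7", "200.10.10.1"
SAMPLE_CONTROL_CHANNEL = [
    ("client", "USER anonymous"),
    ("server", "331 Guest login ok, send your e-mail address as password."),
    ("client", "PORT 198,51,100,7,4,1"),                       # active mode
    ("server", "200 PORT command successful."),
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (200,10,10,1,195,80)"),  # passive mode
]

# Constructed sample of "show access-lists" output (layout approximated).
SAMPLE_SHOW_ACCESS_LISTS = """\
Extended IP access list fe-in
    10 permit tcp 10.10.0.0 0.0.255.255 any eq ftp-data
    20 permit tcp 10.10.0.0 0.0.255.255 any eq ftp (318 matches)
Extended IP access list s0-in
    permit tcp host 198.51.100.7 host 200.10.10.1 eq 50000 (12 matches)
    10 permit tcp any host 200.10.10.1 eq ftp (57 matches)
"""

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_MATCHES = re.compile(r"\((\d+) match(?:es)?\)")


@dataclass(frozen=True)
class Pinhole:
    src_ip: str
    src_port: str   # "any" or a port number as text
    dst_ip: str
    dst_port: int
    mode: str       # "active" or "passive"

    def to_ace(self):
        """Render as the extended-ACL entry an inspector would prepend."""
        src = f"host {self.src_ip}" + ("" if self.src_port == "any" else f" eq {self.src_port}")
        return f"permit tcp {src} host {self.dst_ip} eq {self.dst_port}"


def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 reply."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    a, b, c, d, p_hi, p_lo = (int(x) for x in m.groups())
    if any(v > 255 for v in (a, b, c, d, p_hi, p_lo)):
        return None
    return f"{a}.{b}.{c}.{d}", p_hi * 256 + p_lo


def derive_pinholes(exchange, client_ip, server_ip):
    """Return the data-channel entries an FTP inspector derives from the control channel."""
    holes = []
    for sender, line in exchange:
        if sender == "client" and line.upper().startswith("PORT "):
            hp = parse_hostport(line)
            if hp is None or hp[0] != client_ip:
                continue  # malformed, or advertises a third-party address: do not open a hole
            # Active mode: the server connects from tcp/20 to the client's advertised port
            holes.append(Pinhole(server_ip, "20", hp[0], hp[1], "active"))
        elif sender == "server" and line.startswith("227"):
            hp = parse_hostport(line)
            if hp is None or hp[0] != server_ip:
                continue
            # Passive mode: the client connects from an ephemeral port to the advertised server port
            holes.append(Pinhole(client_ip, "any", hp[0], hp[1], "passive"))
    return holes


def ace_hit_counts(show_output):
    """Map (acl name, entry text) -> match count from "show access-lists" output."""
    counts, current = {}, None
    for raw in show_output.splitlines():
        header = re.match(r"Extended IP access list (\S+)", raw)
        if header:
            current = header.group(1)
            continue
        line = raw.strip()
        if not line or current is None:
            continue
        hits = _MATCHES.search(line)
        entry = re.sub(r"^\d+\s+", "", _MATCHES.sub("", line).strip())  # drop seq number
        counts[(current, entry)] = int(hits.group(1)) if hits else 0
    return counts


def unused_aces(counts):
    """Entries that never matched a packet: candidates for removal."""
    return sorted(key for key, n in counts.items() if n == 0)


if __name__ == "__main__":
    for hole in derive_pinholes(SAMPLE_CONTROL_CHANNEL, CLIENT_IP, SERVER_IP):
        print(f"{hole.mode:8s} {hole.to_ace()}")
    for acl, entry in unused_aces(ace_hit_counts(SAMPLE_SHOW_ACCESS_LISTS)):
        print(f"never matched in {acl}: {entry}")
```

Run against the samples, the static ftp-data entry in fe-in is the only entry with zero matches, which is exactly the check the reply suggests; the inspector-derived entries, by contrast, carry the specific client and server addresses and the port negotiated on the control channel.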