Hi,
I've been fighting with my new Cisco 837 to get inbound connections working on my fixed IP ADSL link with very limited success. Outbound internet access is working fine. It's got a few people stumped and I need to get this working as soon as possible, so if any of you guys can offer any sort of advice it would be gratefully received!
I have posted my config below, but first I can give you some information about my LAN: this router is a secondary router on the LAN and will be used for such things as a backup internet connection and inbound FTP handling, and maybe to serve some basic static websites in the future.
The FTP server in the background is set to have this router's IP as its default gateway on the LAN, so there shouldn't be a problem. I had FTP working (of sorts): I managed to get a connection in and log in, but when I do a get command it just hangs there and times out. The netstat command on the FTP box shows port 21 as established and port 20 as established, but the latter later turns to time_wait and close_wait. I have tried Windows and Linux servers as the backend FTP server; both do the same when I try to connect from the outside.
Config:
Building configuration...
Current configuration : 5173 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname C837
!
boot-start-marker
boot-end-marker
!
memory-size iomem 15
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxx
!
username xxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxx
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip domain name xxxxxxxxxxx
ip name-server 192.168.111.x
ip name-server 192.168.111.x
!
!
no ip bootp server
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp alert on audit-trail on
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tcp alert on audit-trail on
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
no crypto isakmp enable
!
!
!
!
interface Ethernet0
description $FW_INSIDE$$ETH-LAN$$INTF-INFO-Ethernet 10/100$
ip address 192.168.111.xx 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
ip tcp adjust-mss 1452
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode itu-dmt
!
interface ATM0.1 point-to-point
pvc 0/38
pppoe-client dial-pool-number 1
!
!
interface Dialer0
description $FW_OUTSIDE$
ip address xx.xx.xx.xx xx.xx.xx.xx
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip inspect DEFAULT100 in
ip inspect DEFAULT100 out
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ppp pap sent-username xxxxxxxxxxxxxxxxxxxxxxxxxx password 7 xxxxxxxxxxxxxxxxxx
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.111.8 20 xx.xx.xx.xx 20 extendable
ip nat inside source static tcp 192.168.111.8 21 xx.xx.xx.xx 21 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.111.0 255.255.255.0 Ethernet0
ip http server
ip http authentication local
ip http secure-server
!
!
logging trap debugging
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.111.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp any host 192.168.111.8 eq ftp-data log
access-list 100 permit tcp any host 192.168.111.8 eq ftp log
access-list 100 deny ip xx.xx.xx.xx 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny tcp any host xx.xx.xx.xx eq
access-list 101 deny ip 192.168.111.0 0.0.0.255 any
access-list 101 permit tcp any host xx.xx.xx.xx eq ftp log
access-list 101 permit tcp any host xx.xx.xx.xx eq ftp-data log
access-list 101 permit icmp any host xx.xx.xx.xx echo-reply
access-list 101 permit icmp any host xx.xx.xx.xx time-exceeded
access-list 101 permit icmp any host xx.xx.xx.xx unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport preferred all
transport output telnet
line aux 0
login local
transport preferred all
transport output telnet
line vty 0 4
privilege level 15
login local
transport preferred all
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
scheduler interval 500
!
end
Thanks in advance!
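The post describes the control connection on port 21 succeeding and the transfer itself hanging, which is the point where FTP opens its second, negotiated data connection. As an added example (this is not the poster's code and not anything from Cisco), here is a small Python model of how that data channel is negotiated per RFC 959, in active mode (client sends PORT, server connects out from port 20) and passive mode (server answers 227, client connects in to the advertised address and port), checked against the two port-level static NAT entries in the posted config. The public address 203.0.113.10 stands in for the masked xx.xx.xx.xx and 198.51.100.7 for an outside client; both are constructed documentation addresses, and 192.168.111.8 is the FTP server from the post.

```python
"""Model of FTP data-channel negotiation (RFC 959 PORT command and 227 reply)
checked against the port-level static NAT entries from the posted Cisco 837
config. Added example, not from the original post. Addresses are constructed
(RFC 5737 documentation ranges) except 192.168.111.8, the FTP server in the post.
"""
import re
from typing import Tuple

# Constructed stand-in for the masked public IP ("xx.xx.xx.xx") on Dialer0.
PUBLIC_IP = "203.0.113.10"
FTP_SERVER = "192.168.111.8"

# The two static translations from the post:
#   ip nat inside source static tcp 192.168.111.8 20 xx.xx.xx.xx 20 extendable
#   ip nat inside source static tcp 192.168.111.8 21 xx.xx.xx.xx 21 extendable
# as (inside_ip, inside_port, outside_ip, outside_port).
STATIC_NAT = [
    (FTP_SERVER, 20, PUBLIC_IP, 20),
    (FTP_SERVER, 21, PUBLIC_IP, 21),
]

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text: str) -> Tuple[str, int]:
    """Parse the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 reply."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in %r" % text)
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return ip, port


def data_flow(mode: str, client_ip: str, client_port: int, control_line: str):
    """Return (src_ip, src_port, dst_ip, dst_port, direction) for the data
    connection that follows the given control-channel line, as seen from the
    server's LAN (direction is relative to the NAT inside)."""
    ip, port = parse_hostport(control_line)
    if mode == "active":
        # Client sent PORT; the server connects OUT from port 20 to that address.
        return FTP_SERVER, 20, ip, port, "outbound"
    if mode == "passive":
        # Server answered 227; the client connects IN to the advertised address.
        return client_ip, client_port, ip, port, "inbound"
    raise ValueError("mode must be 'active' or 'passive'")


def static_nat_covers(flow) -> bool:
    """True if one of the static port entries matches this flow on its own.
    Anything else (notably a passive data port) depends on the dynamic entry
    that FTP inspection / the NAT ALG creates, not on the static config."""
    src_ip, src_port, dst_ip, dst_port, direction = flow
    for in_ip, in_port, out_ip, out_port in STATIC_NAT:
        if direction == "outbound" and (src_ip, src_port) == (in_ip, in_port):
            return True
        if direction == "inbound" and (dst_ip, dst_port) == (out_ip, out_port):
            return True
    return False


def rewrite_pasv_reply(reply: str, public_ip: str) -> str:
    """What an FTP ALG must do to a 227 reply from a NAT'd server: replace the
    private address with the public one, keeping the two port bytes."""
    _ip, port = parse_hostport(reply)
    new = ",".join(public_ip.split(".") + [str(port // 256), str(port % 256)])
    return _HOSTPORT.sub(new, reply, count=1)


if __name__ == "__main__":
    client = "198.51.100.7"
    active = data_flow("active", client, 40000, "PORT 198,51,100,7,156,64")
    print("active  :", active, "static NAT covers:", static_nat_covers(active))
    pasv = "227 Entering Passive Mode (192,168,111,8,195,80)"
    passive = data_flow("passive", client, 40001, pasv)
    print("passive :", passive, "static NAT covers:", static_nat_covers(passive))
    print("ALG-rewritten 227:", rewrite_pasv_reply(pasv, PUBLIC_IP))
```

Run as a script it shows that the active-mode data connection leaves from 192.168.111.8:20 and is matched by the port-20 static entry, while the passive-mode data connection is aimed at whatever address and port the server put in its 227 reply: a private address unless an ALG rewrites it, and a port for which no static entry exists either way, so it can only succeed through the dynamic translation and inspection pinhole. Checking which mode the outside client is using is therefore the first thing to confirm against the `ip inspect` audit-trail output the posted config already enables for FTP.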