Configure 1801 for FTP connections over Internet

Status
Not open for further replies.

MrOyvind

Technical User
Aug 10, 2007
99
NO
I have a locally working IIS FTP server but I cannot access it over the Internet.
I have tried the configuration shown in Cisco cookbook 2nd Edition under contents about access lists but it didn't work.
I do not have the IOS image with firewall and no other firewalls.
I'm connected to the Internet over fiber with DHCP.
Someone with config examples?
Thanks
 
Let's say your outgoing interface is G0/0, and the private IP address of the FTP server is 192.168.3.3, using port 21...
router>en
router#conf t
router(config)#ip nat inside source static tcp 192.168.3.3 21 int g0/0 21

Hope this helps.

Burt
 
Thanks Burtsbees

I have used the exact method you describe to open other ports but it does not work for my FTP.
Don't know what's wrong.
I'm using no-ip.org for hosting but I can't access with my public IP either.
It worked when I used a Dlink router and I think my IIS settings are equal.
 


Can you ftp within your LAN network? Maybe the PC firewall is blocking it.

KC
 
Port test displays port 21 and 20 as open over my public IP.
FTP works inside my private network too.
Something else that should be done in the router config?
 
Please post your FTP server LAN address, and the router interface connected to the internet.

Burt
 
Do you have any access-lists configured on the router? Did you clear the nat translations on the router?

On the Ftp server, open a web browser and go to and do a Shieldsup scan and see if ftp is open.
 
Yes---please post a config. That would help a lot.
Good call, Brian.

Burt
 
Hi, here's my current config. 192.168.1.2 is my laptop and
192.168.1.4 is the computer hosting FTP.
They are both in default Vlan1.
It's an 8 port switch on this router.
Fe0 is connected to the Internet and receives a DHCP address from
my ISP.
Port 20 and is open and I cleared IP NAT Trans without success.

Thanks


Only MrOyvind will access

User Access Verification

Password:
mroyvind>en
Password:
mroyvind#sh ru
Building configuration...

Current configuration : 3519 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname mroyvind
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$j81K$.RtZdu4TKneyGj/4n1PBf0
!
no aaa new-model
!
resource policy
!
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.5
ip dhcp excluded-address 192.168.1.3
ip dhcp excluded-address 192.168.1.2
ip dhcp excluded-address 192.168.1.4
ip dhcp excluded-address 192.168.1.6
!
ip dhcp pool 192.168.1.0\24
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
netbios-name-server 192.168.1.1
dns-server 81.167.36.3 81.167.36.11
!
ip dhcp pool 192.168.2.0\24
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
netbios-name-server 192.168.2.1
!
ip dhcp pool 192.168.3.0\24
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
netbios-name-server 192.168.3.1
!
!
ip host mroyvind 81.167.x.x 192.168.1.1
!
!
track 1 ip route 81.167.x.x 255.255.255.0 reachability
!
!
!
interface FastEthernet0
ip address dhcp
ip nat outside
duplex auto
speed auto
ntp broadcast client
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
switchport access vlan 2
vlan-id dot1q 2
exit-vlan-config
!
!
interface FastEthernet6
switchport access vlan 2
!
interface FastEthernet7
switchport access vlan 3
!
interface FastEthernet8
switchport access vlan 3
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
no routing dynamic
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
ip helper-address 192.168.3.1
ip nat inside
no routing dynamic
!
interface Vlan3
ip address 192.168.3.1 255.255.255.0
ip helper-address 192.168.2.1
ip nat inside
no routing dynamic
!
no ip forward-protocol udp
ip route 0.0.0.0 0.0.0.0 81.167.x.x permanent
ip dns server
ip dns primary ns1isp.mro.lyse.net soa ns2isp.ulh.lyse.net dns@lyse.net 21600 900 7776000 86400
!
ip http server
ip nat pool patpool 81.167.x.x 81.167.x.x netmask 255.255.255.0
ip nat inside source list 1 pool patpool overload
ip nat inside source list 2 pool patpool overload
ip nat inside source list 3 pool patpool overload
ip nat inside source static tcp 192.168.1.2 60002 interface FastEthernet0 60002
ip nat inside source static tcp 192.168.1.4 60000 interface FastEthernet0 60000
ip nat inside source static tcp 192.168.1.4 21 interface FastEthernet0 21
ip nat inside source static tcp 192.168.1.4 20 interface FastEthernet0 20
ip nat inside source static tcp 192.168.1.2 6891 interface FastEthernet0 6891
ip nat inside source static tcp 192.168.1.2 6901 interface FastEthernet0 6901
ip nat inside source static tcp 192.168.1.2 5190 interface FastEthernet0 5190
ip nat inside source static tcp 192.168.1.2 1863 interface FastEthernet0 1863
ip nat inside source static tcp 192.168.1.4 3389 interface FastEthernet0 3389
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.3.0 0.0.0.255
!
control-plane
!
banner login ^C Only MrOyvind will access ^C
!
line con 0
exec-timeout 0 0
password 7 094F471A1A0A
login
line aux 0
line vty 0 4
exec-timeout 0 0
password 7 004B5C490B5D08091A335F4B46564A
no vacant-message
login
!
end

mroyvind#
 
Not sure---try doing this...
router(config)#no ip nat inside source static tcp 192.168.1.4 3389 interface FastEthernet0 3389

and then see if you can ftp to it. Also, I am not sure you need this...
ip nat inside source static tcp 192.168.1.4 20 interface FastEthernet0 20

I can't remember, but it may be that once a tcp port is statically mapped to an IP via NAT, that's what it does.

Are you able to RDC from the outside to the FTP server?

Burt
 
Hi
I can RDP outside and inside.
I just opened 3389 so I don't think it interacts with FTP ports but I will check it out.
IIS (Internet Information Services) was unstable yesterday, I will try to reinstall it later.

Thanks

Oyvind
 
Wait---once a port is mapped, that port cannot be associated with another IP address. I had it backwards...I remember having 2 FTP servers (one Windows and one UNIX) on my home network, and I used 21 for the Windows box, and had to use 2121 for the UNIX box.

Burt
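
An added example, not part of the original posts or of any Cisco tooling: a small Python check over the `ip nat` and `access-list` lines of the configuration posted above. It lists each Internet-facing static forward, flags an outside port mapped to more than one inside host (the rule Burt describes), and flags NAT rules that reference an access list the config never defines, as `list 3` does in the posted config. The 192.168.1.5 entry is hypothetical, added to exercise the conflict check, and only numbered ACLs are handled.

```python
import re
from collections import defaultdict

# Constructed excerpt: NAT and ACL lines copied from the configuration posted
# in this thread, plus one hypothetical planned entry (192.168.1.5) added to
# exercise the duplicate-port check.
SAMPLE = """\
ip nat inside source list 1 pool patpool overload
ip nat inside source list 2 pool patpool overload
ip nat inside source list 3 pool patpool overload
ip nat inside source static tcp 192.168.1.4 21 interface FastEthernet0 21
ip nat inside source static tcp 192.168.1.4 20 interface FastEthernet0 20
ip nat inside source static tcp 192.168.1.4 3389 interface FastEthernet0 3389
ip nat inside source static tcp 192.168.1.5 21 interface FastEthernet0 21
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.3.0 0.0.0.255
"""

STATIC = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) "
                    r"interface (\S+) (\d+)$")
DYNAMIC = re.compile(r"^ip nat inside source list (\S+) ")
ACL = re.compile(r"^access-list (\S+) ")  # numbered ACLs only (assumption)

def audit_nat(config):
    """Return (forwards, conflicts, undefined_acls) for an IOS config text."""
    forwards = defaultdict(list)  # (proto, iface, outside port) -> inside targets
    used, defined = set(), set()
    for line in map(str.strip, config.splitlines()):
        if m := STATIC.match(line):
            proto, host, in_port, iface, out_port = m.groups()
            forwards[(proto, iface, int(out_port))].append((host, int(in_port)))
        elif m := DYNAMIC.match(line):
            used.add(m.group(1))
        elif m := ACL.match(line):
            defined.add(m.group(1))
    # An outside port can be forwarded to only one inside host.
    conflicts = {k: v for k, v in forwards.items() if len({h for h, _ in v}) > 1}
    return dict(forwards), conflicts, sorted(used - defined)

if __name__ == "__main__":
    forwards, conflicts, undefined = audit_nat(SAMPLE)
    for (proto, iface, port), targets in sorted(forwards.items()):
        print(f"{iface} {proto}/{port} -> {targets}")
    print("conflicting outside ports:", conflicts)
    print("NAT rules referencing undefined ACLs:", undefined)
```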
 
If your RDP connection is working and your FTP connection isn't, then check your IIS and Windows firewall settings.

Your NAT statements are correct.
21 for FTP connection and 20 for FTP data.

 
Hi, I will test out a reinstall of IIS.
My desktop is not good at the moment and my experience with IIS is that it just suddenly works, and when it works it really works. Some stops, starts, reboots and voila.
Just my experience?
I use the Utorrent portchecker and it shows 20 and 21 as open, isn't that an indication that the firewall is open and accepts FTP?


Thanks

Oyvind
 