How to redirect ftp port for inbound traffic?

Hi everybody. I am a Cisco newbie trying to configure NAT so any inbound FTP traffic gets redirected to a designated internal host. I thought it should be very simple to do in SDM but I cannot get it working. My WAN interface has an ISP dynamically assigned IP address. It is probably the most common scenario but I found no example in the SDM 2.3.2 User's Guide. Could someone help? Thank you, Tomasz
thomas

Hi Tomasz,

I am not dealing with SDM, but you can do it easily from the command line:

ip nat inside source static tcp 21 interface 21
ip nat inside source static tcp 20 interface 20

Cheers,

Robert

Robert Langdon

Hi Rob,

Just one more thing: how do I enable FTP on the firewall? Here is what I have been trying; these are my first two rules:

access-list 102 permit tcp any eq ftp host eq ftp
access-list 102 permit tcp any eq ftp-data host eq ftp-data

but it does not work. Am I missing something? ACL 102 is applied to the Dialer0 interface: ip access-group 102 in

Tomasz

thomas

Thomas,

If you want to allow access to your FTP server from the Internet, you should allow traffic on TCP:21 and TCP:20 from any Internet host to your FTP host's public IP address. In your case this ACL should be applied to the dialer interface (inbound direction).

Best regards, Igor

Igor Mamuzic

Hi Igor,

My configuration, attached below, is as you suggest, but it does not work. Any suggestions? Please advise.

Tomasz

interface Dialer0
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect SDM_MEDIUM out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 dialer pool 1
 no cdp enable
!
ip nat inside source list 110 interface Dialer0 overload
ip nat inside source static tcp 21 interface Dialer0 21
ip nat inside source static tcp 20 interface Dialer0 20
!
access-list 102 permit tcp any eq ftp host eq ftp
access-list 102 permit tcp any eq ftp-data host eq ftp-data
access-list 110 permit ip 192.168.2.0 0.0.0.255 any

thomas

access-list 102 permit tcp any host eq ftp
access-list 102 permit tcp any host eq ftp-data

I guess that this is what you want.

The FTP clients will choose their source ports arbitrarily and, I believe, will always be > 1023, so I guess

access-list 102 permit tcp any gt 1023 host eq ftp
access-list 102 permit tcp any gt 1023 host eq ftp-data

is better?

Note that I think this will only work with "passive" FTP, which is mostly what people do nowadays anyway, I think.

Using inspect inbound MAY allow non-passive (active?) FTP to work. Don't know.

Bod43
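To see why the first ACL 102 never matches, here is an added Python evaluator (not from this thread or from Cisco) for the ACE shape used above, run over a constructed inbound FTP SYN. The public address 203.0.113.5 and the client address 198.51.100.7 are constructed stand-ins, since the thread does not show the host addresses.

```python
# Added example, not from the thread: evaluator for ACEs of the form
#   access-list <n> permit|deny tcp <src> [eq|gt <port>] <dst> [eq|gt <port>]
# where <src>/<dst> is "any" or "host A.B.C.D"; named ports ftp/ftp-data resolved.
NAMED_PORTS = {"ftp": 21, "ftp-data": 20}

def _port(tok):
    return NAMED_PORTS.get(tok) or int(tok)

def _addr_and_port(tokens, i):
    """Consume an address spec plus optional port operator from tokens[i]."""
    if tokens[i] == "any":
        addr, i = None, i + 1
    elif tokens[i] == "host":
        addr, i = tokens[i + 1], i + 2
    else:
        raise ValueError("unsupported address spec: " + tokens[i])
    op = None
    if i < len(tokens) and tokens[i] in ("eq", "gt"):
        op, i = (tokens[i], _port(tokens[i + 1])), i + 2
    return addr, op, i

def parse_ace(line):
    t = line.split()
    if t[0] != "access-list" or t[3] != "tcp":
        raise ValueError("only 'access-list N permit|deny tcp ...' is handled")
    src, sop, i = _addr_and_port(t, 4)
    dst, dop, _ = _addr_and_port(t, i)
    return {"action": t[2], "src": src, "sport": sop, "dst": dst, "dport": dop}

def _port_ok(op, port):
    return op is None or (port == op[1] if op[0] == "eq" else port > op[1])

def evaluate(acl, src, sport, dst, dport):
    """First matching ACE wins; every ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl):
        if (ace["src"] in (None, src) and ace["dst"] in (None, dst)
                and _port_ok(ace["sport"], sport) and _port_ok(ace["dport"], dport)):
            return ace["action"]
    return "deny"

PUBLIC_IP = "203.0.113.5"  # constructed stand-in for the Dialer0 address
ORIGINAL_ACL = [  # Tomasz's rules as posted: they pin the client's *source* port
    f"access-list 102 permit tcp any eq ftp host {PUBLIC_IP} eq ftp",
    f"access-list 102 permit tcp any eq ftp-data host {PUBLIC_IP} eq ftp-data",
]
CORRECTED_ACL = [  # Bod43's version: ephemeral client port, fixed server port
    f"access-list 102 permit tcp any gt 1023 host {PUBLIC_IP} eq ftp",
    f"access-list 102 permit tcp any gt 1023 host {PUBLIC_IP} eq ftp-data",
]

def ftp_control_syn_allowed(acl):
    """Constructed inbound SYN: client 198.51.100.7, ephemeral port 51234, to port 21."""
    return evaluate(acl, "198.51.100.7", 51234, PUBLIC_IP, 21) == "permit"
```

Only a client whose source port happened to be 21 or 20 would pass the original rules, which is why real clients were dropped by the implicit deny.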

I tried but it did not work. Thank you, Tomasz

thomas
