problem with FTP

Seems to be my day for Cisco-related issues. At a new location of ours (inherited from another company), running a 2620 on 12.3(10), I'm unable to FTP from any of their workstations. I can get to sites, but I cannot pull a dir listing of any site. It doesn't seem to matter if the site is Linux or Microsoft, large company (Symantec) or small (ours); I cannot pull a directory listing.

I am able to log in to the server, and I see command confirmations when I issue things like binary and cd, but not anything else.

This office has a T1. If I replace the 2620 with a 1710 with a generic T1 config (ISP IP on the serial side and ISP-provided IP on the ethernet0/0 side) and use a Linksys BEFSX41 as the "firewall", I'm able to FTP with no problem, so I've got to have something wrong in my config. Here's the config:

Current configuration : 3774 bytes
!
version 12.3
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname MattosLorton
!
boot-start-marker
boot system flash c2600-i-mz.12310.bin
boot-end-marker
!
logging rate-limit console 1000
no logging console
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx
enable password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
clock timezone EST -5
clock summer-time EST recurring
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
!
!
no ip domain lookup
ip domain name XXXXXXXXXXXXXXXXXXXX
ip name-server 205.171.3.65
ip dhcp excluded-address 192.168.101.101 192.168.101.254
!
ip dhcp pool 1
   network 192.168.101.0 255.255.255.0
   default-router 192.168.101.254
   dns-server 205.171.3.65
!
!
!
!
!
interface FastEthernet0/0
 description connected to EthernetLAN
 ip address 192.168.101.254 255.255.255.0
 ip access-group 100 in
 ip nat inside
 speed 100
 full-duplex
!
interface Serial0/0
 description connected to Internet
 ip address 1.2.3.218 255.255.255.252
 ip access-group 101 in
 no ip unreachables
 ip nat outside
 no fair-queue
 service-module t1 timeslots 1-24
 service-module t1 remote-alarm-enable
!
router rip
 version 2
 passive-interface Serial0/0
 network 67.0.0.0
 no auto-summary
!
ip nat inside source list 1 interface Serial0/0 overload
ip nat inside source static 192.168.101.101 4.5.6.32
ip nat inside source static 192.168.101.102 4.5.6.33
ip nat inside source static 192.168.101.103 4.5.6.34
ip nat inside source static 192.168.101.104 4.5.6.35
ip nat inside source static 192.168.101.105 4.5.6.36
ip nat inside source static 192.168.101.106 4.5.6.37
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
!
access-list 1 permit 192.168.101.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip any any log
access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain any log
access-list 101 permit icmp any any echo-reply log
access-list 101 permit icmp any any time-exceeded log
access-list 101 permit icmp any any port-unreachable log
access-list 101 permit udp any eq domain any
access-list 101 permit gre any any
access-list 101 deny ip host 4.5.6.32 any
access-list 101 deny ip host 4.5.6.33 any
access-list 101 deny ip host 4.5.6.34 any
access-list 101 deny ip host 4.5.6.35 any
access-list 101 deny ip host 4.5.6.36 any
access-list 101 deny ip host 4.5.6.37 any
access-list 101 permit tcp any host 4.5.6.32 eq 3389
access-list 101 permit udp any host 4.5.6.32 eq 5901
access-list 101 deny ip any host 4.5.6.32
access-list 101 permit tcp any host 4.5.6.33 eq 3389
access-list 101 permit udp any host 4.5.6.33 eq 5902
access-list 101 deny ip any host 4.5.6.33
access-list 101 deny ip any host 4.5.6.34
access-list 101 permit tcp any host 4.5.6.35 eq 3389
access-list 101 permit udp any host 4.5.6.35 eq 5904
access-list 101 deny ip any host 4.5.6.35
access-list 101 permit tcp any host 4.5.6.36 eq 3389
access-list 101 permit udp any host 4.5.6.36 eq 5905
access-list 101 deny ip any host 4.5.6.36
access-list 101 permit tcp any host 4.5.6.37 eq 3389
access-list 101 permit udp any host 4.5.6.37 eq 5906
access-list 101 deny ip any host 4.5.6.37
snmp-server community XXXXXXXXXXXXX RO
snmp-server enable traps tty
!
line con 0
line aux 0
line vty 0 4
 password 7 XXXXXXXXXXXXXXXXXXXXXXx
 login

Thanks... Brian Bergin

I can be reached via e-mail at cisco_dot_news_at_comcept_dot_net.

Please post replies to the group so all may benefit.

Reply to
Brian Bergin

By default, FTP data connections are initiated by the server connecting back to the client, but your ACL 101 doesn't allow incoming TCP connections. If you configure your clients to use passive FTP it should work, though.

Is there supposed to be a pair of permits for 3389 and 5902 for 4.5.6.34 here, like the other addresses?

You might want to put:

access-list 101 deny ip any any log

at the end, at least when you're troubleshooting filter problems. This will show how you're interfering with the application.

Reply to
Barry Margolin

|By default, FTP data connections are initiated by the server connecting
|back to the client, but your ACL 101 doesn't allow incoming TCP
|connections. If you configure your clients to use passive FTP it should
|work, though.

I need to be able to use ftp.exe which I don't think supports passive mode. How can I fix the ACL 101 to allow this?

NOTICE: Use of this information is contingent upon acceptance of Paragraph 17 of Terabyte's Terms and conditions located at

Reply to
Brian Bergin

access-list 101 permit tcp any eq ftp-data any gt 1023

Reply to
Barry Margolin

|access-list 101 permit tcp any eq ftp-data any gt 1023

Thanks! I'll add it today.

Reply to
Brian Bergin

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.