Solved

Problem opening ports for FTP on Cisco Router. Help.

Tags:
  • Routers
  • IP
  • Networking
  • Cisco
  • FTP
February 10, 2014 3:21:09 PM

I have a home lab set up with a Cisco router running NAT to my cable modem and a few switches. I am having trouble getting access to my FTP server via the WAN.

Here is the config I am currently running:

interface FastEthernet0/0
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
ip address dhcp
ip access-group 110 in
no ip redirects
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
!
no ip http server
ip nat inside source list NAT interface FastEthernet0/1 overload
ip nat inside source static tcp 10.10.10.2 20 x.x.x.x 20 extendable
ip nat inside source static tcp 10.10.10.2 21 x.x.x.x 21 extendable
!
ip access-list standard NAT
permit 10.10.10.0 0.0.0.255
!
access-list 110 permit tcp any host 10.10.10.2 range ftp-data ftp
access-list 110 permit tcp any host 10.10.10.2 eq ftp
access-list 110 permit ip any any



Can anyone advise on what I am doing wrong?

Thanks


February 10, 2014 4:18:02 PM

use ip nat inside source static tcp 10.10.10.2 20 interface fa0/1 20
February 10, 2014 4:32:07 PM

bill001g said:
use ip nat inside source static tcp 10.10.10.2 20 interface fa0/1 20


I did try that one as well with no luck.

interface FastEthernet0/0
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
ip address dhcp
ip access-group 110 in
no ip redirects
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
!
no ip http server
ip nat inside source list NAT interface FastEthernet0/1 overload
ip nat inside source static tcp 10.10.10.2 20 interface FastEthernet0/1 20
ip nat inside source static tcp 10.10.10.2 21 interface FastEthernet0/1 21
!
ip access-list standard NAT
permit 10.10.10.0 0.0.0.255
!
access-list 110 permit tcp any host 10.10.10.2 range ftp-data ftp
access-list 110 permit tcp any host 10.10.10.2 eq ftp
access-list 110 permit ip any any
February 10, 2014 5:13:43 PM

That is very strange; I have always done it that way.

I would try a debug on the ip nat and see if you are even getting the packets.

The 110 access list does nothing, first because it has all permit statements. Next, access lists are evaluated before the NAT is done, so the IP would be the IP that was assigned to the fa 0/1 interface, not the value after the NAT. If you were to put in the address assigned by DHCP and put the log option on, you might see the packets.
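The two points in the reply above (an inbound ACL on the NAT outside interface is evaluated before translation, and a list made only of permits filters nothing) can be checked mechanically. This is an added example, not code from the thread: a small Python audit run over a constructed excerpt of the posted configuration. The function names and finding labels are hypothetical, and it assumes numbered extended ACLs and that a private destination address is an inside-local one.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the configuration posted in the thread.
CONFIG = """\
interface FastEthernet0/1
ip access-group 110 in
ip nat outside
!
access-list 110 permit tcp any host 10.10.10.2 range ftp-data ftp
access-list 110 permit tcp any host 10.10.10.2 eq ftp
access-list 110 permit ip any any
"""
PORT_OPS = {"eq": 2, "neq": 2, "gt": 2, "lt": 2, "range": 3}  # tokens used by each operator

def take_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return A, or None for 'any'."""
    head = tokens.pop(0)
    nxt = None if head == "any" else tokens.pop(0)  # A after 'host', else the wildcard
    return nxt if head in ("any", "host") else head

def audit(config):
    """Return (finding, detail) pairs for ACLs bound inbound on 'ip nat outside' interfaces."""
    ifaces, acls, cur = [], {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            ifaces.append(cur := [])
        elif re.match(r"access-list 1\d\d (permit|deny) ", line):  # numbered extended ACL
            _, num, action, proto, *rest = line.split()
            src = take_addr(rest)
            del rest[:PORT_OPS.get(rest[0], 0)]  # skip an optional source-port match
            acls.setdefault(num, []).append((action, proto, src, take_addr(rest), line))
        elif line == "!":
            cur = None
        elif cur is not None:
            cur.append(line)
    findings = []
    for lines in ifaces:
        bound = [l.split()[2] for l in lines if re.fullmatch(r"ip access-group \S+ in", l)]
        if "ip nat outside" not in lines or not bound:
            continue
        entries = acls.get(bound[0], [])
        for *_, dst, line in entries:
            # Inbound ACLs run before NAT, so an inside-local destination never matches.
            if dst and ipaddress.ip_address(dst).is_private:
                findings.append(("pre-nat-destination", line))
        allow_all = any(e[:4] == ("permit", "ip", None, None) for e in entries)
        if allow_all and all(e[0] == "permit" for e in entries):
            findings.append(("filters-nothing", "access-list " + bound[0]))
    return findings
```

On the posted configuration this reports both FTP entries as written against the post-NAT address and access-list 110 as filtering nothing.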

Best solution

February 11, 2014 4:42:43 PM

Remove those NAT statements relating to '20' & '21' and see what happens:

ip nat inside source static tcp 10.10.10.2 20 x.x.x.x 20 extendable
ip nat inside source static tcp 10.10.10.2 21 x.x.x.x 21 extendable
ip nat inside source static tcp 10.10.10.2 20 interface FastEthernet0/1 20
ip nat inside source static tcp 10.10.10.2 21 interface FastEthernet0/1 21