Problem opening ports for FTP on Cisco Router. Help.

rhullinghorst

Dec 10, 2009
I have a home lab set up with a Cisco router running NAT to my cable modem and a few switches. I am having trouble getting access to my FTP server via the WAN.

Here is the config I am currently running:

interface FastEthernet0/0
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
ip address dhcp
ip access-group 110 in
no ip redirects
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
!
no ip http server
ip nat inside source list NAT interface FastEthernet0/1 overload
ip nat inside source static tcp 10.10.10.2 20 x.x.x.x 20 extendable
ip nat inside source static tcp 10.10.10.2 21 x.x.x.x 21 extendable
!
ip access-list standard NAT
permit 10.10.10.0 0.0.0.255
!
access-list 110 permit tcp any host 10.10.10.2 range ftp-data ftp
access-list 110 permit tcp any host 10.10.10.2 eq ftp
access-list 110 permit ip any any



Can anyone advise on what I am doing wrong?

Thanks
 

rhullinghorst

Dec 10, 2009


I did try that one as well with no luck.

interface FastEthernet0/0
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
ip address dhcp
ip access-group 110 in
no ip redirects
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
!
no ip http server
ip nat inside source list NAT interface FastEthernet0/1 overload
ip nat inside source static tcp 10.10.10.2 20 interface FastEthernet0/1 20
ip nat inside source static tcp 10.10.10.2 21 interface FastEthernet0/1 21
!
ip access-list standard NAT
permit 10.10.10.0 0.0.0.255
!
access-list 110 permit tcp any host 10.10.10.2 range ftp-data ftp
access-list 110 permit tcp any host 10.10.10.2 eq ftp
access-list 110 permit ip any any
 
That is very strange; I have always done it that way.

I would try a debug on the ip nat and see if you are even getting the packets.

The 110 access list does nothing, first because it has all permit statements. Next, access lists are evaluated before the NAT is done, so the IP would be the IP that was assigned to the fa 0/1 interface, not the value after the NAT. If you were to put in the address assigned by DHCP and put the log option on, you might see the packets.
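
The ordering described in the reply above, as an added example that is not part of the thread: a small Python model of the outside-to-inside path, in which ACL 110 is matched against the destination as it arrives, before the static NAT entries rewrite it. 203.0.113.10 is a constructed stand-in for the masked x.x.x.x address, and all function and variable names are hypothetical.

```python
# Constructed stand-in for the DHCP-assigned outside address (x.x.x.x in the thread).
OUTSIDE_IP = "203.0.113.10"

# ACL 110 as posted: (protocol, destination host or None for "any", port range or None).
ACL_POSTED = [
    ("tcp", "10.10.10.2", (20, 21)),  # permit tcp any host 10.10.10.2 range ftp-data ftp
    ("tcp", "10.10.10.2", (21, 21)),  # permit tcp any host 10.10.10.2 eq ftp
    ("ip", None, None),               # permit ip any any
]
# Variant following the reply: match the outside address, no catch-all permit.
ACL_OUTSIDE = [("tcp", OUTSIDE_IP, (20, 21))]

# Static port forwards from the config: (outside ip, port) -> (inside ip, port).
STATIC_NAT = {(OUTSIDE_IP, p): ("10.10.10.2", p) for p in (20, 21)}


def first_match(acl, proto, dst_ip, dst_port):
    """Index of the first matching entry, or None for the implicit deny."""
    for i, (p, dst, ports) in enumerate(acl):
        if p not in ("ip", proto):
            continue
        if dst is not None and dst != dst_ip:
            continue
        if ports is not None and not ports[0] <= dst_port <= ports[1]:
            continue
        return i
    return None


def inbound(acl, proto, dst_ip, dst_port):
    """Outside-to-inside path: the inbound ACL sees the packet before NAT rewrites it.

    Returns (matched ACL index or None, translated destination or None).
    """
    hit = first_match(acl, proto, dst_ip, dst_port)
    if hit is None:
        return None, None                       # dropped before NAT ever runs
    return hit, STATIC_NAT.get((dst_ip, dst_port))


if __name__ == "__main__":
    for name, acl in (("posted", ACL_POSTED), ("outside-address", ACL_OUTSIDE),
                      ("posted minus catch-all", ACL_POSTED[:2])):
        print(name, inbound(acl, "tcp", OUTSIDE_IP, 21))
```

With the posted list, FTP control traffic is admitted only by the final `permit ip any any` (index 2); the two entries naming 10.10.10.2 never match, so dropping the catch-all without changing them would block the forward entirely.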
 

MartinWilson

Aug 13, 2013
Remove those NAT statements relating to '20' & '21' and see what happens:

ip nat inside source static tcp 10.10.10.2 20 x.x.x.x 20 extendable
ip nat inside source static tcp 10.10.10.2 21 x.x.x.x 21 extendable
ip nat inside source static tcp 10.10.10.2 20 interface FastEthernet0/1 20
ip nat inside source static tcp 10.10.10.2 21 interface FastEthernet0/1 21
 
Solution