[c-nsp] passive ftp static nat
Dan Letkeman
danletkeman at gmail.com
Fri Apr 10 11:30:08 EDT 2009
Hello,
I'm having trouble logging into our ftp server from an external
source. It works when you set the client to active mode, but passive
mode always hangs.
2821, IOS Firewall
Relevant config:
ip inspect name SDM_LOW ftp
interface GigabitEthernet0/0
ip address 10.10.10.1 255.255.255.252
ip nat inside
!
!
interface FastEthernet0/0/3
description Internet
switchport access vlan 800
bandwidth 10000
no cdp enable
!
!
interface Vlan800
description Internet
bandwidth 10000
ip address 64.x.x.1 255.255.255.224
ip access-group firewall in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
no mop enabled
!
!
ip nat pool 152 64.x.x.1 64.x.x.1 netmask 255.255.255.224
ip nat inside source list internet-152 pool 152 overload
ip nat inside source static tcp 172.16.0.24 21 64.x.x.1 21 extendable
ip nat inside source static tcp 172.16.0.24 80 64.x.x.1 80 extendable
!
ip access-list extended firewall
permit tcp any host 64.x.x.1 eq ftp
deny ip any any log
!
ip access-list extended internet-152
permit tcp host 172.16.0.24 any
I have tried adding: "permit tcp any host 64.x.x.1 gt 1024
established" to the firewall acl, but it still does not seem to
connect from a passive ftp client.
Dan.
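As an added troubleshooting aid (not part of the original message or of any Cisco tool), the small checker below parses the server's `227 Entering Passive Mode` reply and reports the two things that break passive FTP behind a static NAT with an inbound ACL: the reply still carrying the inside address (172.16.0.24 in the post) because no FTP ALG rewrote it, or the advertised data port falling outside what the ACL permits. The public address 64.0.0.1 and the sample replies are constructed placeholders standing in for the masked 64.x.x.1.

```python
import ipaddress
import re

# Constructed sample 227 replies (RFC 959 format). 172.16.0.24 is the inside
# FTP server from the post; 64.0.0.1 is a placeholder for the masked public
# address 64.x.x.1, not a real host.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (172,16,0,24,195,80).",  # inside address leaked
    "227 Entering Passive Mode (64,0,0,1,195,80).",     # rewritten by an FTP ALG
    "227 Entering Passive Mode (64,0,0,1,0,21).",       # port below the ACL range
]

# h1,h2,h3,h4 = address octets; p1,p2 = data port as p1*256 + p2
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply, or None if it does not parse."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(reply, public_ip, allowed_low=1025, allowed_high=65535):
    """List why an outside client could not open the advertised data channel.

    allowed_low/allowed_high default to the 'gt 1024' range the post tried.
    An empty list means the address and port look usable from the outside.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["reply is not a 227 PASV response"]
    ip, port = parsed
    problems = []
    if ipaddress.ip_address(ip).is_private:
        problems.append(f"server advertised private address {ip}; NAT ALG did not rewrite it")
    elif ip != public_ip:
        problems.append(f"advertised {ip} but the static NAT address is {public_ip}")
    if not allowed_low <= port <= allowed_high:
        problems.append(f"data port {port} is outside the ACL range {allowed_low}-{allowed_high}")
    return problems


if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        print(reply, "->", check_pasv(reply, "64.0.0.1") or ["ok"])
```

Even when the address and port pass, the inbound data connection still needs a translation for that port; a static entry for port 21 alone does not provide one, which is what FTP inspection on the inbound path is for.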