Question : Problem: Allow Active and Passive FTP connections on Cisco 806
Recently a few clients have been complaining that they aren't able to connect to our FTP server. This FTP server has been successfully up and running behind a Cisco 806 router for more than a year, so I initially thought it was just a few cases of user error. However, after testing it myself, I have discovered that Active connections go through the logon and authorization processes, but never receive a directory listing. Setting the FTP client to Passive (or PASV mode) eliminates the problem, and allows uploading of files as desired.
The simple solution seems to be "Tell your clients to set their FTP software to PASV" but more often than not we actually have to explain to them what FTP is in the first place. Also, I am curious as to why this problem has just popped up now, after months of it not being an issue.
My questions are:
(1) Why did this just show up all of a sudden? Is it coincidence, or could a recent round of Windows updates on the server just prior to all the complaints be the culprit? The router config has not been changed, and to make sure of that, I loaded a 6 month old backup copy with the same results.
(2) Can / should I configure the router to allow Active and Passive (PASV) connections to our FTP server? If so, I need help with the config. If allowing Active and Passive connections is a bad idea, an explanation of why it's not a good thing to do.
I think I have even found what may be a possible solution at Cisco, but I have no idea how to implement it. Here is the Cisco page:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_summary_chapter09186a00800801b6.html#1017560
Details of the equipment involved: FTP Server = Win2k Server, IIS 5.0, current on all updates and service packs. Router = Cisco 806 with IOS ver 12.2(11)t
Feel free to comment on, or suggest better alternatives, but here is the current config with some obvious details removed:
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ############
!
logging buffered 100000 debugging
enable secret 5 ###################.
!
ip subnet-zero
no ip source-route
no ip domain lookup
ip host ftp_out ###.###.###.65
ip name-server ###.###.###.150
ip name-server ###.###.###.130
ip dhcp excluded-address 192.168.123.###
ip dhcp excluded-address 192.168.123.###
ip dhcp excluded-address 192.168.123.###
ip dhcp excluded-address 192.168.123.###
ip dhcp excluded-address 192.168.123.###
ip dhcp excluded-address 192.168.123.### 192.168.123.###
!
ip dhcp pool CLIENT
   import all
   network 192.168.123.0 255.255.255.0
   default-router 192.168.123.254
   dns-server ###.###.###.1 ###.###.###.2
   lease 8
!
ip inspect name mysite cuseeme
ip inspect name mysite fragment maximum 256 timeout 1
ip inspect name mysite ftp
ip inspect name mysite h323
ip inspect name mysite http
ip inspect name mysite netshow
ip inspect name mysite rcmd
ip inspect name mysite realaudio
ip inspect name mysite rtsp
ip inspect name mysite smtp
ip inspect name mysite sqlnet
ip inspect name mysite streamworks
ip inspect name mysite tcp
ip inspect name mysite tftp
ip inspect name mysite udp
ip inspect name mysite vdolive
ip inspect name GO ftp alert on audit-trail on timeout 300
!
interface Ethernet0
 ip address 192.168.123.254 255.255.255.0
 ip access-group 51 in
 ip nat inside
 ip inspect mysite in
 no cdp enable
 hold-queue 32 in
 hold-queue 100 out
!
interface Ethernet1
 mac-address ####.####.####
 ip address ###.###.###.65 ###.###.###8.0
 ip access-group 101 in
 ip nat outside
 ip inspect GO in
 no cdp enable
!
ip local pool default 192.168.123.### 192.168.123.###
ip nat inside source list 1 interface Ethernet1 overload
ip nat inside source static tcp 192.168.123.### 21 interface Ethernet1 21
ip nat inside source static tcp 192.168.123.### 20 interface Ethernet1 20
ip classless
ip route 0.0.0.0 0.0.0.0 ###.###.###.254
no ip http server
!
logging 192.168.123.###
access-list 1 permit 192.168.123.0 0.0.0.255
access-list 51 deny 192.168.123.###
access-list 51 deny 192.168.123.###
access-list 51 deny 192.168.123.###
access-list 51 deny 192.168.123.###
access-list 51 deny 192.168.123.###
access-list 51 permit any
access-list 101 deny ip 192.168.123.0 0.0.0.255 any
access-list 101 permit tcp any host ###.###.###.65 eq ftp
access-list 101 permit tcp any host ###.###.###.65 eq ftp-data
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 deny icmp any any
access-list 101 deny tcp any any
access-list 101 deny udp any any
access-list 101 deny ip any any
no cdp run
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 no login
 no exec
!
scheduler max-task-time 5000
end
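A diagnostic that reproduces the manual test described in the question, as an added example that is not part of the original post or any Cisco tooling: it requests a directory listing once in active (PORT) mode and once in passive (PASV) mode and reports which data-channel mode gets through the router, and its two parsers decode the address formats (the PORT argument and the 227 reply) that the router's FTP inspection has to read and rewrite. The host name, credentials and sample replies are assumed or constructed.

```python
import ftplib
import ipaddress
import re
import socket

# FTP encodes an address as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2 (RFC 959).
_PORT_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
_RFC1918 = tuple(ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

def parse_port_arg(arg):
    """Decode a PORT argument (the client's data address in active mode)."""
    m = _PORT_RE.search(arg)
    if not m:
        raise ValueError("malformed PORT argument: %r" % arg)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def parse_pasv_reply(reply):
    """Decode a '227 Entering Passive Mode (...)' reply (server's data address)."""
    if not reply.startswith("227"):
        raise ValueError("not a PASV reply: %r" % reply)
    return parse_port_arg(reply)

def is_rfc1918(ip):
    """True for private space; a PORT or 227 carrying such an address on the
    public side of the router means the NAT/inspection engine did not rewrite it."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _RFC1918)

def check_listing(host, user, password, passive, timeout=10):
    """Log in and request LIST; return 'ok', 'timeout' or 'error: ...'."""
    try:
        with ftplib.FTP(host, timeout=timeout) as ftp:
            ftp.login(user, password)
            ftp.set_pasv(passive)            # False => client sends PORT (active mode)
            ftp.retrlines("LIST", lambda line: None)
            return "ok"
    except socket.timeout:
        return "timeout"   # login succeeded but the data channel never came up
    except ftplib.all_errors as exc:
        return "error: %s" % exc

if __name__ == "__main__":
    import sys
    host, user, password = sys.argv[1:4]   # usage: ftpcheck.py HOST USER PASSWORD
    for mode, passive in (("active", False), ("passive", True)):
        print("%-8s %s" % (mode, check_listing(host, user, password, passive)))
```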
Answer : Problem: Allow Active and Passive FTP connections on Cisco 806
Points refunded and question closed.
Netminder EE Admin