Question : Problem: Allow Active and Passive FTP connections on Cisco 806

Recently a few clients have been complaining that they aren't able to connect to our FTP server. This FTP server has been successfully up and running behind a Cisco 806 router for more than a year, so I initially thought it was just a few cases of user error. However, after testing it myself, I have discovered that Active connections go through the logon and authorization processes, but never receive a directory listing. Setting the FTP client to Passive (or PASV mode) eliminates the problem, and allows uploading of files as desired.

The simple solution seems to be "Tell your clients to set their FTP software to PASV" but more often than not we actually have to explain to them what FTP is in the first place. Also, I am curious as to why this problem has just popped up now, after months of it not being an issue.

My questions are:

(1) Why did this just show up all of a sudden? Is it coincidence, or could a recent round of Windows updates on the server just prior to all the complaints be the culprit? The router config has not been changed, and to make sure of that, I loaded a 6 month old backup copy with the same results.

(2) Can / should I configure the router to allow Active and Passive (PASV) connections to our FTP server? If so, I need help with the config. If allowing Active and Passive connections is a bad idea, an explanation of why it's not a good thing to do.

I think I have even found what may be a possible solution at Cisco, but I have no idea how to implement it. Here is the Cisco page:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_summary_chapter09186a00800801b6.html#1017560

Details of the equipment involved:
FTP Server = Win2k Server, IIS 5.0, current on all updates and service packs.
Router = Cisco 806 with IOS ver 12.2(11)t

Feel free to comment on, or suggest better alternatives, but here is the current config with some obvious details removed:

!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ############
!
logging buffered 100000 debugging
enable secret 5 ###################.
!
ip subnet-zero
no ip source-route
no ip domain lookup
ip host ftp_out ###.###.###.65
ip name-server ###.###.###.150
ip name-server ###.###.###.130
ip dhcp excluded-address 192.168.123.###
ip dhcp excluded-address 192.168.123.###
ip dhcp excluded-address 192.168.123.###
ip dhcp excluded-address 192.168.123.###
ip dhcp excluded-address 192.168.123.###
ip dhcp excluded-address 192.168.123.### 192.168.123.###
!
ip dhcp pool CLIENT
   import all
   network 192.168.123.0 255.255.255.0
   default-router 192.168.123.254
   dns-server ###.###.###.1 ###.###.###.2
   lease 8
!
ip inspect name mysite cuseeme
ip inspect name mysite fragment maximum 256 timeout 1
ip inspect name mysite ftp
ip inspect name mysite h323
ip inspect name mysite http
ip inspect name mysite netshow
ip inspect name mysite rcmd
ip inspect name mysite realaudio
ip inspect name mysite rtsp
ip inspect name mysite smtp
ip inspect name mysite sqlnet
ip inspect name mysite streamworks
ip inspect name mysite tcp
ip inspect name mysite tftp
ip inspect name mysite udp
ip inspect name mysite vdolive
ip inspect name GO ftp alert on audit-trail on timeout 300
!
interface Ethernet0
 ip address 192.168.123.254 255.255.255.0
 ip access-group 51 in
 ip nat inside
 ip inspect mysite in
 no cdp enable
 hold-queue 32 in
 hold-queue 100 out
!
interface Ethernet1
 mac-address ####.####.####
 ip address ###.###.###.65 ###.###.###8.0
 ip access-group 101 in
 ip nat outside
 ip inspect GO in
 no cdp enable
!
ip local pool default 192.168.123.### 192.168.123.###
ip nat inside source list 1 interface Ethernet1 overload
ip nat inside source static tcp 192.168.123.### 21 interface Ethernet1 21
ip nat inside source static tcp 192.168.123.### 20 interface Ethernet1 20
ip classless
ip route 0.0.0.0 0.0.0.0 ###.###.###.254
no ip http server
!
logging 192.168.123.###
access-list 1   permit 192.168.123.0 0.0.0.255
access-list 51  deny   192.168.123.###
access-list 51  deny   192.168.123.###
access-list 51  deny   192.168.123.###
access-list 51  deny   192.168.123.###
access-list 51  deny   192.168.123.###
access-list 51  permit any
access-list 101 deny   ip 192.168.123.0 0.0.0.255 any
access-list 101 permit tcp any host ###.###.###.65 eq ftp
access-list 101 permit tcp any host ###.###.###.65 eq ftp-data
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 deny   icmp any any
access-list 101 deny   tcp any any
access-list 101 deny   udp any any
access-list 101 deny   ip any any
no cdp run
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 no login
 no exec
!
scheduler max-task-time 5000
end
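The difference between Active and Passive FTP that the question turns on is where the data connection is announced and who opens it: in Active mode the client sends a PORT command and the server connects back to the client; in Passive mode the server replies with a 227 line and the client connects to the server. A stateful inspector such as the `ip inspect ... ftp` entries in the config above works by reading exactly those two lines on the control channel and opening a pinhole for the data connection they describe. The script below is an added illustration, not code from the original post or from Cisco: it walks a constructed FTP control-channel transcript, decodes the h1,h2,h3,h4,p1,p2 form into a host and port for each PORT / 227 line, and applies the two sanity checks a firewall ALG typically makes before opening the pinhole (the announced address must match the control-connection peer as seen on the inspected segment, and the port must be unprivileged). The addresses, usernames and the session itself are constructed sample data.

```python
import re
from dataclasses import dataclass

# Constructed sample FTP control-channel transcript (not from the original page).
# "C:" lines are client -> server, "S:" lines are server -> client.
SAMPLE_SESSION = [
    "C: USER anonymous",
    "S: 331 Password required",
    "C: PASS guest@example.invalid",
    "S: 230 Logged in",
    "C: PORT 203,0,113,10,19,137",        # active: server will connect to 203.0.113.10:5001
    "S: 200 PORT command successful",
    "C: LIST",
    "S: 150 Opening ASCII mode data connection",
    "C: PASV",
    "S: 227 Entering Passive Mode (192,0,2,65,195,89)",  # passive: client connects to 192.0.2.65:50009
    "C: STOR upload.bin",
]

# RFC 959 encodes the data endpoint as six comma-separated decimal bytes.
SIX_BYTES = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + SIX_BYTES + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?\(" + SIX_BYTES + r"\)")


@dataclass
class DataChannel:
    mode: str        # "active" (PORT) or "passive" (227)
    host: str        # address the data connection will be made to
    port: int        # port the data connection will be made to
    initiator: str   # who opens the data connection: "server" or "client"


def decode_endpoint(groups):
    """Turn h1,h2,h3,h4,p1,p2 into (host, port); raise on out-of-range bytes."""
    values = [int(g) for g in groups]
    if any(v > 255 for v in values):
        raise ValueError("byte out of range in FTP endpoint")
    host = ".".join(str(v) for v in values[:4])
    port = values[4] * 256 + values[5]
    return host, port


def pinhole_verdict(host, port, expected_peer):
    """Checks an FTP ALG makes before opening the data-channel pinhole."""
    if not 1024 <= port <= 65535:
        return "reject: data port must be an unprivileged port"
    if host != expected_peer:
        return "reject: announced address does not match control-connection peer"
    return "allow"


def extract_data_channels(lines, client_ip, server_ip):
    """Return [(DataChannel, verdict)] for every PORT / 227 seen on the control channel.

    client_ip and server_ip are the control-connection peers as the inspector sees them
    on its own segment (behind NAT the server side would be the private address)."""
    results = []
    for line in lines:
        side, _, text = line.partition(": ")
        if side == "C":
            m = PORT_RE.match(text)
            if m:
                host, port = decode_endpoint(m.groups())
                chan = DataChannel("active", host, port, "server")
                results.append((chan, pinhole_verdict(host, port, client_ip)))
        elif side == "S":
            m = PASV_RE.match(text)
            if m:
                host, port = decode_endpoint(m.groups())
                chan = DataChannel("passive", host, port, "client")
                results.append((chan, pinhole_verdict(host, port, server_ip)))
    return results


if __name__ == "__main__":
    for chan, verdict in extract_data_channels(SAMPLE_SESSION, "203.0.113.10", "192.0.2.65"):
        print(f"{chan.mode:7s} {chan.initiator} -> {chan.host}:{chan.port}  [{verdict}]")
```

Run as-is, the script shows the Active data channel going back to the client on port 5001 and the Passive one going to the server on port 50009, both allowed. The address-match check is the reason an inspector that only sees one side of the conversation (the config above inspects inbound on Ethernet1 with "GO" and inbound on Ethernet0 with "mysite") may refuse to open the pinhole for an Active transfer if the PORT address it sees does not match the peer it tracked, which is the same symptom the question describes: login succeeds on the control channel while the directory listing on the data channel never arrives.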

Answer : Problem: Allow Active and Passive FTP connections on Cisco 806

Points refunded and question closed.

Netminder
EE Admin