[afnog] Fw: Port forwarding FTP

Benjamin Cobblah cbnayai at yahoo.co.uk
Thu Oct 7 08:19:36 UTC 2010



Dear Mark,

I have 2 fast ethernet ports; fa0 faces the public and fa1 faces my LAN.
I have applied this access list on the fa0 interface.

I created a static entry for the natting:
ip nat inside source static tcp X.X.X.X 20 Y.Y.Y.Y 20 extendable
ip nat inside source static tcp X.X.X.X 21 Y.Y.Y.Y 21 extendable
ip nat inside source static tcp X.X.X.X 22 Y.Y.Y.Y 22 extendable

Then I created the access list as follows:
access-list 101 remark permit ftp
access-list 101 permit tcp X.X.X.0 0.0.0.255 any eq ftp-data
access-list 101 permit tcp X.X.X.0 0.0.0.255 any eq ftp
access-list 101 remark permit ssh
access-list 101 permit tcp X.X.X.0 0.0.0.255 any eq 22

Then I applied it on the fa0 (external facing router interface):
interface FastEthernet0/0
 description ***ISP LINK ***
 ip address Y.Y.Y.Y 255.255.255.252
 ip nat outside

Both ftp and sftp still do work from outside. I need help on this one.

Best regards,

Benjamin




________________________________
From: Mark Tinka <mtinka at globaltransit.net>
To: Benjamin Cobblah <cbnayai at yahoo.co.uk>
Cc: afnog <afnog at afnog.org>
Sent: Wed, 6 October, 2010 18:16:10
Subject: Re: [afnog] Port forwarding FTP

On Wednesday, October 06, 2010 11:38:18 pm Benjamin Cobblah 
wrote:

> Dear All,

Hello Benjamin.

> I know this might be the lamest question I have ever
>  asked...

No question is lame, only the one you don't ask :-).

> Scenario.
> I have an internal ftp on my lan and need someone to
> upload some data into it from across the globe.

If you can provide the public addresses to target, we could 
test.

> This is my conf on my router
> ****************************************************
> ip nat inside source static tcp X.X.X.X 20 Y.Y.Y.Y 20 extendable
> ip nat inside source static tcp X.X.X.X 21 Y.Y.Y.Y 21 extendable
> ip nat inside source static tcp X.X.X.X 22 Y.Y.Y.Y 22 extendable

This looks pretty standard.

"X.X.X.X" should be your internal IP address, while 
"Y.Y.Y.Y" your external address (the one on which you've 
configured 'ip nat outside').

> access-list 101 remark permit ftp
> access-list 101 permit tcp X.X.X.0 0.0.0.255 any eq ftp-data
> access-list 101 permit tcp X.X.X.0 0.0.0.255 any eq ftp
> access-list 101 remark permit ssh
> access-list 101 permit tcp X.X.X.0 0.0.0.255 any eq 22

Where have you applied this filter? Not enough information 
to go on, but it could be your problem.

Cheers,

Mark.
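
Added example (not part of the thread): a small Python evaluator for the access-list 101 entries quoted above, showing which source addresses the list permits and where the implicit deny at the end of an IOS access list applies. The addresses are constructed stand-ins for the redacted X.X.X.0 network and for a remote client, and only the "tcp <src> <wildcard> any eq <port>" form used in the thread is parsed.

```python
import ipaddress

# Constructed stand-ins for the thread's redacted addresses (assumptions):
#   192.168.10.0 replaces X.X.X.0 (inside LAN); 198.51.100.7 is a remote client.
ACL_101 = """\
access-list 101 remark permit ftp
access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq ftp-data
access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq ftp
access-list 101 remark permit ssh
access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq 22
"""

PORT_NAMES = {"ftp-data": 20, "ftp": 21}


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def parse_acl(text):
    """Parse 'permit|deny tcp <src> <wildcard> any eq <port>' entries only."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        action, proto, src, wildcard, dst, op, port = tok[2:9]
        if proto != "tcp" or dst != "any" or op != "eq":
            raise ValueError("unsupported entry: " + line)
        dport = PORT_NAMES.get(port) or int(port)
        entries.append((action, to_int(src), to_int(wildcard), dport))
    return entries


def evaluate(entries, src_ip, dport):
    """First matching entry wins; no match falls through to the implicit deny."""
    src = to_int(src_ip)
    for action, base, wildcard, port in entries:
        # Wildcard bits set to 1 are "don't care"; the rest must equal the base.
        if ((src ^ base) & ~wildcard & 0xFFFFFFFF) == 0 and dport == port:
            return action
    return "deny"


if __name__ == "__main__":
    acl = parse_acl(ACL_101)
    for src, port in [("198.51.100.7", 21), ("198.51.100.7", 22), ("192.168.10.5", 21)]:
        print(src, port, evaluate(acl, src, port))
```

The source field in each entry is compared against the packet's source address, so the direction in which the list is applied decides whether the inside network ever appears in that position.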


      