[afnog] Fw: Port forwarding FTP

Patrick Okui pokui at psg.com
Thu Oct 7 09:26:16 UTC 2010


On 7 Oct, 2010, at 11:19 AM, Benjamin Cobblah wrote:

>
> Dear Mark,
>
> I  have 2 fast ethernet ports; fa0 faces the public and fa1 faces my  
> lan
> I have applied this access list on the fa0 interface

You need ip nat inside on interface fa1 (is that fa0/1 or 1/0 or ?)

>
> I created a static entry for the natting
>  ip nat inside source static tcp X.X.X.X 20 Y.Y.Y.Y 20  extendable
>  ip nat inside source static tcp X.X.X.X 21 Y.Y.Y.Y 21 extendable
> ip nat inside source static tcp  X.X.X.X 22 Y.Y.Y.Y 22 extendable
>
> then i created the access list as follows;
> access-list 101 remark permit ftp
>  access-list 101 permit tcp X.X.X.0 0.0.0.255 any eq ftp-data
>  access-list 101 permit tcp X.X.X.0 0.0.0.255 any eq ftp
>  access-list 101 remark permit ssh
>  access-list 101 permit tcp X.X.X.0 0.0.0.255 any eq 22

This acl looks backwards to me. If your goal is to only allow ssh and  
ftp TO your internal server then:

1. the source should be any,
2. the destination IP should be your public IP (y.y.y.y)

As written your acl allows x.x.x.x to connect to any ftp or ssh server  
(not the other way round). As Mark suggested, start by testing without  
the acl then add it when you are sure the NAT statements are working.

>
> then i applied it on the fa0 (external facing router interface)
> interface FastEthernet0/0
>  description ***ISP LINK ***
>  ip address Y.Y.Y.Y 255.255.255.252
>  ip nat outside

I do not see an acl applied to this interface.

>
> Both ftp and sftp still do work from outside. I need help on this one.

I think you mean do NOT work from outside.

Again, as Mark suggested, start by removing the acl and also ensure  
you have "ip nat inside" on the fast ethernet connected to your LAN.

--
patrick
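As an added example that is not from this thread, the posted ACL is shown next to an inbound version written the way the reply describes (source any, destination the public address), together with the NAT and interface statements under discussion. The interface names fa0/0 and fa0/1, the `established` line and the passive-FTP note are assumptions, not something the poster's configuration shows.

```cisco
! Added example, not the poster's configuration. X.X.X.X is the internal
! server and Y.Y.Y.Y the public address, as in the post; fa0/0 (outside)
! and fa0/1 (inside) are assumed interface names.

! --- As posted: the SOURCE is the internal network, so this only permits
! hosts in X.X.X.0/24 to reach ftp/ssh servers elsewhere. Applied inbound
! on the ISP-facing interface it matches nothing coming from the Internet.
access-list 101 remark permit ftp (as posted, direction reversed)
access-list 101 permit tcp X.X.X.0 0.0.0.255 any eq ftp-data
access-list 101 permit tcp X.X.X.0 0.0.0.255 any eq ftp
access-list 101 permit tcp X.X.X.0 0.0.0.255 any eq 22

! --- Corrected for inbound traffic on the outside interface. An inbound
! ACL on an "ip nat outside" interface is evaluated before translation,
! so the destination must be the public address Y.Y.Y.Y, not X.X.X.X.
no access-list 101
access-list 101 remark allow ftp and ssh to the published server only
access-list 101 permit tcp any host Y.Y.Y.Y eq ftp
access-list 101 permit tcp any host Y.Y.Y.Y eq ftp-data
access-list 101 permit tcp any host Y.Y.Y.Y eq 22
! Assumption: the LAN also opens connections outbound. Without this line
! the implicit deny drops their return packets; "established" only admits
! segments with ACK or RST set (a stateless check, not session tracking).
access-list 101 permit tcp any any established
! Passive-mode FTP negotiates a high data port per transfer; port 20 only
! covers active mode. Either pin the server to a passive port range and
! permit (and forward) that range, or use stateful inspection instead.

! Static port forwards, unchanged from the post
ip nat inside source static tcp X.X.X.X 20 Y.Y.Y.Y 20 extendable
ip nat inside source static tcp X.X.X.X 21 Y.Y.Y.Y 21 extendable
ip nat inside source static tcp X.X.X.X 22 Y.Y.Y.Y 22 extendable

interface FastEthernet0/0
 description *** ISP LINK ***
 ip address Y.Y.Y.Y 255.255.255.252
 ip nat outside
 ip access-group 101 in
 ! the post shows no access-group on this interface, so the ACL was never
 ! in effect; add it only after the NAT entries are confirmed working

interface FastEthernet0/1
 description *** LAN ***
 ip nat inside
 ! missing from the post; without it no translation takes place at all
```

Test from the outside with `show ip nat translations` and `show access-lists 101` to confirm that a connection to Y.Y.Y.Y:21 creates a translation and increments the matching ACL counter.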