NAT translating FTP port

agermoses

Junior Member
Feb 28, 2014
15
0
0
Hi guys. I am trying to map my FTP service out to my public IP.
I have windows 2008 running my FTP server on an internal IP of 192.168.1.175.

I had translated these
ip nat inside source static tcp 192.168.1.175 20 212.159.***.*** 20 extendable
ip nat inside source static tcp 192.168.1.175 21 212.159.***.*** 21
and thought this ACL would do it..
access-list 101 permit tcp any host 212.159.***.*** eq ftp
access-list 101 permit tcp any host 212.159.***.*** gt 1024
access-list 101 permit ip any any




!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface FastEthernet0
switchport access vlan 2
speed 100
pppoe enable group global
pppoe-client dial-pool-number 10
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
description AGETNET_DOMAIN
no ip address
ip nat inside
ip virtual-reassembly
no dot11 extension aironet
!
encryption mode ciphers tkip
!
ssid AGETNET_DOMAIN
!
ssid AgerNet-Domain
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description INTERNAL NETWORK
no ip address
ip virtual-reassembly
bridge-group 1
!
interface Vlan2
description WAN LINK
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
pppoe enable group global
pppoe-client dial-pool-number 10
!
interface Dialer1
ip address negotiated
ip access-group 101 in
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 10
ppp authentication chap callin
ppp chap hostname ******
ppp chap password 0 ******
!
interface BVI1
description $ES_LAN$
ip address 192.168.1.1 255.255.255.0
ip access-group 101 out
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 FastEthernet0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static 192.168.1.175 interface Dialer1
ip nat inside source static tcp 192.168.1.175 20 212.159.***.*** 20 extendable
ip nat inside source static tcp 192.168.1.175 21 212.159.***.*** 21 extendable
!
ip access-list extended NAT
permit ip 192.168.1.0 0.0.0.255 any
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 10 permit any
access-list 10 deny any log
access-list 101 permit tcp any host 212.159.***.*** eq ftp
access-list 101 permit tcp any host 212.159.***.*** gt 1024
access-list 101 permit ip any any

I have tried changing the access list to suit ports 21 and 20 but have changed it as above as I was trying passive.

I'm obviously getting it wrong somewhere and have been at it a little while. Can anyone help please!

Thanks
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
What exactly is failing: is FTP not connecting at all? Is it connecting and the transfer failing? NAT and FTP isn't for the faint of heart either.

You will have to NAT a range of ports >1024. You will also need to configure FTP to be aware of this range and also that it is using NAT. Otherwise the commands will never complete.
 

RadiclDreamer

Diamond Member
Aug 8, 2004
8,622
40
91
If you are running an ASA you could turn on FTP inspection. Or you could try doing FTP without passive being turned on.
 

agermoses

Junior Member
Feb 28, 2014
15
0
0
What exactly is failing, is FTP not connecting at all?
I cannot browse to the ftp://212.159.***.*** address from my browser. I get a "Firefox can't establish a connection to the server at 212.159.***.***" message.

I also see matches on my access list... this access list is applied inbound on my dialer1 interface.

Extended IP access list 101
10 permit tcp any host 212.159.***.*** eq ftp (72 matches)
20 permit tcp any host 212.159.***.*** gt 1024 (788879 matches)
30 permit ip any any (141791 matches)
You will have to NAT a range of ports >1024.
I know that within MS2008 IIS, which is managing my FTP server, I can go into the firewall settings, which look like this:


These fields require a port range > 1024, so if I enter a port range such as 1100 - 1105 here... and set the IP address of the firewall to be the IP of my router, 192.168.1.1...

then go and add statements like...
ip nat inside source static tcp 192.168.1.175 1100 212.159.***.*** 20 extendable
ip nat inside source static tcp 192.168.1.175 1105 212.159.***.*** 21

would that work?

Thanks for your help with this.
 

lif_andi

Member
Apr 15, 2013
173
0
0
You'll have to make a static translation from the outside IP address towards the inside IP address on the specific port you are using.

Something like:

ip nat inside source static tcp 192.168.1.175 21 212.159.x.x 21

which would effectively create a translation for all hits on that port for the same port on the inside server, and vice versa.

Second you MUST fix that access-list, since it is essentially allowing ALL traffic into your network.

This:
access-list 101 permit ip any any
renders all other permit statements in that list useless. If this router is facing the internet, you pretty much have the worst security possible. Remove that statement if you care at all. Also you don't have to have the access-group on both interfaces. Allow it in on your inside interface, and that's it. Allow only what you want to have access into your network on a SEPARATE access-list and trust the implicit deny at the end.

This:
access-list 102 permit tcp any host 212.159.***.*** eq ftp
is enough to allow port ftp access to your router, which will then translate it to your inside ftp server, without actually stopping on your router.

Use inspection to setup permissions for return traffic, and have the firewall on the outside interface, inspecting out.
 

agermoses

Junior Member
Feb 28, 2014
15
0
0
Thanks, will try what you suggested.

You are right, this is not secure at the moment. I have been trying all sorts to open this access, including permitting all. The network itself is all virtual, so not a real risk. Thanks though.
 

Mark R

Diamond Member
Oct 9, 1999
8,513
16
81
The problem with FTP is that it is not NAT friendly (at least not on the server side).

Normal FTP is not compatible with client side NAT, so most FTP servers these days need to be set up for Passive mode (which can be made to work through a client NAT).

The problem is that even passive mode really doesn't like NAT.

1. Client connects to port 21 on server (needs port 21 open on router)
2. Client requests passive data transfer
3. Server responds telling client to reconnect on port X
4. Client connects to port X (requires port X to be open on router)
5. Data transferred

You will need to configure your FTP server to use passive ports within a suitable range, and ALSO open those ports on your router so that they NAT to your server.
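Steps 3 and 4 above, illustrated with an added example that is not part of the thread: a Python check that parses the server's PASV reply and compares the advertised address and port with the public IP and the translated passive range. The placeholder 212.159.0.1 stands in for the masked public address and the 1025-2000 range is the one the poster set in the IIS FTP firewall settings; both are assumptions for this example.

```python
import re

# Constructed values for this example: a placeholder for the masked public address
# and the passive range configured in the IIS FTP firewall settings.
PUBLIC_IP = "212.159.0.1"
PASV_RANGE = (1025, 2000)

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": address h1.h2.h3.h4, port p1*256+p2
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str):
    """Return the (ip, port) the server tells the client to reconnect to (step 3)."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV success reply: {reply!r}")
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"malformed PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(reply: str, public_ip: str = PUBLIC_IP, port_range=PASV_RANGE):
    """List the reasons step 4 (client connects to port X) would fail through the NAT.

    Either problem means the client tries an address or port the router has no static
    translation for: the control connection works, but listings and transfers hang.
    """
    ip, port = parse_pasv(reply)
    problems = []
    if ip != public_ip:
        problems.append(f"server advertised {ip} instead of the public address {public_ip}")
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append(f"data port {port} is outside the translated range {lo}-{hi}")
    return problems


# Constructed sample replies: a NAT-unaware server, a server using a port outside the
# translated range, and a correctly configured one.
SAMPLES = {
    "private address and high port": "227 Entering Passive Mode (192,168,1,175,192,1)",
    "public address, port out of range": "227 Entering Passive Mode (212,159,0,1,7,209)",
    "public address, port in range": "227 Entering Passive Mode (212,159,0,1,4,100)",
}

if __name__ == "__main__":
    for label, reply in SAMPLES.items():
        print(label, "->", check_pasv(reply) or ["ok"])
```

Pointing `parse_pasv` at the reply of a real PASV command on your own server (a client such as FileZilla shows it in its log) tells you immediately whether the server is advertising its private address or a port the router does not translate.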
 

agermoses

Junior Member
Feb 28, 2014
15
0
0
This is where I get confused.
When you say open those ports... would that simply be a case of adding something like
permit tcp any host 212.159.***.*** gt 1024

Add that to ACL 101 which is in on my WAN link?
 

agermoses

Junior Member
Feb 28, 2014
15
0
0


OK, so using the FTP firewall manager I have set the range for data to be 1025 - 2000 and my firewall IP as the router, since I'm using an ACL, so that's 192.168.1.1.

I tried opening the ports with the command above but no luck. D:
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
I cannot browse to the ftp://212.159.***.*** address from my browser. I get a "Firefox can't establish a connection to the server at 212.159.***.***" message.

I also see matches on my access list... this access list is applied inbound on my dialer1 interface.

I know that within MS2008 IIS, which is managing my FTP server, I can go into the firewall settings, which look like this:


These fields require a port range > 1024, so if I enter a port range such as 1100 - 1105 here... and set the IP address of the firewall to be the IP of my router, 192.168.1.1...

then go and add statements like...
ip nat inside source static tcp 192.168.1.175 1100 212.159.***.*** 20 extendable
ip nat inside source static tcp 192.168.1.175 1105 212.159.***.*** 21

would that work?

Thanks for your help with this.

Try something like FileZilla and then post the FTP log. As mentioned, FTP is not NAT friendly and takes some config work. Using a real FTP client and not a web browser will help you find the issue.
 

agermoses

Junior Member
Feb 28, 2014
15
0
0
Status: Connecting to 212.175.***.***:21...
Error: Connection timed out
Error: Could not connect to server
 

Railgun

Golden Member
Mar 27, 2010
1,289
2
81
The log in the FW will tell you everything you want to know. You don't need the server side logs for that. With all the suggestions on the FW config, start there.

Also, I don't see the need to specify the NAT statements like that. That's what the ACL is for. Just my 2c, and unless a security team is dictating it, I'd skip it.
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
There is a lot to check. First, the router may not let you hairpin to the outside IP from inside. You often need to check from another connection. Connection timed out of course means port 21 is not working. Can you connect to the inside IP address successfully?
 

alkemyst

No Lifer
Feb 13, 2001
83,769
19
81
I'd take the FTP part out of the equation and just attempt a simple translation first. If that still fails then you know something is going on.

Also make sure your ISP is not blocking those ports.
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
Yeah, I can browse to 192.168.1.175:21 from a machine I have, .123

Have you verified that hairpinning is on? On the ASA you typically need a command set to allow data to come out a port it came in on, for example.
 