Question on FTP Server thru NAT on a cisco router

[usmc666]

I've never actually used nat all that much. I've got my cisco 2621 set up natting thru my cable modem, how do I forward FTP coming in from the outside to the private IP of my ftp server? I've checked CCO and havent' found much help.

Dan

 

[FFC]

Just set up a static translation for the inside box. If your cable modem provide is doing DHCP then you'll have to change it regularly otherwise it will just work. (Providing you don't block it with an access list).

 

[usmc666]

Okay thanks, i'll try this

 

[usmc666]

Okay i'm running into trouble here: is this right so far?

interface FastEthernet0/0
ip address dhcp
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.0.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip nat pool nat 66.56.196.6 66.56.196.6 netmask 255.255.255.0
ip nat inside source list 1 pool nat overload
ip classless
ip route 0.0.0.0 255.255.255.255 FastEthernet0/0
no ip http server
ip pim bidir-enable
!
access-list 1 permit 192.168.0.0 0.0.0.255

is the start of the command router(config)#ip nat inside
or is it outside...?

 

[Santa]

I am not an expert at configuring Cisco NAT Pools on a home cable setup but I would double check your IP NAT Pool entry. Since your cable modem will sit between your router and the provider line I don't think you will need to assign a pool or at least not that external IP pool.

I think you should be fine without assigning a pool at all unless you are given multiple static IPs from the Cable modem company. Without having static IPs I think Cisco NAT pools are hard to configure or at the very least I think FFC mentioned you have to reconfigure off and on.

Your configurations look fine to me though but I would just double check on your need for the NAT pool statment. If your requests to and from the outside network works without it I would just leave it out just in case you lose your IP lease.

I have/had a static pool setup at here but we had a block of static IPs that we worked with which is why we implemented to NAT pool.

LMK if I am incorrect in these assumptions.

 

[usmc666]

Well it works with it so I'm going to leave it for now. My real question is what do I have to do to direct FTP from the public IP to the private IP.

 

[me19562]

Try this:

ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.0.XXX 21 66.56.196.6 21 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.100
no ip http server
!
access-list 112 permit tcp any host 66.56.196.6 eq ftp


Good Luck

 

[me19562]

oops, try this one:

ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.0.XXX 21 66.56.196.6 21 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
no ip http server
!
access-list 112 permit tcp any host 66.56.196.6 eq ftp

 

[FFC]

me19562,

You show a source list 101 and don't include it and specicy aan access list 112 and don't apply it.

usmc666 you need the ip nat inside source static command to bind and inside to an outside address. Then just ftp to he outside address and the connection should be made.

Thats a strange looking static route you have there as well.

 

[me19562]

Ooops, sorry a little bit of hurry, check this one:

ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.0.XXX 21 66.56.196.6 21 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
no ip http server
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 112 permit tcp any host 66.56.196.6 eq ftp

 

[Damaged]

<< Thats a strange looking static route you have there as well. >>



I hate, absolutely HATE static routes to an interface instead of the next hop IP. Mostly because it's a pain in the ass if you ever have to move them to a different device. Plus I just find it harder to look at. Just mho though.

 

[usmc666]

Ip address is dhcp so the ip may change but the interface won't...now see why i used the interface?

 

[usmc666]

<< me19562,


Thats a strange looking static route you have there as well. >>



Why? I'm just pointing anypacket with an unknown dest to the interface the cable modem is set up on.

 

[me19562]

Yeah

 

[spidey07]

<< Why? I'm just pointing anypacket with an unknown dest to the interface the cable modem is set up on >>


Not really.

Adding a static route to an interface is considered VERY bad practice. The router has no real next hop address and conversely no layer2 address to send the frame to. it will simply arp and hope somebody proxies for the address. real messy. take a look at your arp table sometime. I bet you'll have a crap load of entries

I realize what you're trying to do, but Damaged has a very good point. Isn't there some way to get a gateway from DHCP?

 

[me19562]

thx for the tip, I'm gonna try to not use anymore that kind of routes. If he make a trace, he can get next hop router and then use
that ip for the static route?