Cisco Access Control List.

LukeAger
Grafter
Posts: 121
Thanks: 5
Registered: ‎15-02-2012

Hi, do we have any Cisco engineers on here?
I am having trouble with my ACL and, for the life of me, don't seem to be able to get it right.
I have an FTP server running on Server 2008, set up on 192.168.1.175/24.
I can browse from other devices inside the LAN to ftp://192.168.1.175, however I cannot access it externally from the WAN.
I have added the extended ACL 101, which "should" allow access to ports 21 and 20, but I still cannot get through to the FTP server. I have applied the ACL inbound on my Dialer 1 interface, which is connected to Plusnet.
Any thoughts?
dot11 syslog
!
dot11 ssid AGETNET_DOMAIN
 max-associations 15
 authentication open
 authentication key-management wpa
 guest-mode
 wpa-psk ascii 0
!
dot11 ssid AgerNet-Domain
 authentication open
 infrastructure-ssid
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool DSL_DHCP
 import all
 network 192.168.1.0 255.255.255.0
 dns-server 212.159.13.49 212.159.13.50
 default-router 192.168.1.1
!
ip name-server 212.159.13.49
ip name-server 212.159.13.50
!
archive
 log config
  hidekeys
!
bridge irb
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface FastEthernet0
 switchport access vlan 2
 speed 100
 pppoe enable group global
 pppoe-client dial-pool-number 10
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 description AGETNET_DOMAIN
 no ip address
 ip nat inside
 ip virtual-reassembly
 no dot11 extension aironet
 !
 encryption mode ciphers tkip
 !
 ssid AGETNET_DOMAIN
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description INTERNAL NETWORK
 no ip address
 ip virtual-reassembly
 bridge-group 1
!
interface Vlan2
 description WAN LINK
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 pppoe enable group global
 pppoe-client dial-pool-number 10
!
interface Dialer1
 ip address negotiated
 ip access-group 101 in
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 10
 ppp authentication chap callin
 ppp chap hostname
 ppp chap password 0
!
interface BVI1
 description $ES_LAN$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 FastEthernet0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static 192.168.1.175 interface Dialer1
!
ip access-list extended NAT
 permit ip 192.168.1.0 0.0.0.255 any
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit tcp any host link:csa removed eq ftp
access-list 101 permit tcp any host link:csa removed gt 1024
access-list 101 permit ip any any
snmp-server community public RO
snmp-server community private RW
!
bridge 1 protocol ieee
bridge 1 route ip
end

adie:green removed ip address
UD
Newbie
Posts: 2
Registered: ‎15-06-2014

Re: Cisco Access Control List.

NAT configuration isn't OK.
You have to point exactly to which IP the FTP traffic gets translated.
But the best way is to get 2x public IPs: one for your FTP server, the second for internet NAT.
Allow FTP port 20 too; this is for FTP data...
UD
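An added example (written by the editor, not configuration posted by anyone in this thread) showing one way to rewrite the NAT and ACL sections of the posted config so that only the FTP control channel is forwarded to the server and ACL 101 stops being a permit-all. It assumes the server stays at 192.168.1.175, that the Dialer1 address remains dynamic (ip address negotiated) as in the posted config, that the IOS image includes the firewall feature set so that ip inspect is available, and that the server is configured for a fixed passive port range of 50000-50001 (an assumed value; use whatever range the server is actually set to).

```cisco
! Added example, not from the thread. Replaces the two "ip nat inside source"
! lines and access-list 101 from the posted config.
!
! 1. The posted whole-host static mapping claims every port of the Dialer1
!    address and competes with the overload (PAT) statement for the same
!    address. Replace it with a per-port static entry for TCP/21 only.
no ip nat inside source static 192.168.1.175 interface Dialer1
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.175 21 interface Dialer1 21
!
! Passive-mode data ports. Only needed if the server advertises a fixed
! passive range; 50000-50001 is an assumed value, set it on the server too.
ip nat inside source static tcp 192.168.1.175 50000 interface Dialer1 50000
ip nat inside source static tcp 192.168.1.175 50001 interface Dialer1 50001
!
! 2. Rebuild ACL 101. Inbound on Dialer1 it is checked before NAT, so the
!    destination is the public (negotiated) address; match "any" rather than
!    a hard-coded host, which breaks as soon as the PPP address changes.
no access-list 101
access-list 101 remark FTP control channel to the forwarded server
access-list 101 permit tcp any any eq ftp
access-list 101 remark passive data ports (assumed range, see server config)
access-list 101 permit tcp any any range 50000 50001
access-list 101 remark everything else is dropped and logged
access-list 101 deny ip any any log
!
! 3. Let the router track LAN-originated sessions (CBAC) so their return
!    traffic is admitted dynamically instead of by "permit ip any any".
!    The ftp inspector also opens the data channel for outbound FTP.
ip inspect name WANFW tcp
ip inspect name WANFW udp
ip inspect name WANFW ftp
ip inspect name WANFW icmp
!
interface Dialer1
 ip access-group 101 in
 ip inspect WANFW out
```

With the explicit deny at the end, DNS replies from 212.159.13.49 and web traffic from the LAN only get back in because the inspection on Dialer1 adds temporary entries ahead of the deny; if the image lacks the firewall feature set, the alternative is explicit permit lines for each return flow, which is exactly what the original gt 1024 entry was trying to do. While testing from outside, show ip access-lists 101 (hit counts on the permit and the deny) and show ip nat translations (a static entry for 192.168.1.175:21) tell you whether the packet is being dropped by the ACL or never translated. Separately, the posted snmp-server community public RO and private RW lines sit behind a permit-all ACL on the WAN side; remove them or restrict them with an access list.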
dragon2611
Grafter
Posts: 283
Registered: ‎20-10-2013

Re: Cisco Access Control List.

Do you actually need to use FTP? If it's a Linux server you might be able to use something like SFTP (FTP over SSH) in its place, which would be easier to set up as well as more secure.