Saturday, March 17, 2012

FTP ACL Issue on a Cisco router


I highly recommend you read Understanding How FTP Works before going any further in this write-up; the ACL issue will then make sense.

I had a customer who was able to establish what people refer to as the command connection (port 21) and enter their username and password, but could not transfer files, which is the data connection (port 20) portion. The root cause was a misconfigured ACL.

Throughout this write-up we will use Diagram 1 and telnet connections to explain the concept, since telnet is TCP based just like FTP.

Diagram 1 (network diagram; image not reproduced here)

In Diagram 1, CORE_NJ_WAN_1 interface F0/0 has the following ACL applied inbound (IN):

CORE_NJ_WAN_1#show ip access-lists test
Extended IP access list test
    10 permit tcp any any established (207 matches)
    30 permit eigrp any any (4083 matches)
    40 permit icmp any any echo-reply (15 matches)
    50 permit icmp any any echo (60 matches)

Now pay close attention to seq #10. What does it mean? The established keyword matches only TCP segments that have the ACK or RST flag set, which is every segment of a connection except the initial SYN; the ACL keeps no connection state, it only checks those flag bits. In effect, any connection that is not initiated outbound first will not be allowed inbound, because the initial SYN falls through to the implicit deny at the end of the list. If you were to telnet from Dist_Data_Center_NJ to CORE_VA_WAN_1 it would NOT WORK because of seq #10.

If you try this in reverse, telnet from CORE_VA_WAN_1 to Dist_Data_Center_NJ, it works, because you initiated an outbound connection first and the return segments carry the ACK flag that seq #10 matches.

Now think about how FTP works. Would this allow an FTP connection to work properly for users connected to CORE_VA_WAN_1? No. It only allows the port 21 command connection, not the data portion, because in active-mode FTP the server initiates the data connection (from port 20) back toward the client behind CORE_VA_WAN_1, and that initial SYN has no ACK flag for seq #10 to match.

So how do you fix this? You will need to add an entry to your ACL that permits traffic from the IP address of your FTP server.

CORE_NJ_WAN_1#show ip access-lists test
Extended IP access list test
    10 permit tcp any any established (330 matches)
    30 permit eigrp any any (4716 matches)
    40 permit icmp any any echo-reply (20 matches)
    50 permit icmp any any echo (60 matches)
    60 permit tcp host X.X.X.X any (4 matches) <--------- X.X.X.X is whatever the IP address of your FTP server is. You can also get more granular and permit just ports 20 and 21; in our case this server does more than FTP, so the whole host is permitted.

Let's test this all out now.

Before the ACL change:

Dist_Data_Center_NJ#telnet 200.200.200.200 /source-interface loopback 100
Trying 200.200.200.200 ...
% Destination unreachable; gateway or host down

CORE_VA_WAN_1#telnet 100.100.100.100 /source-interface loopback 200
Trying 100.100.100.100 ... Open

After the ACL change:

Dist_Data_Center_NJ#telnet 200.200.200.200 /source-interface loopback 100
Trying 200.200.200.200 ... Open

CORE_VA_WAN_1#telnet 100.100.100.100 /source-interface loopback 200
Trying 100.100.100.100 ... Open
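To make the behaviour of seq #10 and seq #60 concrete, here is a small Python model (an added example, not code from the original post or from Cisco) that evaluates the "test" ACL above against constructed packets arriving inbound on F0/0. It implements the real semantics of the established keyword (a TCP segment matches only if ACK or RST is set) and the implicit deny, and it goes one step beyond the post by also modelling the more granular variant that permits only the server's data port 20. It assumes the permitted host X.X.X.X is 100.100.100.100, the loopback 100 address the telnet tests above use as source.

```python
from dataclasses import dataclass

# Stand-in for the post's X.X.X.X: assumed to be loopback 100 (the telnet test source).
FTP_SERVER = "100.100.100.100"
CLIENT = "200.200.200.200"  # loopback 200 on CORE_VA_WAN_1

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "icmp" or "eigrp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flag names, e.g. {"SYN", "ACK"}
    icmp_type: str = ""             # "echo" or "echo-reply"

def tcp_established(p):
    # IOS "established" is stateless: only segments with ACK or RST set match, never a first SYN.
    return p.proto == "tcp" and bool(p.flags & {"ACK", "RST"})

# ACL "test" from the post as (sequence, action, predicate); implicit deny last.
BASE = [
    (10, "permit", tcp_established),
    (30, "permit", lambda p: p.proto == "eigrp"),
    (40, "permit", lambda p: p.proto == "icmp" and p.icmp_type == "echo-reply"),
    (50, "permit", lambda p: p.proto == "icmp" and p.icmp_type == "echo"),
]
# seq 60 as the post added it: permit tcp host X.X.X.X any
FIXED = BASE + [(60, "permit", lambda p: p.proto == "tcp" and p.src == FTP_SERVER)]
# The more granular variant the post mentions: only the server's data port (20)
GRANULAR = BASE + [(60, "permit", lambda p: p.proto == "tcp"
                    and p.src == FTP_SERVER and p.sport == 20)]

def evaluate(acl, p):
    """First matching entry in sequence order wins; otherwise implicit deny."""
    for seq, action, match in sorted(acl, key=lambda e: e[0]):
        if match(p):
            return seq, action
    return None, "deny"

# Constructed packets arriving inbound on CORE_NJ_WAN_1 F0/0.
TELNET_SYN = Packet("tcp", FTP_SERVER, CLIENT, 11001, 23, frozenset({"SYN"}))
TELNET_SYNACK = Packet("tcp", FTP_SERVER, CLIENT, 23, 40001, frozenset({"SYN", "ACK"}))
FTP_DATA_SYN = Packet("tcp", FTP_SERVER, CLIENT, 20, 51234, frozenset({"SYN"}))

if __name__ == "__main__":
    for pkt in (TELNET_SYN, TELNET_SYNACK, FTP_DATA_SYN):
        print(evaluate(BASE, pkt), evaluate(FIXED, pkt), evaluate(GRANULAR, pkt))
```

The telnet SYN from NJ and the server's port 20 data SYN both hit the implicit deny under the original list and are permitted by seq 60 afterwards, while the SYN/ACK reply to a connection started from VA is permitted by seq 10 in every variant.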


How did I discover this was the issue? If you put up a sniffer, you will see FTP response codes that point you in the right direction. Check the following link, FTP Response Codes. In my case I was seeing a code of 425 Can't open data connection. I would love to put up the capture for reference, but it requires a lot of editing because the real IPs, usernames and passwords are displayed.
