FTP Port Forwarding

I am trying to open port 21 to allow my me to use my network attached storage on FTP. This worked fine before I moved to BT but I know I now need to set up DDNS - however before I do that I have to check the port is open.
I have found the TAB in the HUB manager that lets me do this and it has set the FTP option and recognised my storage unit as it is displaying the units MAC address.
However, when I check with an application such as http://canyouseeme.org/ it says that port 21 is not open and in trying it has timed out.
I can't really see what can be wrong - the BT HUB (brand new) says the port should be open, and the storage unit is powered and set up for FTP - the unit has been powered cycled and held its settings but obviously changed IP address, and still the port is not being reported as open.
Any suggestions would be welccome as I need this working very soon.
Thanks

Provided that you are NOT using a home hub 3, then you need to assign the FTP application to the address of the storage unit. This will allow port 21 to pass through the home hub firewall.
Protocol TCP
Start port address 21
End port address 21
map to local port 21
Trigger port (leave blank)
There should already be a suitable pre-defined under the "games and applications" section.
You will need to get a free DDNS account and host name from a suitable provider, like dyndns.org , and enter these details into the home hubs dynamic DNS settings.
If you are using a home hub 3, I believe that port forwarding is not working at the moment.
There are some useful help pages here, for BT Broadband customers only, on my personal website.
BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones.

Similar Messages

Time capsule ftp port forwarding

Hi.
Just got a new time capsule and have discovered that the connection speed to my ftp server is MUCH slower.
I've tried playing around with port forwarding but haven't managed to get it sorted out.
I did discover during my attempts that switching the TC over to bridge mode fixed everything. Didn't want that security setup though!
Current setup is modem (bridge mode) > ethernet > time capsule (wirelessly routing via nat-dhcp)
I'm not quite sure what i'm doing with the port forwarding settings...i've tried changing the dhcp mode to manual on my mac
i've also added various ports (21,22,80, 115) to the time capsules' port settings
according to http://www.yougetsignal.com the only open port is 21
any tips?? very grateful!

You need to look carefully at how ftp gets through NAT.. and if the ftp client can open ports itself .. which way are you going, out or in?
Is the client active or passive ftp? You think ftp is this simple protocol but there are variations and some handle NAT better than others.. it is also going to need specific ports opened higher up the range.
Some clients allow you to dictate the port and others open ports at random.
See the info here.
http://slacksite.com/other/ftp.html

AEBS/802.11n@7.3.1= no port forwarding on port 21 (FTP) but 7.2.1 does!

HI guys, this is of interest to those of you with firmware 7.3.1 on your  Airport Extreme Base Station 802.11n (AEBSn) that have been unsuccessful getting FTP port forwarding (port mapping) to work (that is with PORT 21 mainly.
After some frustrating days on weekend with issues with APXn and TC and this AEBSn, I have found that *_falling back to firmware 7.2.1 for the AEBSn allows the port forwarding for FTP (port 21) to work ok.*_
Note that at firmware 7.3.1, most uncommon ports are forwarded ok, For example Vuze random ports for BT incoming such as port 43434 or what ever you use are mapped ok at firmware 7.3.1.
However ports such as 20 and 21 (FTP) in ver7.3.1 are not forwarded at all. I don't know why.
So as a workaround for port forwarding, using AEBSn firmware ver7.2.1 works fine.
(use *airport utility/base station/upload firmware* while connected to the broadband and you get a list of available firmware for that airport device)
I have this working as the main router for ADSL on a 5Ghz 802.11n network with a time capsule (at firmware 7.3.1 ) and an airport express 802.11n (APXn) at firmware 7.3.1.
Please post if you have been able to get FTP port forwarding (port 21) aka port mapping working on an AEBSn at firmware 7.3.1.
I hope there is an update soon for the newer airports as they are not as reliable as the previous versions IMHO.
w

Hi,
I have the same problem. When I downgrade to 7.2.1 FTP and VPN works fine. But then I have a problem with stablility of the AEBS. I can not believe that Apple is not able to fix this problem. Have you guys any issues with stability problem running 7.2.1 I need a stable system as we running a kerio mailserver. Just in that moment I can not access the mail server as the internet is down again. Hope anybody has a solution for this.

Time Capsule Does Not Port Forward FTP Ports

Hey there,
I recently purchased a Time Capsule, and I found out that while it fixes the NAT-PMP bug found in my previous AirPort Extreme Base Station (Gigabit-N), it introduces a new problem which makes it refuse to forward port 21 properly.
It seems to me that the Time Capsule has some sort of FTP server built in, and is either enabled but closes connection on client connection, or disabled but still listens for client connection.
This message is what I get when I connect to my IP via FTP from the WAN side (FTP port forwarded to a local machine with an IP 10.0.0.8):
421 Service not available, remote server has closed connection.
When it is accessed from the LAN of course, I can connect to 10.0.0.8 with no problem. However, what is interesting is if I connect to the Time Capsule via FTP I get this as well:
421 Service not available, remote server has closed connection.
Thus, I am 100% certain that the FTP message I see when I connect from WAN is from the Time Capsule instead of the machine I port forwarded to.
Apple needs to fix this annoying problem and at the same time fixes some VPN issues I'm having with my Nortel VPN client (4.68). It was all working when I had the AirPort Extreme Base Station.

I am having a problem establishing an FTP session that is started with my FTP Client (CuteFTP) on my local network and attempting to connect to an FTP Server with one of my hosting providers. My first few attempts used FTPS (Secure FTP) as that is what I typically use when transferring FTP packets over the net. Well, this didn't work so I thought maybe the Time Capsule had a problem inspecting the encrypted packets so I switched to standard clear-text FTP just to see if the Time Capsule handles FTP session management functions correctly. This didn't work either. I'm using PASV FTP and have never had a problem before with my CISCO Router or with another consumer-based NAT router. I don't believe that the Server on the Internet gets the initial request on port 21 as I believe the Time Capsule is not allowing the packet to pass and my FTP Client spits back an error message : "Couldn't access FTP service " "Connection Failed". I have also used "Terminal" and initiated the ftp utility and attempted to connect to the same server and receive the following error message : "421 Service not available, remote server has closed connection.". I have attempted to put my computer in the DMZ by using the Default Host feature on the Time Capsule but that resulted in the same errors. I believe that I have tried most of the settings available on the Time Capsule to attempt to get this to work but no luck yet. If the packet is getting through to the server and the response back on the current ephemeral port is not getting through the Time Capsule I'm really hoping the solution is not having to port map all ephemeral ports as this is in the tens of thousands. Has anyone successfully established an FTP Session (Secure or Not) from your local client through the Time Capsule to a Server on the Internet. If so, could you help by providing any Time Capsule settings that were required for this to function properly....Thanks in Advance.
Note: I have attempted to ftp to several different public ftp servers on the Internet and get the same error results. I have no problems ftping to local serverson my local network.

How do I set up my Belkin router to forward ftp port to macMini?

I am trying to set up my spare macMini (non-intel) as an ftp server, but I am not able to connect to the ftp server (office) from a remote location with my MacBook Pro (home). I have tried to make the right settings as below:
1. forwarded ports 20 and 21 on my Belkin router to the private IP of my macMini (192.168.2.15)
2. set up a dynamic dns account xxx.dyndns.org so that this domain is updated with the current public IP
3. set Sharing Preferences to allow ftp access and turned off the Firewall
I think the port forwarding info is not correct because it does connect if I use the DMZ setting and hard code the public IP to the private IP.
Any help appreciated,
Cynthia

Are you sure that your Internet Service Provider (ISP) doesn't block the ftp ports?
Is is fairly common these days for ISPs not to allow any kind of file server on ordinary household contracts.
Anyway, I'd suggest you rule that out before you get further into the intricacies of port forwarding.
I also hope that you only have the firewall turned off for the ftp ports -- or if not, that your router has firewall protection.

EA6400: Port forward two Netgear ReadyNAS FTP servers

I have a new EA6400 router with the latest May 2014 firmware. I also have two Netgear ReadyNAS network attached storage devices that are set up as FTP servers. With my old Netgear WNDR3700 with DD-WRT firmware (after the last thunderstorm, may she rest in peace), I could easily set up both with port forwarding and access them outside of my LAN by setting up 4321 and 4311 as ports that translate to 21 and 21 to two different addresses on my network. I have them set up the same way in the EA6400, going into Single Port Forwarding and forwarding 4321 to 21 at 192.168.1.144 and 4311 to 21 at 192.168.1.143, but the EA6400 tells me that I can't use the same port (21). Why not? They're going to different addresses. (Oh I wish I could get DD-WRT on this router!) Is there a way to set up two FTPs on a local network and make them accessible through the EA6400 to an address on the internet?
I have also attempted to disable one of the port forwards and attempted to access the remaining FTP server and have had no success. I have successfully forwarded a port on the EA6400 to my security camera system so I can monitor my home from the internet, so I know the basics of how this is done. I just can't get single port forwarding to work with my NAS FTP servers.
Any ideas?

I switched the settings around and now the other ReadyNAS is coming up, but the one that used to come up no longer does. I also tried replacing the 10001 with 2121 on both EA6400 and on that particular ReadyNAS because it seemed to be a little more common a number for an alternate FTP port.
So now I have access to the one I couldn't access before and the one I could access before I can no longer access. Of course I can switch them back around again, but I'd like both to work.
Of course one could potentially put the blame on the ReadyNAS as possibly not being able to work FTP off any other protocol than 21 but I have to place blame on the EA6400 router firmware. This worked well under DD-WRT.
Anyone have any more ideas? I appreciate the help.

ASA 5505 how to create a port forwarding rule

ASA 5505 IOS ver 9.2.3
I need to create a firewall rule that will allow internal services to be accessed externally, but using port forwarding. For example I'd like to enable access to our NAS via ftp external on port 1545 and then have the ASA forward the request to the NAS internally on port 21.
I tried these commands but they didn't work:
object network NAS
host 192.168.2.8
nat (inside,outside) static interface service tcp 21 1545
access-list NASFTP-in permit tcp any object NAS eq 1545
conf t
int vlan 2
access-group NASFTP-in permit tcp any object NAS eq 1545
I really appreciate the help everyone.

try this, it worked for me, here is an example of adding a webserver with a ip of 10.10.50.60 and naming it with a object named www-server and forwarding port 80 , the way it works is you need to do three things, u need to "nat it" "foward it" and allow it in "acl"
object network obj-10.10.50.60-1
host 10.10.50.60
nat (inside,outside) static interface service tcp 80 80
object network INSIDE
nat (inside,outside) dynamic interface
object network WWW-SERVER
nat (inside,outside) static interface service tcp 80 80
access-list Outside_access_in extended permit tcp any object WWW-SERVER eq 80
access-group Outside_access_in in interface Outside

HELP!! asa 5505 8.4(5) problem with port forwarding-smtp

Hi I am having a big problem with port forwarding on my asa. I am trying to forward smtp through the asa to my mail server.
my mail server ip is 10.0.0.2 and my outside interface is 80.80.80.80 , the ASA is setup with pppoe (I get internet access no problem and that seems fine)
When I run a trace i get "(ACL-Drop) - flow is deied by configured rule"
below is my config file , any help would be appreciated
Result of the command: "show running-config"
: Saved
ASA Version 8.4(5)
hostname ciscoasa
domain-name domain.local
enable password mXa5sNUu4rCZ.t5y encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ISPDsl
ip address 80.80.80.80 255.255.255.255 pppoe setroute
ftp mode passive
dns server-group DefaultDNS
domain-name domain.local
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Server_SMTP
host 10.0.0.2
access-list outside_access_in extended permit tcp any object server_SMTP eq smtp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (inside,outside) dynamic interface
object network server_SMTP
nat (inside,outside) static interface service tcp smtp smtp
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname [email protected]
vpdn group ISP ppp authentication chap
vpdn username [email protected] password *****
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c5570d7ddffd46c528a76e515e65f366
: end

Hi Jennifer
I have removed that nat line as suggested but still no joy.
here is my current config
Result of the command: "show running-config"
: Saved
ASA Version 8.4(5)
hostname ciscoasa
domain-name domain.local
enable password mXa5sNUu4rCZ.t5y encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ISP
ip address 80.80.80.80 255.255.255.255 pppoe setroute
ftp mode passive
dns server-group DefaultDNS
domain-name domain.local
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Server_Mail
host 10.0.0.2
access-list outside_access_in extended permit tcp any object Server_Mail eq smtp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (inside,outside) dynamic interface
object network Server_Mail
nat (inside,outside) static interface service tcp smtp smtp
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname [email protected]
vpdn group ISP ppp authentication chap
vpdn username [email protected] password *****
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f3bd954d1f9499595aab4f9da8c15795
: end
also here is the packet trace
and my acl
Thanks

How to set up port forwarding on extreme with NAS

I've purchased a NAS (Synology DS211j with 2 caviar HD) over a month ago. Setting up the NAS for wireless connection locally was easy. I've been trying for 3 weeks on how to set-up port forwarding on my airport extreme base. I''ve researched and read countless threads on port forwarding and still cannot grasp the concept and the step by step provided. I need somebody that's patient enough to hand hold and guide me through this frustrating problem.
Equipment:
Comcast cable modem connected into Airport Extreme Base
Synology DS211j connected to Airport Extreme Base
Problem:
Cannot connect to my DiskStation via internet from wherever
confused whether to use FTP or Personal file sharing or whatever is the most suitable for my needs
Just need to access files on my DiskStation view/upload/download from wherever I'm at, whether on PC or Macbook Pro
Thanks in advance!
Marcus

Here are the basic steps to configure your NAS for port mapping:
AEBSn - Port Mapping Setup
To setup port mapping on an 802.11n AirPort Extreme Base Station (AEBSn), either connect to the AEBSn's wireless network or temporarily connect directly, using an Ethernet cable, to one of the LAN port of the AEBSn, and then use the AirPort Utility, in Manual Setup, to make these settings:
1. Reserve a DHCP-provided IP address for the host device.
AirPort Utility > Select the AEBSn > Manual Setup > Internet > DHCP tab
On the DHCP tab, click the "+" (Add) button to enter DHCP Reservations.
Description: <enter the desired description of the host device>
Reserve address by: MAC Address
Click Continue.
MAC Address: <enter the MAC (what Apple calls Ethernet ID if you are using wired or AirPort ID if wireless) hardware address of the host computer>
IPv4 Address: <enter the desired IP address>
Click Done.
2. Setup Port Mapping on the AEBSn.
AirPort Utility > Select the AEBSn > Manual Setup >Advanced > Port Mapping tab
Click the "+" (Add) button
Service: <choose the appropriate service from the Service pop-up menu>
Public UDP Port(s): <enter the appropriate UDP port values>
Public TCP Port(s): <enter the appropriate TCP port values>
Private IP Address: <enter the IP address of the host server>
Private UDP Port(s): <enter the same as Public UDP Ports or your choice>
Private TCP Port(s): <enter the same as Public TCP Ports or your choice>
Click "Continue"
(ref: "Well Known" TCP and UDP ports used by Apple software products)

Please Help - Only Some Port Forwards Working

Hi all,
I have the most annoying issue with a Cisco 887VA-K9 port forwarding. Some port work while other don’t and I just can’t see why, however I suspect it is a zone based firewall (ZBF) issue.
Port forwards on the follow ports all work fine:
External port 8021 to 192.168.4.253 on port 80 works
External port 8022 to 192.168.4.253 on port 8022 works
All the rest don’t. I also have SIP phones sitting outside the LAN which are unable to register through the internet with the PBX unit which is in the DMZ network 192.168.4..0
Any help would be great appreciated as this sending me mad. Fully running config below.
Louise ;-)
Building configuration...
Current configuration : 36870 bytes
! Last configuration change at 12:49:03 Magadan Fri Nov 8 2013 by cpadmin
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname QQQ_ADSL_Gateway
boot-start-marker
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 64000
enable secret 4 gim.lMOdQK/21R4Wu.QJfOMAv3CIkRyN.hbSTG5xAxE
aaa new-model
aaa authentication login local_authen local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec local_author local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
memory-size iomem 10
clock timezone Magadan 11 0
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-3471381936
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3471381936
revocation-check none
rsakeypair TP-self-signed-3471381936
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name [email protected]
revocation-check crl
crypto pki certificate chain TP-self-signed-3471381936
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33343731 33383139 3336301E 170D3132 30373132 31313332
34375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34373133
38313933 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100AB76 5F7EE03F 306F52A0 91E82E04 7A69528D 1839409C 55BCC55A 47F180A9
7B522E9B FBB96A32 715178FE B96B737E 788947A4 CF4791AA 15609E37 A3F66F07
AD1B8A34 A2877711 E33A613D 8E50AE40 A106DE9C B2B03B95 73392ADB 4BB51FAD
6F2D6F8D A90BA0B5 BD1A209C F54126A9 2E2FF5B7 85041B7E C72032C0 CECE7F79
51550203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 141713AB B7F927E5 50C242DF 9912C3B6 61D93313 80301D06
03551D0E 04160414 1713ABB7 F927E550 C242DF99 12C3B661 D9331380 300D0609
2A864886 F70D0101 05050003 81810099 8EBE5630 2E6734A8 4D2FD0A5 F09A98F8
9E49125F AECEF4BB E0DEBB3A 1A449E38 99B02114 7EC84845 B53C2F88 046B7290
AE44967A 8BE20F5E 9D4A1CFC E1F64FE8 59F51892 23B88B4E 3416808A 68E65660
644C7DA0 E3A7A525 14FE8E54 67C35F8E CF69EB40 34DFB13D EA302F66 102C822A
3D7107BA AA4E7273 1D43690E C4A5D4
                quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
no ip source-route
ip dhcp excluded-address 192.168.0.230 192.168.0.255
ip dhcp excluded-address 192.168.0.1 192.168.0.200
ip dhcp pool QQQ_LAN
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.254
dns-server 192.168.0.6 202.1.161.36
netbios-name-server 192.168.0.6
domain-name QQQ.Local
lease 3
ip cef
no ip bootp server
ip domain name QQQ.Local
ip name-server 192.168.0.6
ip name-server 202.1.161.37
ip name-server 202.1.161.36
ip inspect log drop-pkt
no ipv6 cef
parameter-map type inspect global
log dropped-packets enable
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
password encryption aes
license udi pid CISCO887VA-K9 sn FGL162321CT
object-group service MAIL-PORTS
description QQQ User Mail Restrictions
tcp eq smtp
tcp eq pop3
tcp eq 995
tcp eq 993
udp lt rip
udp lt domain
tcp eq telnet
udp lt ntp
udp lt tftp
tcp eq ftp
tcp eq domain
tcp eq 5900
tcp eq ftp-data
tcp eq 3389
tcp eq 20410
object-group network Network1
description QQQ Management Network
192.168.1.0 255.255.255.0
192.168.4.0 255.255.255.0
192.168.5.0 255.255.255.0
192.168.7.0 255.255.255.0
192.168.8.0 255.255.255.0
range 192.168.0.200 192.168.0.254
range 192.168.0.1 192.168.0.25
object-group network Network2
description QQQ User Network
192.168.2.0 255.255.255.0
192.168.3.0 255.255.255.0
192.168.6.0 255.255.255.0
range 192.168.0.26 192.168.0.199
object-group network QQQ.Local
description QQQ_Domain
192.168.0.0 255.255.255.0
192.168.1.0 255.255.255.0
192.168.2.0 255.255.255.0
192.168.3.0 255.255.255.0
192.168.4.0 255.255.255.0
192.168.5.0 255.255.255.0
192.168.6.0 255.255.255.0
192.168.8.0 255.255.255.0
192.168.7.0 255.255.255.0
192.168.10.0 255.255.255.0
10.1.0.0 255.255.0.0
object-group network QQQ_Management_Group
description QQQ I.T. Devices With UnRestricted Access
range 192.168.0.200 192.168.0.254
range 192.168.0.1 192.168.0.25
192.168.1.0 255.255.255.0
192.168.8.0 255.255.255.0
192.168.7.0 255.255.255.0
192.168.5.0 255.255.255.0
192.168.4.0 255.255.255.0
10.1.0.0 255.255.0.0
192.168.10.0 255.255.255.0
10.8.0.0 255.255.255.0
192.168.9.0 255.255.255.0
192.168.100.0 255.255.255.0
192.168.20.0 255.255.255.0
192.168.21.0 255.255.255.0
192.168.22.0 255.255.255.0
192.168.23.0 255.255.255.0
object-group network QQQ_User_Group
description QQQ I.T. Devices WIth Restricted Access
range 192.168.0.26 192.168.0.199
192.168.2.0 255.255.255.0
192.168.3.0 255.255.255.0
192.168.6.0 255.255.255.0
object-group service WEB
description QQQ User Web Restrictions
tcp eq www
tcp eq 443
tcp eq 8080
tcp eq 1863
tcp eq 5190
username cpadmin privilege 15 password 7 1406031A2C172527
username QQQVPN privilege 15 secret 4 Hk2tP2GgJ1xXtJUqIZr4gmNSgw6q1E.rvzWiYnDAZHU
controller VDSL 0
ip tcp synwait-time 10
no ip ftp passive
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 118
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
match access-group 121
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
match access-group 120
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
match access-group 122
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 117
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect gnutella match-any ccp-app-gnutella
match file-transfer
class-map type inspect match-any SDM_HTTP
match access-group name SDM_HTTP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-all sdm-cls-http
match access-group name dmz-traffic
match protocol http
class-map type inspect match-any Telnet
match protocol telnet
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any FIREWALL_EXCEPTIONS_CLASS
match access-group name FIREWALL_EXCEPTIONS_ACL
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any SDM_EASY_VPN_CTCP_SERVER_PT
match access-group 102
match access-group 103
match access-group 104
match access-group 105
match access-group 106
match access-group 107
match access-group 108
match access-group 109
match access-group 110
match access-group 111
match access-group 112
match access-group 113
match access-group 114
match access-group 115
class-map type inspect match-any SIP
match protocol sip
class-map type inspect pop3 match-any ccp-app-pop3
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect sip match-any ccp-cls-sip-pv-2
match protocol-violation
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match file-transfer
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-all ccp-cls-ccp-permit-1
match access-group name ETS1
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1
match access-group name ETS
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-2
match class-map Telnet
match access-group name Telnet
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect match-any ccp-dmz-protocols
match user-group qqq
match protocol icmp
match protocol http
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all sdm-cls-sip
match access-group name dmz-traffic
match protocol sip
class-map type inspect match-all ccp-dmz-traffic
match access-group name dmz-traffic
match class-map ccp-dmz-protocols
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match file-transfer
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect edonkey match-any ccp-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-1
match class-map SIP
match access-group name SIP
class-map type inspect fasttrack match-any ccp-app-fasttrack
match file-transfer
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
log
allow
class type inspect edonkey ccp-app-edonkeydownload
log
allow
class type inspect fasttrack ccp-app-fasttrack
log
allow
class type inspect gnutella ccp-app-gnutella
log
allow
class type inspect kazaa2 ccp-app-kazaa2
log
allow
policy-map type inspect PF_OUT_TO_IN
class type inspect FIREWALL_EXCEPTIONS_CLASS
pass
policy-map type inspect PF_IN_TO_OUT
class type inspect FIREWALL_EXCEPTIONS_CLASS
pass
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
reset
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
class type inspect ymsgr ccp-app-yahoo-otherservices
log
reset
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
reset
class type inspect http ccp-app-httpmethods
log
reset
class type inspect http ccp-http-allowparam
log
allow
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect ccp-inspect
class type inspect ccp-protocol-http
inspect
service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
inspect
service-policy p2p ccp-action-app-p2p
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class type inspect ccp-invalid-src
drop log
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
pass
class type inspect ccp-cls-ccp-permit-1
pass
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class type inspect SDM_EASY_VPN_CTCP_SERVER_PT
inspect
class class-default
drop
policy-map type inspect sip ccp-app-sip-2
class type inspect sip ccp-cls-sip-pv-2
allow
policy-map type inspect ccp-permit-dmzservice
class type inspect ccp-cls-ccp-permit-dmzservice-1
pass
class type inspect ccp-dmz-traffic
inspect
class type inspect sdm-cls-http
inspect
service-policy http ccp-action-app-http
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-2
inspect
class type inspect sdm-cls-VPNOutsideToInside-3
pass
class class-default
pass
policy-map type inspect ccp-pol-outToIn
class type inspect ccp-cls-ccp-pol-outToIn-1
pass
class type inspect ccp-cls-ccp-pol-outToIn-2
pass
class type inspect CCP_PPTP
pass
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-2
inspect
class type inspect sdm-cls-VPNOutsideToInside-3
pass
class type inspect sdm-cls-VPNOutsideToInside-4
inspect
class class-default
drop log
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class type inspect sdm-cls-VPNOutsideToInside-2
inspect
class type inspect sdm-cls-VPNOutsideToInside-3
pass
class type inspect sdm-cls-VPNOutsideToInside-4
inspect
class class-default
drop log
zone security dmz-zone
zone security in-zone
zone security out-zone
zone security ezvpn-zone
zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-in-dmz source in-zone destination dmz-zone
service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security dmz-to-in source dmz-zone destination in-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-in-ezvpn2 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-in-ezvpn1 source dmz-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in2 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination dmz-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in3 source ezvpn-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
crypto ctcp port 10000 1723 6299
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2
crypto isakmp key 6 PbKM_WfaCM[hYNXAFOUgCNgCB_ZdJEAAB address 220.245.109.219
crypto isakmp key 6 NddQRR[O^KY`GRDC[VZUEPE`CSJ^CDAAB address 0.0.0.0 0.0.0.0
crypto isakmp client configuration group QQQ
key 6 UWVBhb`Lgc_AZbDYWDFZiGZTTadNYTAAB
dns 192.168.0.6 202.1.161.36
wins 192.168.0.6
domain QQQ.Local
pool SDM_POOL_1
include-local-lan
max-users 20
max-logins 1
netmask 255.255.255.0
banner ^CCWelcome to QQQ VPN!!!!1                 ^C
crypto isakmp profile ciscocp-ike-profile-1
   match identity group QQQ
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address initiate
   client configuration address respond
   keepalive 10 retry 2
   virtual-template 1
crypto ipsec transform-set ESP_AES_SHA esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 43200
set transform-set ESP_AES_SHA
set isakmp-profile ciscocp-ike-profile-1
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to220.245.109.219
set peer 220.245.109.219
set transform-set ESP-3DES-SHA
match address 119
interface Loopback0
description QQQ_VPN
ip address 192.168.9.254 255.255.255.0
interface Null0
no ip unreachables
interface Ethernet0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
no fair-queue
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
interface ATM0.1 point-to-point
description Telekom_ADSL
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
zone-member security out-zone
pvc 8/35
pppoe-client dial-pool-number 1
interface FastEthernet0
description QQQ_LAN-VLAN_1
switchport access vlan 1
no ip address
interface FastEthernet1
description QQQ_LAN-VLAN_1
no ip address
interface FastEthernet2
description QQQ_WAN-VLAN_2
switchport access vlan 2
no ip address
interface FastEthernet3
description QQQ_DMZ-IP_PBX-VLAN_3
switchport access vlan 3
no ip address
interface Virtual-Template1 type tunnel
description QQQ_Easy_VPN
ip unnumbered Loopback0
ip nat inside
ip virtual-reassembly in
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
description QQQ_LAN-VLAN1$FW_INSIDE$
ip address 192.168.0.254 255.255.255.0
ip access-group QQQ_ACL in
ip mask-reply
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1412
interface Vlan2
description QQQ_WAN-VLAN2$FW_INSIDE$
ip address 192.168.5.254 255.255.255.0
ip access-group QQQ_ACL in
ip mask-reply
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1412
interface Vlan3
description QQQ_IP-PBX_WAN-VLAN3
ip address 192.168.4.254 255.255.255.0
ip mask-reply
ip nat inside
ip virtual-reassembly in
zone-member security dmz-zone
interface Vlan4
description VLAN4 - 192.168.20.xxx (Spare)
ip address 192.168.20.253 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
interface Dialer0
description ATM Dialer
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
no cdp enable
interface Dialer2
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxxxxxxxxxxxxxxxx
ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxxxxx
ppp pap sent-username xxxxxxxxxx0 password 7 xxxxxxxxxxxxxxxxxxxxx
no cdp enable
crypto map SDM_CMAP_1
router rip
version 2
redistribute static
passive-interface ATM0
passive-interface ATM0.1
passive-interface Dialer0
passive-interface Dialer2
passive-interface Ethernet0
passive-interface Loopback0
network 10.0.0.0
network 192.168.0.0
network 192.168.1.0
network 192.168.2.0
network 192.168.3.0
network 192.168.4.0
network 192.168.5.0
network 192.168.6.0
network 192.168.7.0
network 192.168.8.0
network 192.168.10.0
network 192.168.100.0
ip local pool SDM_POOL_1 192.168.5.100 192.168.5.200
ip forward-protocol nd
ip http server
ip http access-class 5
ip http authentication local
ip http secure-server
ip nat pool NAT_IP 192.168.0.210 192.168.0.235 netmask 255.255.255.0
ip nat inside source static tcp 192.168.4.253 5060 interface Dialer2 5060
ip nat inside source static tcp 192.168.0.240 20408 interface Dialer2 6208
ip nat inside source static tcp 192.168.0.240 20409 interface Dialer2 6209
ip nat inside source static tcp 192.168.0.240 20410 interface Dialer2 6200
ip nat inside source static tcp 192.168.1.240 20408 interface Dialer2 6218
ip nat inside source static tcp 192.168.1.240 20409 interface Dialer2 6219
ip nat inside source static tcp 192.168.1.240 20410 interface Dialer2 6210
ip nat inside source static tcp 192.168.7.240 20408 interface Dialer2 6278
ip nat inside source static tcp 192.168.7.240 20409 interface Dialer2 6279
ip nat inside source static tcp 192.168.7.240 20410 interface Dialer2 6270
ip nat inside source static tcp 192.168.8.240 20408 interface Dialer2 6288
ip nat inside source static tcp 192.168.8.240 20409 interface Dialer2 6289
ip nat inside source static tcp 192.168.8.240 20410 interface Dialer2 6280
ip nat inside source static tcp 192.168.0.6 1723 interface Dialer2 1723
ip nat inside source static tcp 192.168.0.6 3389 interface Dialer2 6389
ip nat inside source static tcp 192.168.0.24 3389 interface Dialer2 6390
ip nat inside source static tcp 192.168.4.253 8022 interface Dialer2 8022
ip nat inside source static tcp 192.168.4.253 80 interface Dialer2 8021
ip nat inside source static tcp 192.168.0.254 23 interface Dialer2 8023
ip nat inside source static tcp 192.168.0.6 443 interface Dialer2 443
ip nat inside source route-map SDM_RMAP_1 interface Dialer2 overload
ip default-network 192.168.0.0
ip default-network 192.168.4.0
ip route 0.0.0.0 0.0.0.0 Dialer2 permanent
ip route 10.1.0.0 255.255.0.0 Vlan2 permanent
ip route 10.8.0.0 255.255.255.0 Vlan2 permanent
ip route 192.168.0.0 255.255.255.0 Vlan1 permanent
ip route 192.168.4.0 255.255.255.0 Vlan3 permanent
ip route 192.168.5.0 255.255.255.0 Vlan2 permanent
ip route 192.168.100.0 255.255.255.0 Dialer2 permanent
ip access-list extended ACCESS_FROM_INSIDE
permit ip object-group QQQ_Management_Group any
permit tcp object-group QQQ_User_Group any eq smtp pop3
permit tcp object-group QQQ_User_Group any eq 993 995
permit tcp 192.168.0.0 0.0.0.255 any eq smtp pop3
permit tcp 192.168.0.0 0.0.0.255 any eq 993 995
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.4.0 0.0.0.255 any
permit ip 192.168.5.0 0.0.0.255 any
permit ip 192.168.7.0 0.0.0.255 any
permit ip 192.168.8.0 0.0.0.255 any
permit tcp 192.168.2.0 0.0.0.255 any eq www 443 8080 domain
permit tcp 192.168.2.0 0.0.0.255 any eq www 443 8080 domain time-range QQQ_Control
permit tcp 192.168.3.0 0.0.0.255 any eq www 443 8080 domain time-range QQQ_Control
permit tcp 192.168.4.0 0.0.0.255 any eq www 443 8080 domain time-range QQQ_Control
permit udp 192.168.2.0 0.0.0.255 any eq domain time-range QQQ_Control
permit udp 192.168.3.0 0.0.0.255 any eq domain time-range QQQ_Control
permit udp 192.168.4.0 0.0.0.255 any eq domain time-range QQQ_Control
ip access-list extended ETS
remark CCP_ACL Category=128
permit ip host 203.219.237.252 any
ip access-list extended ETS1
remark CCP_ACL Category=128
permit ip host 203.219.237.252 any
ip access-list extended FIREWALL_EXCEPTIONS_ACL
permit tcp any host 192.168.0.100 eq 25565
permit tcp any eq 25565 host 192.168.0.100
ip access-list extended QQQ_ACL
permit ip any host 192.168.4.253
permit udp any any eq bootps bootpc
permit ip any 192.168.4.0 0.0.0.255
permit ip host 203.219.237.252 any
remark QQQ Internet Control List
remark CCP_ACL Category=17
remark Auto generated by CCP for NTP (123) 203.12.160.2
permit udp host 203.12.160.2 eq ntp any eq ntp
remark AD Services
permit udp host 192.168.0.6 eq domain any
remark Unrestricted Access
permit ip object-group QQQ_Management_Group any
remark Restricted Users
permit object-group MAIL-PORTS object-group QQQ_User_Group any
permit ip 192.168.0.0 0.0.0.255 any time-range QQQ_Control
permit ip 192.168.2.0 0.0.0.255 any time-range QQQ_Control
permit ip 192.168.3.0 0.0.0.255 any time-range QQQ_Control
permit ip 192.168.6.0 0.0.0.255 any time-range QQQ_Control
remark ICMP Full Access
permit icmp object-group QQQ_User_Group any
permit tcp 192.168.2.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control
permit tcp 192.168.3.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control
permit tcp 192.168.6.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control
permit udp 192.168.6.0 0.0.0.255 eq 80 443 8080 5190 1863 any time-range QQQ_Control
permit tcp 192.168.0.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control
permit udp 192.168.0.0 0.0.0.255 eq 80 443 8080 5190 1863 any time-range QQQ_Control
permit udp 192.168.2.0 0.0.0.255 eq 80 443 8080 5190 1863 any time-range QQQ_Control
permit udp 192.168.3.0 0.0.0.255 eq 80 443 8080 5190 1863 any time-range QQQ_Control
ip access-list extended QQQ_NAT
remark CCP_ACL Category=18
remark IPSec Rule
deny   ip 192.168.0.0 0.0.255.255 192.168.100.0 0.0.0.255
permit ip any any
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SDM_HTTP
remark CCP_ACL Category=0
permit tcp any any eq telnet
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=0
permit tcp any any eq 443
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
ip access-list extended SIP
remark CCP_ACL Category=128
permit ip any 192.168.4.0 0.0.0.255
ip access-list extended Telnet
remark CCP_ACL Category=128
permit ip any any
ip access-list extended dmz-traffic
remark CCP_ACL Category=1
permit ip any 192.168.4.0 0.0.0.255
access-list 1 remark CCP_ACL Category=2
access-list 1 remark QQQ_DMZ
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 remark QQQ_LAN
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 3 remark QQQ Insid NAT
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 192.168.0.0 0.0.0.255
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 3 permit 192.168.2.0 0.0.0.255
access-list 3 permit 192.168.3.0 0.0.0.255
access-list 3 permit 192.168.4.0 0.0.0.255
access-list 3 permit 192.168.5.0 0.0.0.255
access-list 3 permit 192.168.6.0 0.0.0.255
access-list 3 permit 192.168.7.0 0.0.0.255
access-list 3 permit 192.168.8.0 0.0.0.255
access-list 3 permit 192.168.9.0 0.0.0.255
access-list 3 permit 192.168.10.0 0.0.0.255
access-list 4 remark QQQ_NAT
access-list 4 remark CCP_ACL Category=2
access-list 4 permit 10.1.0.0 0.0.255.255
access-list 4 permit 10.8.0.0 0.0.0.255
access-list 4 permit 192.168.0.0 0.0.0.255
access-list 4 permit 192.168.1.0 0.0.0.255
access-list 4 permit 192.168.2.0 0.0.0.255
access-list 4 permit 192.168.3.0 0.0.0.255
access-list 4 permit 192.168.4.0 0.0.0.255
access-list 4 permit 192.168.5.0 0.0.0.255
access-list 4 permit 192.168.6.0 0.0.0.255
access-list 4 permit 192.168.7.0 0.0.0.255
access-list 4 permit 192.168.8.0 0.0.0.255
access-list 4 permit 192.168.9.0 0.0.0.255
access-list 4 permit 192.168.10.0 0.0.0.255
access-list 5 remark HTTP Access-class list
access-list 5 remark CCP_ACL Category=1
access-list 5 permit 192.168.4.0 0.0.0.255
access-list 5 permit 192.168.0.0 0.0.0.255
access-list 5 deny   any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip host 255.255.255.255 any
access-list 101 remark QQQ_Extended_ACL
access-list 101 remark CCP_ACL Category=1
access-list 101 permit tcp any host 192.168.0.254 eq 10000
access-list 101 permit udp any host 192.168.0.254 eq non500-isakmp
access-list 101 permit udp any host 192.168.0.254 eq isakmp
access-list 101 permit esp any host 192.168.0.254
access-list 101 permit ahp any host 192.168.0.254
access-list 101 remark Auto generated by CCP for NTP (123) 203.12.160.2
access-list 101 permit udp host 203.12.160.2 eq ntp host 192.168.4.254 eq ntp
access-list 101 permit udp host 192.168.0.6 eq domain any
access-list 101 remark NTP (123) 203.12.160.2
access-list 101 permit udp host 203.12.160.2 eq ntp any eq ntp
access-list 101 remark QQQ_ANY_Any
access-list 101 permit ip object-group QQQ.Local any
access-list 101 remark QQQ_DMZ
access-list 101 permit ip any 192.168.4.0 0.0.0.255
access-list 101 remark QQQ_GRE
access-list 101 permit gre any any
access-list 101 remark QQQ_Ping
access-list 101 permit icmp any any
access-list 102 remark CCP_ACL Category=1
access-list 102 permit tcp any any eq 10000
access-list 103 permit tcp any 192.168.0.0 0.0.0.255 eq 443
access-list 103 remark CCP_ACL Category=1
access-list 103 permit tcp any any eq 10000
access-list 103 permit tcp any 192.168.4.0 0.0.0.255 eq 8022
access-list 103 permit tcp any 192.168.4.0 0.0.0.255 eq telnet
access-list 103 permit tcp any 192.168.4.0 0.0.0.255 eq www
access-list 103 permit tcp any 192.168.4.0 0.0.0.255 eq 5060
access-list 103 permit tcp any eq telnet host 192.168.0.254
access-list 103 permit tcp any 192.168.0.0 0.0.0.255 eq telnet
access-list 103 permit udp any 192.168.4.0 0.0.0.255 eq 5060
access-list 103 permit udp any 192.168.4.0 0.0.0.255 range 10001 12000
access-list 104 remark CCP_ACL Category=1
access-list 104 permit tcp any any eq 10000
access-list 105 remark CCP_ACL Category=1
access-list 105 permit tcp any any eq 10000
access-list 106 remark CCP_ACL Category=1
access-list 106 permit tcp any any eq 10000
access-list 107 remark CCP_ACL Category=1
access-list 107 permit tcp any any eq 10000
access-list 108 remark CCP_ACL Category=1
access-list 108 permit tcp any any eq 10000
access-list 109 remark CCP_ACL Category=1
access-list 109 permit tcp any any eq 10000
access-list 110 remark CCP_ACL Category=1
access-list 110 permit tcp any any eq 10000
access-list 111 remark CCP_ACL Category=1
access-list 111 permit tcp any any eq 10000
access-list 112 remark CCP_ACL Category=1
access-list 112 permit tcp any any eq 10000
access-list 113 remark CCP_ACL Category=1
access-list 113 permit tcp any any eq 10000
access-list 114 remark CCP_ACL Category=1
access-list 114 permit tcp any any eq 10000
access-list 115 remark CCP_ACL Category=1
access-list 115 permit tcp any any eq 10000
access-list 116 remark CCP_ACL Category=4
access-list 116 remark IPSec Rule
access-list 116 permit ip 192.168.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 117 remark CCP_ACL Category=128
access-list 117 permit ip any any
access-list 117 permit ip host 220.245.109.219 any
access-list 118 remark CCP_ACL Category=0
access-list 118 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 119 remark CCP_ACL Category=4
access-list 119 remark IPSec Rule
access-list 119 permit ip 192.168.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 120 remark CCP_ACL Category=0
access-list 120 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 121 remark CCP_ACL Category=0
access-list 121 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 122 remark CCP_ACL Category=0
access-list 122 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.255.255
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
match ip address QQQ_NAT
banner login ^CCWelcome to QQQ ADSL Gateway

It turns out the problem had nothing to do with wires or splitters. The Verizon tech was at my house yesterday and the ONT was failing. He replaced part of the ONT and it fixed the problem (finally!). At least I was able to watch the Celtics game last night.
I have a Tellabs ONT. Not sure the model but it's older like the ones in this thread.
http://www.dslreports.com/forum/r19982000-Mounting-board-for-612-ONT

Time Capsule disconnects internet when using web server through port forwarding

My current config is: 2TB Time Capsule running 7.6.3, Mac Pro running Lion (10.7.5), MacBook Pro running Mountain Lion (10.8.3), and a couple of MacBook Pro Retinas running Mountain Lion. My current ISP is Comcast.
I have the Time Capsule set up to port forward port 80 to the Mac Pro for the purpose of running a web server. Most of the traffic is shuttling fairly large m4v files back and forth to work (work product from video editing work). I can reach the webserver on the Mac Pro just fine from the outside world, and can list files in the directory just fine. When I initiate a download (via right click on a link, "Save As..." or whatever), the Time Capsule reports that the Internet has been disconnected, and all machines inside my network lose access to the outside world. I have to either power cycle the Time Capsule, or disconnect/reconnect the Cat-6 cable between the cable modem and the Time Capsule to re-establish the connection. Interestingly, the download continues and completes on the other end without issue (so, the connection is actually still there!).
Before switching to Comcast, I was on AT&T Uverse - Uverse includes a router, so I had the TIme Capsule set up in Bridge Mode. That worked fine. I also have an older 500GB 1st generation Time Capsule. I set it up with the same config as my 2TB TC, and it shows the exact same behavior - internet disconnects upon initiating a file download through a forwarded port. I then hooked the Mac Pro up directly to the cable modem. I can initiate a download without issue, and I continue to stay connected to the Internet without problem. Called Comcast anyway - they report no errors on the line, but reset the whole device chain anyway. No change in behaviors.
I tried downgrading the Time Capsule software to 7.6.2 (the earliest version that came on it). No dice, same behavior.
So... I called Apple. Complete and utter FAIL. Apple Support reports that they have no training in the port forwarding features of the Time Capule or Airport products, and cannot help me resolve the issue because of that. So, I have a $300 router that apparently cannot perform a simple routing function (download through a forwarded port), that I cannot troubleshoot (because Airport software v7 is an epic fail in that regard), made by a company who cannot support it - and everything this $300 device is doing can be done by a $50 device with a $100 external hard drive?
Do I understand this situation correctly? What have I missed in trying to troubleshoot this thing?

Apple Support reports that they have no training in the port forwarding features of the Time Capule or Airport products, and cannot help me resolve the issue because of that. So, I have a $300 router that apparently cannot perform a simple routing function (download through a forwarded port), that I cannot troubleshoot (because Airport software v7 is an epic fail in that regard), made by a company who cannot support it - and everything this $300 device is doing can be done by a $50 device with a $100 external hard drive?
Do I understand this situation correctly? What have I missed in trying to troubleshoot this thing?
Excellent summary.. I think you have covered all the salient points most thoroughly.
Port forwarding on the TC I would put into the category of "epic fail"
I have a nasty feeling it just doesn't work in many cases. Clearly from your situation the port is forwarded correctly.. it is the actual download that is causing the device to crash.. which is probably not the port forwarding itself that is at fault but rather the external link and opening another port for the download to happen.
Many of the issues were caused by using icloud and btmm.. which would work a lot better btw. Although the hassle there is needing to offer that as a service to any Tom Dick or Harry.
Let me suggest a work around or other things to try.
I also have an older 500GB 1st generation Time Capsule. I set it up with the same config as my 2TB TC, and it shows the exact same behavior - internet disconnects upon initiating a file download through a forwarded port.
Use 5.6 utility.. more info below. And take the firmware of this unit (Gen1) back to 7.5.2 (before icloud mess ups in 7.6).
You can go back to 7.5 firmware also in Gen4 TC if it is more than about 14months old.. Simply hold down the option key when you select firmware and the old versions will show up. If your TC came with 7.6.1 (the 7.6.2 was withdrawn as it was even bigger failure than 7.6.3). then you cannot go back.
You might also find downloading via http is not as reliable as using FTP.. FTP is a better and more efficient protocol. It should be no problem to setup ftp server on the mac pro to allow download via ftp even with a browser.
But in the end.. your $50 router suggestion.. well perhaps a little more than that.. $80-100 will work very well.. also this router can be setup with a Hard Disk and offer the files to the internet via FTP.. without needing full network access to your internal network.
How to load 5.6 into ML.
1. Download 5.6 for Lion.
http://support.apple.com/kb/DL1482
Click to open the dmg but do not attempt to install the pkg.. it won't work anyway.
2. Download and install unpkg.
http://www.timdoug.com/unpkg/
Run unpkg on the desktop.. it is very simple.. drag the AirPortUtility56.pkg file over to unpkg.. and it will create a new directory of the same name on the desktop.. drill down.. applications utilities .. there lo and behold is Airport utility 5.6 .. drag it to your main utilities directory or just run it from current location.
You cannot uninstall 6.1 (now 6.2 if you updated) so don't try.. and you cannot or should not run them both at the same time.. so just ignore the toyland version.. the plastic hammer.. and start using 5.6.. a real tool.
For screen shots see this post.
https://discussions.apple.com/thread/4668746?tstart=0

How to IPsec site to site vpn port forwarding to remote site?

Hi All,
The scenario where a Site to Site VPN tunnel has been established between Site A and Site B. Lan on Site A can ping Lan on Site B. My problem is a Printer behind Site B needs to be accessed by using the WAN IP address of Site A. Also i could not ping the remote lan or printer from the router.
Below are my configure on the Cisco 877 in site A. Would you please advise the solution for that?
Building configuration...
Current configuration : 5425 bytes
! Last configuration change at 15:09:21 PCTime Fri Jun 15 2012 by admin01
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Laverton
boot-start-marker
boot-end-marker
logging message-counter syslog
no logging buffered
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
clock timezone PCTime 10
crypto pki trustpoint TP-self-signed-1119949081
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1119949081
revocation-check none
rsakeypair TP-self-signed-1119949081
crypto pki certificate chain TP-self-signed-1119949081
certificate self-signed 01
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
69666963 6174652D 31313139 39343930 3831301E 170D3132 30363135 30343032
30385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31313939
            quit
dot11 syslog
ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp pool DHCP_LAN
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 61.9.134.49
   lease infinite
ip cef
no ipv6 cef
multilink bundle-name authenticated
object-group network VPN
description ---Port Forward to vpn Turnnel---
host 192.168.2.99
username admin01 privilege 15 secret 5 $1$6pJE$ngWtGp051xpSXLAizsX6B.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key mypasswordkey address 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
match address 100
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
archive
log config
hidekeys
no ip ftp passive
interface ATM0
description ---Telstra ADSL---
no ip address
no atm ilmi-keepalive
pvc 8/35
tx-ring-limit 3
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
dsl operating-mode auto
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
switchport access vlan 10
shutdown
interface FastEthernet3
interface Vlan1
description ---Ethernet LAN---
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1420
interface Vlan10
ip dhcp relay information trusted
ip dhcp relay information check-reply none
no ip dhcp client request tftp-server-address
no ip dhcp client request netbios-nameserver
no ip dhcp client request vendor-specific
no ip dhcp client request static-route
ip address dhcp
ip nat outside
ip virtual-reassembly
interface Dialer0
description ---ADSL Detail---
ip address negotiated
ip mtu 1460
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1420
dialer pool 1
dialer-group 1
ppp chap hostname [email protected]
ppp chap password 0 mypassword
crypto map SDM_CMAP_1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source static tcp 192.168.2.99 80 interface Dialer0 8000
ip nat inside source static tcp 192.168.2.99 9100 interface Dialer0 9100
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload
ip access-list extended NAT
remark CCP_ACL Category=16
remark IPSec Rule
deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
match ip address NAT
route-map SDM_RMAP_2 permit 1
match ip address 101
control-plane
line con 0
no modem enable
line aux 0
line vty 0 4
transport input telnet ssh
scheduler max-task-time 5000
end
Your help would be very appreciated!
PS: I know it is easier if i config Site A as the VPN server but in out scenario, we need to access printer from internet over static WAN IP of site A.
Thanks,
Thai

Is there anyone can help please?

Not enough port fields in port forwarding for Linksys E4200

I have always used netgear routers in the past. After a series of issues regarding configurations not working correctly I invested in what appeared to be a semi pro router, the cisco linksys e4200.
I have a centralized server which I use to access a mass of different services such as mail, dns, VPN, FTP, Kerberos, http and many more. While I am not a massive networking nerd, this server setup is like my garage project. To access these services externally to my LAN as far as I understand I would need to configure port forwarding for each service to my server. Unfortunately the control panel for the linksys E4200 only offers about 15 custom port fields for forwarding, and some documentation I have read shows that with it's basic install my server could be using up to 60 ports at once.
Is this router just not suitable for this sort of network. If so I will be very disappointed because I have spent a quarter of the price on netgear routers with more control than this.
If anybody could assist with details and options I would greatly appreciate it

Wrong forum, use "small business routers".

Port Forwarding Twice?

(Also posted in Airport discussions)
I have previously used port forwarding via an AEn to access my Mac Pro while away. I have now installed a Mac mini Server and continue to use the Mac Pro as a client. Port forwarding now directs all incoming requests to the server for e-mail, file sharing, and web services, which I wish to continue. However, I'd also like to continue to access the other box, where I have telephony software installed requiring access to a phone jack (and the Mac mini is in a closet...). Is there a way to to access both the Mac mini Server and the Mac Pro? Thanks.
C.

Hi Charles
Here's how I do it.
First I do not "Port Forward" to my server. I use NAT which sends all default traffic to the server.
I use Port Forwarding to route to other machines.
The internal IP of my server is 10.0.1.253, and I believe that is the default NAT setting on a AE
If you went to www.mydomain.com you would hit my Xserver's web services
If you went to www.mydomain.com:81 you would be directed to the web services on my MacPro.
In Port Mapping I used port 81 as the Public Port, the internal IP of my MacPro of 10.0.1.200, and of course use a private port of 80.
As an example, for one machine I use Public Port 547 for AFP, 5901 for VNC, and 27 for FTP.
Well known" TCP and UDP ports used by Apple software products

Can't open FTP ports in Airport Extreme router

Hi,
I have three computers networked at home with an Airport Extreme serving as a router to the internet. A couple days ago I set up an FTP server on one computer (Ubuntu Linux). It is running properly and I CAN get into the FTP server via the local area IP address (10.0.1.101). However, no matter what I do I can't get the Airport Extreme to forward any FTP connections from outside. I have port forwarding set up correctly and working correctly for echo (7), daytime (13) ssh (22) http (80) nfs (2049) and vnc (5900). However, even though I set ports 20,21 to be forwarded to the correct computer nmap they are NOT open. (nmap doesn't see them, and telnet to ports 20 or 21 is refused. However nmap on the server locally (ie as localhost) shows that these ports ARE open on the server, and ftpd IS running.) Neither of my mac laptops has ftp file sharing turned on in the preferences (not like this should matter anyway). The Airport Extreme just plain does not open or forward anything to ports 20-21.
I also tried putting the FTP server on a different port (2121), but this doesn't work either. Is this just Apple playing nanny and not allowing me to run FTP for my own good? I have been troubleshooting this for two days and no closer to a solution. I hope someone can offer some advice.
Craig

I believe that I've found the problem with the AirPort/Time Capsule (version 7.3.1) support for FTP.
For whatever reason, when an FTP connection comes-in from the WAN, the NAT translation is reporting the IP address of WAN side of the router instead of the IP address of the actual system connecting from the Internet.
I confirmed this by setting up a FTP server on my Linux machine and watching the connection to the FTP server from the internet. When you perform a:
netstat -an | grep ':21 '
from the Linux shell, you see that the IP address that is connected is your own WAN IP address of your AirPort/Time Capsule.
Apparently the AirPort/Time Capsule recognizes the connection is an FTP client and manipulates the connection in such a way as to report the wrong IP address that is connecting to your FTP server.
This isn't a problem, unless you're using /etc/hosts.allow and /etc/hosts.deny to have port wrapper permit only listed IP addresses to have access to the FTP service. In that case, all connections seem to come in from your router's WAN IP address, so there's no way to distinguish where the connection is coming from.
Apple needs to take a closer look at the version 7.3.1 for the Time Capsule (not sure what the version is for the AirPort Extreme) and fix the reported IP address from the WAN side connection.

FTP Port Forwarding

Similar Messages

Maybe you are looking for