Question : Filezilla FTP between 2 sites behind Cisco 878 firewall

Hi,
I am having a problem with a FTP connection between 2 sites. Am using Filezilla client to connect to Filezilla server at main site. Both sites are behind a Cisco 878 firewall router. The client can connect on port 5656, accepts username/password, but fails to get a data connections. See log below on client Filezilla.
Status:      Connecting to 125.255.97.6:5656...
Status:      Connection established, waiting for welcome message...
Response:      220-FileZilla Server version 0.9.32 beta
Response:      220-written by Tim Kosse ([email protected])
Response:      220 Please visit http://sourceforge.net/projects/filezilla/
Command:      USER *******
Response:      331 Password required for *******
Command:      PASS *********
Response:      230 Logged on
Status:      Connected
Status:      Retrieving directory listing...
Command:      PWD
Response:      257 "/" is current directory.
Command:      TYPE I
Response:      200 Type set to I
Command:      PASV
Response:      227 Entering Passive Mode (125,255,97,6,195,112)
Command:      MLSD
Response:      425 Can't open data connection.
Error:      Failed to retrieve directory listing
Response:      421 Connection timed out.
Error:      Connection closed by server
The Filezilla server is listening on port 5656, and i have got port forwarding on main sites router for port 5656 to go to internal Filezilla server pc. Within Filezilla server passive mode settings, have put in external server IP address, and am using a custom port range from 50000-51000.
I have tried to put in these port ranges into main site Cisco router firewall through SDM, but am still getting same error. Have also tried adding in the command:
access-list 101 permit tcp any host 192.168.10.33 range 50000 51000 (which is the Filezilla server IP) without any luck.
Also, is there any configuring i need to do on the client side Cisco firewall? Both sites have a VPN between them. Any help would be greatly appreciated.
Regards,
sheproc

Code Snippet:

1: 2: 3: 4: 5: 6: 7: 8: 9: 10: 11: 12: 13: 14: 15: 16: 17: 18: 19: 20: 21: 22: 23: 24: 25: 26: 27: 28: 29: 30: 31: 32: 33: 34: 35: 36: 37: 38: 39: 40: 41: 42: 43: 44: 45: 46: 47: 48: 49: 50: 51: 52: 53: 54: 55: 56: 57: 58: 59: 60: 61: 62: 63: 64: 65: 66: 67: 68: 69: 70: 71: 72: 73: 74: 75: 76: 77: 78: 79: 80: 81: 82: 83: 84: 85: 86: 87: 88: 89: 90: 91: 92: 93: 94: 95: 96: 97: 98: 99: 100: 101: 102: 103: 104: 105: 106: 107: 108: 109: 110: 111: 112: 113: 114: 115: 116: 117: 118: 119: 120: 121: 122: 123: 124: 125: 126: 127: 128: 129: 130: 131: 132: 133: 134: 135: 136: 137: 138: 139: 140: 141: 142: 143: 144: 145: 146: 147: 148: 149: 150: 151: 152: 153: 154: 155: 156: 157: 158: 159: 160: 161: 162: 163: 164: 165: 166: 167: 168: 169: 170: 171: 172: 173: 174: 175: 176: 177: 178: 179: 180: 181: 182: 183: 184: 185: 186: 187: 188: 189: 190: 191: 192: 193: 194: 195: 196: 197: 198: 199: 200: 201: 202: 203: 204: 205: 206: 207: 208: 209: 210: 211: 212: 213: 214: 215: 216: 217: 218: 219: 220: 221: 222: 223: 224: 225: 226: 227: 228: 229: 230: 231: 232: 233: 234: 235: 236: 237: 238: 239: 240: 241: 242: 243: 244: 245: 246: 247: 248: 249: 250: 251: 252: 253: 254: 255: 256: 257: 258: 259: 260: 261: 262: 263: 264: 265: 266: 267: 268: 269: 270: 271: 272: 273: 274: 275: 276: 277: 278: 279: 280: 281: 282: 283: 284: 285: 286: 287: 288: 289: 290: 291: 292: 293: 294: 295: 296: 297: 298: 299: 300: 301: 302: 303: 304: 305: 306: 307: 308: 309: 310: 311: 312: 313: 314: 315: 316: 317: 318: 319: 320: 321: 322: 323: 324: 325: 326: 327: 328: 329: 330: 331: 332: 333: 334: 335: 336: 337: 338: 339: 340: 341: 342: 343: 344: 345: 346: 347: 348: 349: 350: 351: 352: 353: 354: 355: 356: 357: 358: 359: 360: 361: 362: 363: 364: 365: 366: 367: 368: 369: 370: 371: 372: 373: 374: 375: 376: 377: 378: 379: 380: 381: 382: 383: 384: 385: 386: 387: 388: 389: 390: 391: 392: 393: 394: 395: 396: 397: 398: 399: 400: 401: 402: 403: 404: 405: 406: 407: 408: 409: 410: 411: 412: 413: 414: 415: 416: 417: 418: 419: 420: 421: 422: 423: 424: 425: 426: 427: 428: 429: 430: 431: 432: 433: 434: 435: 436: 437: 438: 439: 440: 441: 442: 443: 444: 445: 446: 447: 448:

Running config from main site router: Building configuration... Current configuration : 16217 bytes ! version 12.4 no service pad service timestamps debug uptime service timestamps log uptime service password-encryption ! hostname JDA-Router ! boot-start-marker boot-end-marker ! logging buffered 52000 debugging enable secret 5 $1$t5vI$wpuC4CmPH8pDO9fhYsp1x. ! aaa new-model ! ! aaa authentication login default enable aaa authentication login sdm_vpn_xauth_ml_1 local aaa authentication login LOCALUSERS local aaa authorization network sdm_vpn_group_ml_1 local ! aaa session-id common ! resource policy ! ip cef ! ! no ip dhcp use vrf connected ip dhcp excluded-address 192.168.1.1 192.168.1.99 ip dhcp excluded-address 192.168.1.150 192.168.1.254 ip dhcp excluded-address 192.168.10.1 192.168.10.99 ip dhcp excluded-address 192.168.10.150 192.168.10.254 ! ip dhcp pool CLIENT network 192.168.1.0 255.255.255.0 default-router 192.168.1.1 dns-server 210.23.129.34 61.8.0.113 netbios-node-type h-node ! ip dhcp pool Pool import all network 192.168.10.0 255.255.255.0 dns-server 61.8.0.113 210.23.129.34 default-router 192.168.10.25 ! ! ip domain name jda.com.au ip name-server 61.8.0.113 ip name-server 210.23.129.34 ip ssh authentication-retries 5 ip ssh version 2 ip inspect name SDM_LOW cuseeme ip inspect name SDM_LOW dns ip inspect name SDM_LOW h323 ip inspect name SDM_LOW https ip inspect name SDM_LOW icmp ip inspect name SDM_LOW imap ip inspect name SDM_LOW pop3 ip inspect name SDM_LOW netshow ip inspect name SDM_LOW rcmd ip inspect name SDM_LOW realaudio ip inspect name SDM_LOW rtsp ip inspect name SDM_LOW esmtp ip inspect name SDM_LOW sqlnet ip inspect name SDM_LOW streamworks ip inspect name SDM_LOW tcp ip inspect name SDM_LOW udp ip inspect name SDM_LOW vdolive ip inspect name SDM_LOW ftp ip inspect name SDM_LOW tftp ip inspect name SDM_LOW h323callsigalt ip inspect name SDM_LOW h323gatestat ip inspect name SDM_LOW skinny ip inspect name SDM_LOW sip ip inspect name SDM_LOW sip-tls ip inspect name SDM_LOW isakmp ip inspect name SDM_LOW ipsec-msft ip inspect name VPN microsoft-ds ip inspect name VPN ms-cluster-net ip inspect name VPN ms-dotnetster ip inspect name VPN ms-sna ip inspect name VPN ms-sql ip inspect name VPN ms-sql-m ip inspect name VPN msexch-routing ip inspect name VPN netbios-dgm ip inspect name VPN netbios-ssn ip inspect name VPN r-winsock ip inspect name VPN clp ip inspect name VPN cisco-net-mgmt ip inspect name VPN cisco-sys ip inspect name VPN cisco-tna ip inspect name VPN cisco-fna ip inspect name VPN cisco-tdp ip inspect name VPN cisco-svcs ip inspect name VPN stun ip inspect name VPN tr-rsrb ip inspect name VPN exec ip inspect name VPN telnet ip inspect name VPN telnets ip inspect name VPN rtelnet ip inspect name VPN login ip inspect name VPN rcmd ip inspect name VPN ssh ip inspect name VPN shell ip inspect name VPN sshell ip inspect name VPN pcanywheredata ip inspect name VPN pcanywherestat ip inspect name VPN x11 ip inspect name VPN xdmcp ! ! crypto pki trustpoint TP-self-signed-807282283 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-807282283 revocation-check none rsakeypair TP-self-signed-807282283 ! ! crypto pki certificate chain TP-self-signed-807282283 certificate self-signed 01 3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274 69666963 6174652D 38303732 38323238 33301E17 0D303230 33313530 39333633 375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F 532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3830 37323832 32383330 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100 9819313F E60F14E5 30E08834 807912E5 82D459A8 089106D9 08AB61A1 FA2BBD7C 61782251 FA3A9236 9424C0A2 1231B4AC 4E6B01D3 0E150CE7 B460EE5A 94B6C22E 10CF050E 76E8AD99 49F3AB0F EDF3C896 25F9FEA6 FB12000F D39061E0 ACD0FB01 EB1FCDA1 B2609269 7C902EAB A5C61D69 A8206D0A AD3E6E40 DAB44E64 CEBF17A5 02030100 01A37530 73300F06 03551D13 0101FF04 05300301 01FF3020 0603551D 11041930 1782154A 44412D52 6F757465 722E6A64 612E636F 6D2E6175 301F0603 551D2304 18301680 142DB095 79871311 36F26FFB 82D506DF 504BF605 93301D06 03551D0E 04160414 2DB09579 87131136 F26FFB82 D506DF50 4BF60593 300D0609 2A864886 F70D0101 04050003 81810088 A897CF69 8F4A4623 CC334F31 C4D7BD80 306DC79D 49EAD421 E0D58EB5 D10C164C 3F8D7016 BA54AB9E 70EEE7BC 27426716 54EEE929 ABA25658 2553D566 B76EB9F7 8CB0847C B1C96331 36FF69DF A670E01C 5458CDC5 FDCCCF56 822A8E07 A139985E 9B09DEF2 F46261EE D3753A18 95746CDE FBC4E1AE 91DF5402 892EADE1 0D7C63 quit username ************** privilege 15 password 7 0314580E070E315E48 username ************* privilege 15 password 7 060D073514 ! ! controller DSL 0 mode atm line-term cpe line-mode 2-wire line-zero dsl-mode shdsl symmetric annex B line-rate auto ! ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp key 79f5f9f598 address 125.255.97.70 crypto isakmp key 79f5f9f598 address 125.255.97.58 crypto isakmp key 79F5F9F598 address 125.255.97.46 crypto isakmp key 79f5f9f598 address 125.255.97.66 crypto isakmp key 79F5F9F598 address 125.255.98.86 crypto isakmp keepalive 10 periodic ! ! crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac crypto ipsec df-bit clear ! crypto map SDM_CMAP_1 1 ipsec-isakmp description Liverpool VPN tunnel set peer 125.255.97.70 set transform-set ESP-3DES-SHA match address 102 crypto map SDM_CMAP_1 2 ipsec-isakmp set peer 125.255.97.58 set transform-set ESP-3DES-SHA2 match address 104 crypto map SDM_CMAP_1 5 ipsec-isakmp set peer 125.255.97.46 set transform-set ESP-3DES-SHA match address 109 crypto map SDM_CMAP_1 6 ipsec-isakmp set peer 125.255.98.86 set transform-set ESP-3DES-SHA7 match address 111 ! bridge irb ! ! ! interface BRI0 no ip address encapsulation hdlc shutdown ! interface ATM0 description Nextep SHDSL no ip address atm ilmi-keepalive pvc 0/33 encapsulation aal5snap ! pvc 1/32 encapsulation aal5snap ! bridge-group 1 ! interface FastEthernet0 ! interface FastEthernet1 ! interface FastEthernet2 ! interface FastEthernet3 ! interface Vlan1 description $FW_INSIDE$ ip address 192.168.10.25 255.255.255.0 ip access-group 100 in ip nat inside ip virtual-reassembly ! interface BVI1 description $FW_OUTSIDE$ ip address 125.255.97.6 255.255.255.252 ip access-group 101 in ip verify unicast reverse-path ip nat outside ip inspect SDM_LOW out ip virtual-reassembly crypto map SDM_CMAP_1 ! ip local pool SDM_POOL_1 192.168.10.150 192.168.10.199 ip route 0.0.0.0 0.0.0.0 BVI1 ! ! ip http server ip http authentication local ip http secure-server ip http timeout-policy idle 600 life 86400 requests 10000 ip nat inside source static tcp 192.168.10.33 4000 interface BVI1 4000 ip nat inside source static tcp 192.168.10.202 3456 interface BVI1 3456 ip nat inside source static tcp 192.168.10.60 3434 interface BVI1 3434 ip nat inside source static tcp 192.168.10.30 4444 interface BVI1 4444 ip nat inside source route-map SDM_RMAP_1 interface BVI1 overload ip nat inside source static tcp 192.168.10.119 3389 interface BVI1 3389 ip nat inside source static tcp 192.168.10.119 6502 interface BVI1 6502 ip nat inside source static tcp 192.168.10.144 3399 interface BVI1 3399 ip nat inside source static tcp 192.168.10.33 5656 interface BVI1 5656 ip nat inside source static tcp 192.168.10.33 50000 interface BVI1 50000 ip nat inside source static tcp 192.168.10.14 20 125.255.97.6 20 extendable ip nat inside source static tcp 192.168.10.14 21 125.255.97.6 21 extendable ip nat inside source static udp 192.168.10.14 69 125.255.97.6 69 extendable ip nat inside source static tcp 192.168.10.14 3333 125.255.97.6 3333 extendable ip nat inside source static tcp 192.168.10.251 3390 125.255.97.6 3390 extendable ip nat inside source static tcp 192.168.10.252 3391 125.255.97.6 3391 extendable ip nat inside source static tcp 192.168.10.253 3392 125.255.97.6 3392 extendable ! access-list 1 remark SDM_ACL Category=16 access-list 1 permit 192.168.0.0 0.0.255.255 access-list 10 permit 61.8.0.68 access-list 10 permit 61.8.0.70 access-list 10 permit 61.8.0.67 access-list 10 permit 125.255.97.5 access-list 10 permit 192.168.0.0 0.0.255.255 access-list 100 remark auto generated by SDM firewall configuration access-list 100 remark SDM_ACL Category=1 access-list 100 permit ip 125.255.97.4 0.0.0.3 any access-list 100 permit tcp any any eq ftp access-list 100 remark Inbound, Vlan, to deny spoofing access-list 100 deny ip host 255.255.255.255 any access-list 100 remark Inbound, Vlan, deny broadcast local loopback access-list 100 deny ip 127.0.0.0 0.255.255.255 any access-list 100 remark Inbound, Vlan, permit all other traffic access-list 100 permit ip any any access-list 101 remark auto generated by SDM firewall configuration access-list 101 remark SDM_ACL Category=1 access-list 101 remark IPSec Rule access-list 101 permit ip 192.168.8.0 0.0.0.255 192.168.10.0 0.0.0.255 access-list 101 permit udp host 125.255.98.86 host 125.255.97.6 eq non500-isakmp access-list 101 permit udp host 125.255.98.86 host 125.255.97.6 eq isakmp access-list 101 permit esp host 125.255.98.86 host 125.255.97.6 access-list 101 permit ahp host 125.255.98.86 host 125.255.97.6 access-list 101 remark IPSec Rule CharlieChans access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.10.0 0.0.0.255 access-list 101 remark CharlieChans VPN access-list 101 permit udp host 125.255.97.46 host 125.255.97.6 eq non500-isakmp access-list 101 remark CharlieChans VPN access-list 101 permit udp host 125.255.97.46 host 125.255.97.6 eq isakmp access-list 101 remark CharlieChans VPN access-list 101 permit esp host 125.255.97.46 host 125.255.97.6 access-list 101 remark CharlieChans VPN access-list 101 permit ahp host 125.255.97.46 host 125.255.97.6 access-list 101 remark IPSec Rule Allawah access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255 access-list 101 remark Allawah VPN access-list 101 permit udp host 125.255.97.58 host 125.255.97.6 eq non500-isakmp access-list 101 remark Allawah VPN access-list 101 permit udp host 125.255.97.58 host 125.255.97.6 eq isakmp access-list 101 remark Allawah VPN access-list 101 permit esp host 125.255.97.58 host 125.255.97.6 access-list 101 remark Allawah VPN access-list 101 permit ahp host 125.255.97.58 host 125.255.97.6 access-list 101 remark IPSec Rule Legends access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 access-list 101 remark Legends VPN access-list 101 permit udp host 125.255.97.70 host 125.255.97.6 eq non500-isakmp access-list 101 remark Legends VPN access-list 101 permit udp host 125.255.97.70 host 125.255.97.6 eq isakmp access-list 101 remark Legends VPN access-list 101 permit esp host 125.255.97.70 host 125.255.97.6 access-list 101 remark Legends VPN access-list 101 permit ahp host 125.255.97.70 host 125.255.97.6 access-list 101 remark ServerRDP access-list 101 permit tcp any host 125.255.97.6 eq 3333 access-list 101 remark JohnRDP access-list 101 permit tcp any host 125.255.97.6 eq 3390 access-list 101 remark DeanRDP access-list 101 permit tcp any host 125.255.97.6 eq 3391 access-list 101 remark Abbey RDP access-list 101 permit tcp any host 125.255.97.6 eq 3392 access-list 101 remark BePOZ server access-list 101 permit tcp any host 125.255.97.6 eq 3389 access-list 101 remark BePOZ access-list 101 permit tcp any host 125.255.97.6 eq 6502 access-list 101 remark Terminal server RDP access-list 101 permit tcp any host 125.255.97.6 eq 4444 access-list 101 remark StaceRDP access-list 101 permit tcp any host 125.255.97.6 eq 3434 access-list 101 remark DebraRDP access-list 101 permit tcp any host 125.255.97.6 eq 3456 access-list 101 remark SBS2008RDP access-list 101 permit tcp any host 125.255.97.6 eq 4000 access-list 101 remark SandraRDP access-list 101 permit tcp any host 125.255.97.6 eq 3399 access-list 101 remark FileZillaFTP access-list 101 permit tcp any host 125.255.97.6 eq 5656 access-list 101 remark PING access-list 101 permit tcp any eq echo any eq echo access-list 101 remark PING access-list 101 permit icmp any any access-list 101 remark FTP access-list 101 permit tcp any any eq ftp access-list 101 remark DNS resolution access-list 101 permit udp any eq domain any eq domain access-list 101 remark DNS access-list 101 permit ip host 210.23.129.34 host 125.255.97.6 access-list 101 remark DNS access-list 101 permit ip host 61.8.0.113 host 125.255.97.6 access-list 101 remark Prevent broadcasts access-list 101 deny ip 192.168.10.0 0.0.0.255 any access-list 101 remark PING access-list 101 permit icmp any host 125.255.97.6 echo-reply access-list 101 remark PING access-list 101 permit icmp any host 125.255.97.6 time-exceeded access-list 101 remark TFTP access-list 101 permit udp any eq tftp any eq tftp access-list 101 permit tcp any host 125.255.97.6 eq 443 access-list 101 permit tcp any host 125.255.97.6 eq 22 access-list 101 permit tcp any host 125.255.97.6 eq cmd access-list 101 deny ip 10.0.0.0 0.255.255.255 any access-list 101 deny ip 172.16.0.0 0.15.255.255 any access-list 101 deny ip 127.0.0.0 0.255.255.255 any access-list 101 deny ip host 255.255.255.255 any access-list 101 deny ip host 0.0.0.0 any access-list 101 deny ip any any log access-list 101 permit tcp any host 192.168.10.33 range 50000 51000 access-list 102 remark SDM_ACL Category=4 access-list 102 remark IPSec Rule access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255 access-list 103 remark SDM_ACL Category=2 access-list 103 remark IPSec Rule access-list 103 deny ip 192.168.10.0 0.0.0.255 192.168.8.0 0.0.0.255 access-list 103 remark IPSec Rule access-list 103 deny ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255 access-list 103 remark IPSec Rule access-list 103 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255 access-list 103 remark IPSec Rule access-list 103 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255 access-list 103 permit ip 192.168.0.0 0.0.255.255 any access-list 104 remark SDM_ACL Category=4 access-list 104 remark IPSec Rule access-list 104 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255 access-list 105 remark SDM_ACL Category=4 access-list 105 remark IPSec Rule access-list 105 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255 access-list 106 remark SDM_ACL Category=4 access-list 106 remark IPSec Rule access-list 106 permit ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255 access-list 107 remark SDM_ACL Category=4 access-list 107 remark IPSec Rule access-list 107 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255 access-list 108 remark SDM_ACL Category=4 access-list 108 remark IPSec Rule access-list 108 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255 access-list 109 remark SDM_ACL Category=4 access-list 109 remark IPSec Rule access-list 109 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255 access-list 110 remark SDM_ACL Category=4 access-list 110 remark IPSec Rule access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.8.0 0.0.0.255 access-list 111 remark SDM_ACL Category=4 access-list 111 remark IPSec Rule access-list 111 permit ip 192.168.10.0 0.0.0.255 192.168.8.0 0.0.0.255 ! ! ! route-map SDM_RMAP_1 permit 1 match ip address 103 ! ! control-plane ! bridge 1 protocol ieee bridge 1 route ip ! line con 0 exec-timeout 120 0 login authentication LOCALUSERS no modem enable no exec transport output ssh stopbits 1 line aux 0 transport output all line vty 0 4 access-class 10 in exec-timeout 0 0 privilege level 15 length 0 transport input telnet transport output all ! scheduler max-task-time 5000 end

Open in New Window

Select All

Answer : Filezilla FTP between 2 sites behind Cisco 878 firewall

After trying the above posts, i seemed to run into more hassles (namely regular FTP to a second server had stopped, and had been working prior to trying solutions). As a result, i have resorted back to original configuration and am using Robocopy to transfer FTP data between 2 servers. Thank you all who helped with this problem.
Regards,
sheproc