https://community.cisco.com/t5/cloud-security/set-up-acl-for-allow-ftp-connection/m-p/4924402#M1757 <P>Hello <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1594154">@hoquocthienanh</a>,</P><P><SPAN>To successfully establish an FTP session, the active FTP mode of operation uses control <STRONG>port 21</STRONG> and the data <STRONG>port</STRONG> <STRONG>of 20</STRONG>.</SPAN></P><P><SPAN>Also, perhaps your are in Passive mode then serveur answer with the higher port and not port 20.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot_20230916_120945.jpg" style="width: 1080px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/197451i366017B00567583B/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot_20230916_120945.jpg" alt="Screenshot_20230916_120945.jpg" /></span></P><P> </P><P>&nbsp;</P> Sat, 16 Sep 2023 10:13:31 GMT M02@rt37 2023-09-16T10:13:31Z https://community.cisco.com/t5/cloud-security/set-up-acl-for-allow-ftp-connection/m-p/4924394#M1756 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image_2023-09-16_163318601.png" style="width: 760px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/197450i3560E6E7E2A1B608/image-dimensions/760x435?v=v2" width="760" height="435" role="button" title="image_2023-09-16_163318601.png" alt="image_2023-09-16_163318601.png" /></span></P><P>I have a network diagram as above and was asked to implement the ACL to allow FTP traffic between LAN2 and LAN4, I config my ACL like below:</P><P>access-list 111 permit tcp 10.10.2.0 0.0.0.255 10.10.4.0 0.0.0.255 eq ftp</P><P>access-list 111 permit tcp 10.10.2.0 0.0.0.255 eq 20 10.10.4.0 0.0.0.255</P><P>interface f0/1</P><P>ip access-group 111 in</P><P>After that, I went to CMD of a computer in LAN2 then type in: FTP 10.10.4.0 and get the response: Error opening 10.10.4.0 (timed out)</P><P>I want to ask if my ACL configuration is right and why did I get the timed out response above. Thank you!</P> Sat, 16 Sep 2023 09:39:18 GMT https://community.cisco.com/t5/cloud-security/set-up-acl-for-allow-ftp-connection/m-p/4924394#M1756 hoquocthienanh 2023-09-16T09:39:18Z https://community.cisco.com/t5/cloud-security/set-up-acl-for-allow-ftp-connection/m-p/4924402#M1757 <P>Hello <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1594154">@hoquocthienanh</a>,</P><P><SPAN>To successfully establish an FTP session, the active FTP mode of operation uses control <STRONG>port 21</STRONG> and the data <STRONG>port</STRONG> <STRONG>of 20</STRONG>.</SPAN></P><P><SPAN>Also, perhaps your are in Passive mode then serveur answer with the higher port and not port 20.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot_20230916_120945.jpg" style="width: 1080px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/197451i366017B00567583B/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot_20230916_120945.jpg" alt="Screenshot_20230916_120945.jpg" /></span></P><P> </P><P>&nbsp;</P> Sat, 16 Sep 2023 10:13:31 GMT https://community.cisco.com/t5/cloud-security/set-up-acl-for-allow-ftp-connection/m-p/4924402#M1757 M02@rt37 2023-09-16T10:13:31Z https://community.cisco.com/t5/cloud-security/set-up-acl-for-allow-ftp-connection/m-p/4924405#M1758 <P>I also tried with another config:&nbsp;</P><P>access-list 112 permit tcp 10.10.2.0 0.0.0.255 10.10.4.0 0.0.0.255 eq ftp</P><P>access-list 112 permit tcp 10.10.2.0 0.0.0.255 10.10.4.0 0.0.0.255 gt 1023</P><P>But still got the same result</P> Sat, 16 Sep 2023 10:14:59 GMT https://community.cisco.com/t5/cloud-security/set-up-acl-for-allow-ftp-connection/m-p/4924405#M1758 hoquocthienanh 2023-09-16T10:14:59Z https://community.cisco.com/t5/cloud-security/set-up-acl-for-allow-ftp-connection/m-p/4924412#M1759 <P>Add log to acl and add deny any any log to your acl</P> <P>Let see what happened with acl</P> Sat, 16 Sep 2023 10:27:36 GMT https://community.cisco.com/t5/cloud-security/set-up-acl-for-allow-ftp-connection/m-p/4924412#M1759 MHM Cisco World 2023-09-16T10:27:36Z https://community.cisco.com/t5/cloud-security/set-up-acl-for-allow-ftp-connection/m-p/4924415#M1760 <P>Are you sure about that <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1594154">@hoquocthienanh</a>&nbsp;?</P><P><SPAN>access-list 112 permit tcp 10.10.2.0 0.0.0.255 10.10.4.0 0.0.0.255 gt 1023</SPAN></P><P>&nbsp;</P> Sat, 16 Sep 2023 10:30:39 GMT https://community.cisco.com/t5/cloud-security/set-up-acl-for-allow-ftp-connection/m-p/4924415#M1760 M02@rt37 2023-09-16T10:30:39Z https://community.cisco.com/t5/cloud-security/set-up-acl-for-allow-ftp-connection/m-p/4924429#M1761 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1594154">@hoquocthienanh</a>&nbsp;</P><P>Refer here also</P><P><A href="https://community.cisco.com/t5/networking-knowledge-base/how-to-configure-acl-to-permit-ftp-traffic/ta-p/3130782" target="_blank">https://community.cisco.com/t5/networking-knowledge-base/how-to-configure-acl-to-permit-ftp-traffic/ta-p/3130782</A></P> Sat, 16 Sep 2023 11:04:19 GMT https://community.cisco.com/t5/cloud-security/set-up-acl-for-allow-ftp-connection/m-p/4924429#M1761 M02@rt37 2023-09-16T11:04:19Z https://community.cisco.com/t5/cloud-security/set-up-acl-for-allow-ftp-connection/m-p/4924434#M1762 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1594154">@hoquocthienanh</a></P><P>I tried the same scenario and configuations in Cisco Packet tracer&nbsp;</P><P>Its working fine...!!</P><P>I think....it's because some limitations with gns3</P><P>Thanks</P><P>Gopinath</P> Sat, 16 Sep 2023 11:30:27 GMT https://community.cisco.com/t5/cloud-security/set-up-acl-for-allow-ftp-connection/m-p/4924434#M1762 Blue_Bird 2023-09-16T11:30:27Z