https://community.cisco.com/t5/application-networking/block-traffic-while-allowing-passive-ftp/m-p/378808#M6587 <HTML><HEAD></HEAD><BODY><P>Thank you. That's the last piece of the puzzle.</P><P></P><P>-Mark</P></BODY></HTML> Mon, 13 Dec 2004 23:05:56 GMT mromer 2004-12-13T23:05:56Z https://community.cisco.com/t5/application-networking/block-traffic-while-allowing-passive-ftp/m-p/378805#M6584 <P>We've got two subnets sitting behind a redundant pair of CSS 11050's. I need to block traffic between the two subnets (one contains our stuff, and the other contains stuff we're hosting for another company). I can use an ACL to do this, but it seems that any sort of ACL will prevent servers on either subnet from making outbound passive FTP connections.</P><P></P><P>Ref: "Understanding and Configuring FTP on the CSS 11000"</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/customer/products/hw/contnetw/ps789/products_tech_note09186a0080093de6.shtml" target="_blank">http://www.cisco.com/en/US/customer/products/hw/contnetw/ps789/products_tech_note09186a0080093de6.shtml</A></P><P></P><P>Each subnet is on a separate VLAN on the CSS, with a third VLAN for the uplink to the PIX firewall. All traffic between VLANs is bridged through the CSS--no one-arm setups.</P><P></P><P>Is there any way I can prevent communication between the two internal VLANs while allowing outbound passive FTP from each?</P> Mon, 13 Dec 2004 21:35:12 GMT https://community.cisco.com/t5/application-networking/block-traffic-while-allowing-passive-ftp/m-p/378805#M6584 mromer 2004-12-13T21:35:12Z https://community.cisco.com/t5/application-networking/block-traffic-while-allowing-passive-ftp/m-p/378806#M6585 <HTML><HEAD></HEAD><BODY><P>Looks like I panicked too soon. The problem appears to only come up if I NAT across the CSS. If I don't NAT, I can do outbound passive FTP and still keep the ACL in place.</P></BODY></HTML> Mon, 13 Dec 2004 22:31:16 GMT https://community.cisco.com/t5/application-networking/block-traffic-while-allowing-passive-ftp/m-p/378806#M6585 mromer 2004-12-13T22:31:16Z https://community.cisco.com/t5/application-networking/block-traffic-while-allowing-passive-ftp/m-p/378807#M6586 <HTML><HEAD></HEAD><BODY><P>You can do this by using ACL's and Source Groups separately (i.e. - don't use an ACL to map traffic into a Source Group). Ex:</P><P></P><P>VLAN10 = 10.10.10.0/24</P><P>Services: VLAN10-1, VLAN10-2</P><P></P><P>VLAN11 = 10.10.11.0/24</P><P>Services: VLAN11-1, VLAN11-2</P><P></P><P>!--Write some ACL's to block traffic</P><P>acl 10</P><P>clause 5 deny any 10.10.10.0 255.255.255.0 destination 10.10.11.0 255.255.255.0</P><P>clause 10 permit any any destination any</P><P>apply circuit-(VLAN10)</P><P></P><P>acl 11</P><P>clause 5 deny any 10.10.11.0 255.255.255.0 destination 10.10.10.0 255.255.255.0</P><P>clause 10 permit any any destination any</P><P>apply circuit-(VLAN11)</P><P></P><P>!--Create some src groups to NAT outbound traffic</P><P>group VLAN10</P><P>vip address x.x.x.x</P><P>add service VLAN10-1</P><P>add service VLAN10-2</P><P>active</P><P></P><P>group VLAN11</P><P>vip address y.y.y.y</P><P>add service VLAN11-1</P><P>add service VLAN11-2</P><P>active</P><P></P><P>~Zach</P><P></P></BODY></HTML> Mon, 13 Dec 2004 22:48:03 GMT https://community.cisco.com/t5/application-networking/block-traffic-while-allowing-passive-ftp/m-p/378807#M6586 seilsz 2004-12-13T22:48:03Z https://community.cisco.com/t5/application-networking/block-traffic-while-allowing-passive-ftp/m-p/378808#M6587 <HTML><HEAD></HEAD><BODY><P>Thank you. That's the last piece of the puzzle.</P><P></P><P>-Mark</P></BODY></HTML> Mon, 13 Dec 2004 23:05:56 GMT https://community.cisco.com/t5/application-networking/block-traffic-while-allowing-passive-ftp/m-p/378808#M6587 mromer 2004-12-13T23:05:56Z https://community.cisco.com/t5/application-networking/block-traffic-while-allowing-passive-ftp/m-p/378809#M6588 <HTML><HEAD></HEAD><BODY><P>Hi Mark,</P><P></P><P>It also looks like the behavior described in the document you referenced (not being able to use an ACL to assign ftp pasv traffic to a src group) was the result of a bug (id CSCdv02486). This was fixed in the 04.01.046, 05.00.021 and 05.01.010 code trains.</P><P></P><P>~Zach</P></BODY></HTML> Mon, 13 Dec 2004 23:39:47 GMT https://community.cisco.com/t5/application-networking/block-traffic-while-allowing-passive-ftp/m-p/378809#M6588 seilsz 2004-12-13T23:39:47Z https://community.cisco.com/t5/application-networking/block-traffic-while-allowing-passive-ftp/m-p/378810#M6589 <HTML><HEAD></HEAD><BODY><P>Well, that's interesting. I'm using 6.10.304 on the CSS.</P><P></P><P>Thanks again for your help.</P><P>-Mark</P></BODY></HTML> Tue, 14 Dec 2004 14:37:05 GMT https://community.cisco.com/t5/application-networking/block-traffic-while-allowing-passive-ftp/m-p/378810#M6589 mromer 2004-12-14T14:37:05Z