topic ACL allowing internal clients access to outside FTP data on cisc in Network Security https://community.cisco.com/t5/network-security/acl-allowing-internal-clients-access-to-outside-ftp-data-on/m-p/2202102#M358844 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Hey man my pleasure,</P><P></P><P>Remember to rate all of the helpful posts and can you mark the question as answered?</P><P></P><P>Regards</P></BODY></HTML> Fri, 05 Apr 2013 19:59:03 GMT Julio Carvajal 2013-04-05T19:59:03Z ACL allowing internal clients access to outside FTP data on cisco 3750 https://community.cisco.com/t5/network-security/acl-allowing-internal-clients-access-to-outside-ftp-data-on/m-p/2202097#M358839 <P>Hi,</P><P></P><P>I have this ACL on a cisco 3750 for allowing internal clients to access outside&nbsp; FTP&nbsp; servers, and I am concerned about the security hole that the last statement it might create:</P><P></P><P>access-list 111 permit tcp 10.100.111.0 0.0.0.255 gt 1023 any eq ftp</P><P>access-list 111 permit tcp 10.100.111.0 0.0.0.255 gt 1023 any eq ftp-data</P><P><STRONG>access-list 111 permit tcp 10.100.111.0 0.0.0.255 gt 1023 any gt 1023</STRONG></P><P></P><P>This is the only way I could get internal clients to access FTP data outside&nbsp; the network/Internet.</P><P></P><P>The access-list is applied <STRONG>inbound</STRONG> on the <STRONG>VLAN interface</STRONG> on the 3750.</P><P></P><P>Will this expose clients to a security risk?</P><P></P><P>Thank you.</P> Tue, 12 Mar 2019 01:24:12 GMT https://community.cisco.com/t5/network-security/acl-allowing-internal-clients-access-to-outside-ftp-data-on/m-p/2202097#M358839 iosepmonica 2019-03-12T01:24:12Z ACL allowing internal clients access to outside FTP data on cisc https://community.cisco.com/t5/network-security/acl-allowing-internal-clients-access-to-outside-ftp-data-on/m-p/2202098#M358840 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>So this is applied on the internal interface right?? </P><P></P><P>What FTP mode are you running, if it's passive where the client innitiates both connectionns Control and data channel then you must have it like that... I mean it will not expose as this is traffic from your clients to the outside, not from outside to inside.. You follow me</P><P></P><P>Why don't you restrict traffic on the interface that is next to the outside world?</P><P></P><P>Regards,</P></BODY></HTML> Fri, 05 Apr 2013 18:19:40 GMT https://community.cisco.com/t5/network-security/acl-allowing-internal-clients-access-to-outside-ftp-data-on/m-p/2202098#M358840 Julio Carvajal 2013-04-05T18:19:40Z ACL allowing internal clients access to outside FTP data on cisc https://community.cisco.com/t5/network-security/acl-allowing-internal-clients-access-to-outside-ftp-data-on/m-p/2202099#M358841 <HTML><HEAD></HEAD><BODY><P>Correct, this is applied on the internal interface, and it is for internal clients accessing FTP servers on the Internet mostly.</P><P></P><P>In a typical environment, I would do this on a firewall, but in this particular case, this client wants it on the internal L3 switch. This switch has an interface that connects to a gateway for Internet access. </P><P>No connections initiated from outside to the internal clients are allowed at all, and the traffic going to the Internet only includes FTP, NTP and DNS.</P></BODY></HTML> Fri, 05 Apr 2013 18:43:42 GMT https://community.cisco.com/t5/network-security/acl-allowing-internal-clients-access-to-outside-ftp-data-on/m-p/2202099#M358841 iosepmonica 2013-04-05T18:43:42Z ACL allowing internal clients access to outside FTP data on cisc https://community.cisco.com/t5/network-security/acl-allowing-internal-clients-access-to-outside-ftp-data-on/m-p/2202100#M358842 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Yes, so that would be the only way to make it happen as you will need some sort of inspection in order to open the right pinholes for the outgoing Data channel,</P><P></P><P>but if everything for out to in is being denied you should be good to go</P><P></P><P>Regards,</P><P></P><P>Remember to rate all of the helpful posts</P><P></P><P>Julio Carvajal Segura</P></BODY></HTML> Fri, 05 Apr 2013 19:39:34 GMT https://community.cisco.com/t5/network-security/acl-allowing-internal-clients-access-to-outside-ftp-data-on/m-p/2202100#M358842 Julio Carvajal 2013-04-05T19:39:34Z ACL allowing internal clients access to outside FTP data on cisc https://community.cisco.com/t5/network-security/acl-allowing-internal-clients-access-to-outside-ftp-data-on/m-p/2202101#M358843 <HTML><HEAD></HEAD><BODY><P>Thank you very much!</P></BODY></HTML> Fri, 05 Apr 2013 19:51:52 GMT https://community.cisco.com/t5/network-security/acl-allowing-internal-clients-access-to-outside-ftp-data-on/m-p/2202101#M358843 iosepmonica 2013-04-05T19:51:52Z ACL allowing internal clients access to outside FTP data on cisc https://community.cisco.com/t5/network-security/acl-allowing-internal-clients-access-to-outside-ftp-data-on/m-p/2202102#M358844 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Hey man my pleasure,</P><P></P><P>Remember to rate all of the helpful posts and can you mark the question as answered?</P><P></P><P>Regards</P></BODY></HTML> Fri, 05 Apr 2013 19:59:03 GMT https://community.cisco.com/t5/network-security/acl-allowing-internal-clients-access-to-outside-ftp-data-on/m-p/2202102#M358844 Julio Carvajal 2013-04-05T19:59:03Z