https://community.cisco.com/t5/network-security/acl-on-2851-router/m-p/823478#M973647 <P>Hi have problems with my ACL, I cannot get passive ftp to work. I can log in but I cannot see any folders inside the FTP site. In active mode there is no problem. The interface has static translation for the FTP server. Here is the ACL. Can anyone help? Thanks</P><P></P><P>access-list 112 permit tcp any host x.x.x.x eq ftp</P><P>access-list 112 permit tcp any host x.x.x.x eq ftp-data</P><P>access-list 112 permit tcp any eq ftp-data host x.x.x.x gt 1024</P><P></P><P></P><P></P> Mon, 11 Mar 2019 11:24:55 GMT bsudol79p 2019-03-11T11:24:55Z https://community.cisco.com/t5/network-security/acl-on-2851-router/m-p/823478#M973647 <P>Hi have problems with my ACL, I cannot get passive ftp to work. I can log in but I cannot see any folders inside the FTP site. In active mode there is no problem. The interface has static translation for the FTP server. Here is the ACL. Can anyone help? Thanks</P><P></P><P>access-list 112 permit tcp any host x.x.x.x eq ftp</P><P>access-list 112 permit tcp any host x.x.x.x eq ftp-data</P><P>access-list 112 permit tcp any eq ftp-data host x.x.x.x gt 1024</P><P></P><P></P><P></P> Mon, 11 Mar 2019 11:24:55 GMT https://community.cisco.com/t5/network-security/acl-on-2851-router/m-p/823478#M973647 bsudol79p 2019-03-11T11:24:55Z https://community.cisco.com/t5/network-security/acl-on-2851-router/m-p/823479#M973648 <HTML><HEAD></HEAD><BODY><P>do you have the acl applied in the right direction ?</P></BODY></HTML> Fri, 12 Oct 2007 19:41:26 GMT https://community.cisco.com/t5/network-security/acl-on-2851-router/m-p/823479#M973648 whisperwind 2007-10-12T19:41:26Z https://community.cisco.com/t5/network-security/acl-on-2851-router/m-p/823480#M973649 <HTML><HEAD></HEAD><BODY><P>Yes the ACL is applied correctly because the FTP works when it is in active mode, but it doesn't work when it is in the passive mode.</P></BODY></HTML> Fri, 12 Oct 2007 20:17:56 GMT https://community.cisco.com/t5/network-security/acl-on-2851-router/m-p/823480#M973649 bsudol79p 2007-10-12T20:17:56Z https://community.cisco.com/t5/network-security/acl-on-2851-router/m-p/823481#M973650 <HTML><HEAD></HEAD><BODY><P>Your access-list is wrong. Here is the way things work with Active:</P><P>control channel</P><P> client:&gt;1024 --&gt; server:21</P><P>data channel</P><P> server:20 --&gt; client:&gt;1024</P><P></P><P>The active scenerio you have covered... </P><P></P><P>But passive works like this:</P><P>control channel</P><P> client:&gt;1024 --&gt; server:21</P><P>data channel</P><P> client:&gt;1024 --&gt; server:&gt;1024</P><P></P><P>The data channel is negotiated... no port port 20 (if i remember correctly). To make this work for both active and passive, your acl has to read:</P><P></P><P>access-list 112 permit tcp any host x.x.x.x eq ftp </P><P>access-list 112 remark FOR ACTIVE</P><P>access-list 112 permit tcp any eq ftp-data host x.x.x.x gt 1024 </P><P>access-list 112 remark FOR PASSIVE</P><P>access-list 112 permit tcp any gt 1024 host x.x.x.x gt 1024 </P><P></P><P></P></BODY></HTML> Fri, 12 Oct 2007 21:56:10 GMT https://community.cisco.com/t5/network-security/acl-on-2851-router/m-p/823481#M973650 saro 2007-10-12T21:56:10Z https://community.cisco.com/t5/network-security/acl-on-2851-router/m-p/823482#M973651 <HTML><HEAD></HEAD><BODY><P>It works, Thanks for all the help!!!!!!!!!!</P></BODY></HTML> Mon, 15 Oct 2007 14:30:20 GMT https://community.cisco.com/t5/network-security/acl-on-2851-router/m-p/823482#M973651 bsudol79p 2007-10-15T14:30:20Z