09-16-2023 02:39 AM
I have a network diagram as above and was asked to implement the ACL to allow FTP traffic between LAN2 and LAN4. I configured my ACL like below:
access-list 111 permit tcp 10.10.2.0 0.0.0.255 10.10.4.0 0.0.0.255 eq ftp
access-list 111 permit tcp 10.10.2.0 0.0.0.255 eq 20 10.10.4.0 0.0.0.255
interface f0/1
ip access-group 111 in
After that, I went to CMD on a computer in LAN2 and typed in: FTP 10.10.4.0 and got the response: Error opening 10.10.4.0 (timed out)
I want to ask if my ACL configuration is right and why I got the timed-out response above. Thank you!
09-16-2023 03:08 AM - edited 09-16-2023 03:13 AM
Hello @hoquocthienanh,
To successfully establish an FTP session, the active FTP mode of operation uses control port 21 and the data port of 20.
Also, perhaps you are in passive mode; then the server answers with a higher port and not port 20.
09-16-2023 03:14 AM
I also tried with another config:
access-list 112 permit tcp 10.10.2.0 0.0.0.255 10.10.4.0 0.0.0.255 eq ftp
access-list 112 permit tcp 10.10.2.0 0.0.0.255 10.10.4.0 0.0.0.255 gt 1023
But I still got the same result.
09-16-2023 03:27 AM
Add log to the ACL and add deny any any log to your ACL.
Let's see what happened with the ACL.
09-16-2023 03:30 AM
Are you sure about that @hoquocthienanh?
access-list 112 permit tcp 10.10.2.0 0.0.0.255 10.10.4.0 0.0.0.255 gt 1023
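An added example, not from the thread: it parses the two ACLs posted above and evaluates them against the packets of the FTP control, active-data and passive-data connections described in the replies. It assumes f0/1 faces LAN2 (so the inbound ACL sees packets sourced from LAN2) and uses constructed hosts 10.10.2.5 and 10.10.4.5.

```python
import ipaddress
NAMED_PORTS = {"ftp": 21, "ftp-data": 20}  # names IOS accepts in place of a port number

def parse_ace(line):
    """Parse 'access-list N permit tcp SRC WC [eq|gt P] DST WC [eq|gt P]' into a dict."""
    tok = line.split()
    ace = {"action": tok[2], "ports": {}}
    i = 4  # tok[3] is the protocol; only tcp entries are handled here
    for side in ("src", "dst"):
        ace[side] = (int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1])))
        i += 2
        if i < len(tok) and tok[i] in ("eq", "gt"):
            p = tok[i + 1]
            ace["ports"][side] = (tok[i], int(p) if p.isdigit() else NAMED_PORTS[p])
            i += 2
    return ace

def ace_matches(ace, src_ip, src_port, dst_ip, dst_port):
    for side, ip, port in (("src", src_ip, src_port), ("dst", dst_ip, dst_port)):
        net, wildcard = ace[side]
        # Wildcard mask: 1 bits are "don't care", so only the 0 bits must be equal.
        if (int(ipaddress.IPv4Address(ip)) ^ net) & ~wildcard:
            return False
        if side in ace["ports"]:
            op, value = ace["ports"][side]
            if (op == "eq" and port != value) or (op == "gt" and port <= value):
                return False
    return True

def evaluate(acl_lines, packet):
    """First matching entry wins; a packet matching no entry hits the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, *packet):
            return ace["action"]
    return "deny"

ACL_111 = ["access-list 111 permit tcp 10.10.2.0 0.0.0.255 10.10.4.0 0.0.0.255 eq ftp",
           "access-list 111 permit tcp 10.10.2.0 0.0.0.255 eq 20 10.10.4.0 0.0.0.255"]
ACL_112 = ["access-list 112 permit tcp 10.10.2.0 0.0.0.255 10.10.4.0 0.0.0.255 eq ftp",
           "access-list 112 permit tcp 10.10.2.0 0.0.0.255 10.10.4.0 0.0.0.255 gt 1023"]

# Constructed packets entering f0/1 from LAN2 client 10.10.2.5 toward LAN4 FTP server 10.10.4.5.
PACKETS = {
    "control, client -> server:21": ("10.10.2.5", 49152, "10.10.4.5", 21),
    "active data, client reply -> server:20": ("10.10.2.5", 49153, "10.10.4.5", 20),
    "passive data, client -> server high port": ("10.10.2.5", 49154, "10.10.4.5", 50000),
}
if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(f"{name:42} acl 111: {evaluate(ACL_111, pkt):7} acl 112: {evaluate(ACL_112, pkt)}")
```

The second line of ACL 111 only matches packets whose source port is 20, which none of the modelled client packets carry, so both data connections fall to the implicit deny; the gt 1023 line of ACL 112 lets the passive data connection through, but also any other TCP from LAN2 to LAN4 high ports.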
09-16-2023 04:04 AM
Refer here also
09-16-2023 04:30 AM
I tried the same scenario and configurations in Cisco Packet Tracer.
It's working fine!
I think it's because of some limitations with GNS3.
Thanks
Gopinath