Re: set up ACL for allow FTP connection

hoquocthienanh · ‎09-16-2023

I have a network diagram as above and was asked to implement the ACL to allow FTP traffic between LAN2 and LAN4, I config my ACL like below:

access-list 111 permit tcp 10.10.2.0 0.0.0.255 10.10.4.0 0.0.0.255 eq ftp

access-list 111 permit tcp 10.10.2.0 0.0.0.255 eq 20 10.10.4.0 0.0.0.255

interface f0/1

ip access-group 111 in

After that, I went to CMD of a computer in LAN2 then type in: FTP 10.10.4.0 and get the response: Error opening 10.10.4.0 (timed out)

I want to ask if my ACL configuration is right and why did I get the timed out response above. Thank you!

M02@rt37 · ‎09-16-2023

To successfully establish an FTP session, the active FTP mode of operation uses control port 21 and the data port of 20.

Also, perhaps your are in Passive mode then serveur answer with the higher port and not port 20.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

hoquocthienanh · ‎09-16-2023

I also tried with another config:

access-list 112 permit tcp 10.10.2.0 0.0.0.255 10.10.4.0 0.0.0.255 eq ftp

access-list 112 permit tcp 10.10.2.0 0.0.0.255 10.10.4.0 0.0.0.255 gt 1023

But still got the same result

MHM Cisco World · ‎09-16-2023

Add log to acl and add deny any any log to your acl

Let see what happened with acl

M02@rt37 · ‎09-16-2023

Are you sure about that @hoquocthienanh ?

access-list 112 permit tcp 10.10.2.0 0.0.0.255 10.10.4.0 0.0.0.255 gt 1023

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

M02@rt37 · ‎09-16-2023

Refer here also

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Blue_Bird · ‎09-16-2023

I tried the same scenario and configuations in Cisco Packet tracer

Its working fine...!!

I think....it's because some limitations with gns3

Thanks

Gopinath