ACL allowing internal clients access to outside FTP data on cisco 3750

iosepmonica
Level 1

Hi,

I have this ACL on a cisco 3750 for allowing internal clients to access outside FTP servers, and I am concerned about the security hole that the last statement might create:

access-list 111 permit tcp 10.100.111.0 0.0.0.255 gt 1023 any eq ftp
access-list 111 permit tcp 10.100.111.0 0.0.0.255 gt 1023 any eq ftp-data
access-list 111 permit tcp 10.100.111.0 0.0.0.255 gt 1023 any gt 1023

This is the only way I could get internal clients to access FTP data outside the network/Internet.

The access-list is applied inbound on the VLAN interface on the 3750.

Will this expose clients to a security risk?

Thank you.



Julio Carvajal
VIP Alumni

Hello,

So this is applied on the internal interface right??

What FTP mode are you running? If it's passive, where the client initiates both connections, Control and Data channel, then you must have it like that... I mean it will not expose as this is traffic from your clients to the outside, not from outside to inside... You follow me?

Why don't you restrict traffic on the interface that is next to the outside world?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Correct, this is applied on the internal interface, and it is for internal clients accessing FTP servers on the Internet mostly.

In a typical environment, I would do this on a firewall, but in this particular case, this client wants it on the internal L3 switch. This switch has an interface that connects to a gateway for Internet access.

No connections initiated from outside to the internal clients are allowed at all, and the traffic going to the Internet only includes FTP, NTP and DNS.
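To make the discussion above concrete, here is an added example that is not part of the thread: a small Python evaluator for the three access-list 111 lines quoted in the question, using IOS first-match semantics plus the implicit deny, for the only direction the ACL sees when applied inbound on the VLAN interface (packets sourced by the internal clients). The client and server addresses, ports and flow names are constructed. It shows that the third line is what lets a passive-mode data connection (client high port to server high port) through, and that the same line also permits any outbound TCP connection from a client high port to any high port on any host, which is exactly the breadth the asker is worried about; the `wide_open_aces` check flags that line. A UDP DNS query falls to the implicit deny here because only the three TCP lines from the question are modelled.

```python
# Added example (not from the original thread): evaluate the three
# access-list 111 lines from the question against constructed client flows.
# Models IOS first-match ACL semantics plus the implicit deny, in the
# direction the ACL actually sees: traffic sourced by the internal clients.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# IOS resolves these keywords to port numbers inside an ACL.
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "domain": 53, "ntp": 123}

# The three ACEs exactly as quoted in the question.
ACL_111 = [
    "access-list 111 permit tcp 10.100.111.0 0.0.0.255 gt 1023 any eq ftp",
    "access-list 111 permit tcp 10.100.111.0 0.0.0.255 gt 1023 any eq ftp-data",
    "access-list 111 permit tcp 10.100.111.0 0.0.0.255 gt 1023 any gt 1023",
]

@dataclass(frozen=True)
class Ace:
    action: str                          # "permit" or "deny"
    proto: str                           # "tcp", "udp" or "ip"
    src: Tuple[int, int]                 # (address, wildcard) as integers
    src_port: Optional[Tuple[str, int]]  # (operator, port) or None
    dst: Tuple[int, int]
    dst_port: Optional[Tuple[str, int]]

def _addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z'; return (address, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))

def _port(tokens):
    """Consume an optional 'eq|gt|lt <port>' qualifier (a subset of IOS operators)."""
    if tokens and tokens[0] in ("eq", "gt", "lt"):
        op, val = tokens.pop(0), tokens.pop(0)
        return op, PORT_NAMES.get(val) or int(val)
    return None

def parse_ace(line):
    """Parse one numbered extended ACL line: permit|deny proto SRC [port] DST [port]."""
    tokens = line.split()
    assert tokens[0] == "access-list"
    tokens = tokens[2:]                  # drop 'access-list' and the list number
    action, proto = tokens.pop(0), tokens.pop(0)
    src, src_port = _addr(tokens), _port(tokens)
    dst, dst_port = _addr(tokens), _port(tokens)
    return Ace(action, proto, src, src_port, dst, dst_port)

def _addr_match(net, ip):
    addr, wild = net                     # wildcard bit set = "don't care"
    return (ip & ~wild & 0xFFFFFFFF) == (addr & ~wild & 0xFFFFFFFF)

def _port_match(qual, port):
    if qual is None:
        return True
    op, val = qual
    return {"eq": port == val, "gt": port > val, "lt": port < val}[op]

@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def evaluate(acl, flow):
    """Return (action, ace_index) for the first matching ACE; index None = implicit deny."""
    s = int(ipaddress.IPv4Address(flow.src_ip))
    d = int(ipaddress.IPv4Address(flow.dst_ip))
    for i, ace in enumerate(acl):
        if ace.proto not in ("ip", flow.proto):
            continue
        if (_addr_match(ace.src, s) and _port_match(ace.src_port, flow.src_port)
                and _addr_match(ace.dst, d) and _port_match(ace.dst_port, flow.dst_port)):
            return ace.action, i
    return "deny", None

def wide_open_aces(acl):
    """Indices of permit ACEs whose destination is 'any' with no single port:
    these admit far more than the FTP service they were written for."""
    return [i for i, a in enumerate(acl)
            if a.action == "permit" and a.dst == (0, 0xFFFFFFFF)
            and (a.dst_port is None or a.dst_port[0] in ("gt", "lt"))]

ACL = [parse_ace(line) for line in ACL_111]
CLIENT = "10.100.111.25"                 # constructed internal client
SAMPLE_FLOWS = {                         # constructed flows, client -> outside
    "ftp control":       Flow("tcp", CLIENT, 51000, "203.0.113.10", 21),
    "passive ftp data":  Flow("tcp", CLIENT, 51001, "203.0.113.10", 50123),
    "active ftp data":   Flow("tcp", CLIENT, 51002, "203.0.113.10", 20),
    "any high tcp port": Flow("tcp", CLIENT, 51003, "198.51.100.7", 8443),
    "dns query":         Flow("udp", CLIENT, 51004, "198.51.100.53", 53),
    "other subnet":      Flow("tcp", "10.100.112.5", 51000, "203.0.113.10", 21),
}

def report():
    return {name: evaluate(ACL, f) for name, f in SAMPLE_FLOWS.items()}

if __name__ == "__main__":
    for name, (action, idx) in report().items():
        where = "implicit deny" if idx is None else ACL_111[idx].split("access-list 111 ")[1]
        print(f"{name:18s} -> {action:6s} ({where})")
    print("over-broad ACE indices:", wide_open_aces(ACL))
```

Run as a script it prints which line each flow hits. The useful reading is the pair "passive ftp data" and "any high tcp port": both land on the third ACE, so the line cannot be narrowed without breaking passive FTP, which is why the accepted reply points at stateful inspection or at controlling the outside-facing interface instead.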

Hello,

Yes, so that would be the only way to make it happen as you will need some sort of inspection in order to open the right pinholes for the outgoing Data channel, but if everything for out to in is being denied you should be good to go.

Regards,

Remember to rate all of the helpful posts

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thank you very much!

Hello,

Hey man my pleasure,

Remember to rate all of the helpful posts and can you mark the question as answered?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC