ACL in Packet Tracer

encol

Hello everyone!

I'm new to this forum, and I'm not sure if this question is in the right place, so sorry for the noob question.

I'm studying ACLs, and doing some practice with Packet Tracer.

I'm trying to configure a packet-filtering router in Packet Tracer to allow FTP traffic to an FTP server.

I created the following ACL:

Extended IP access list 101
    10 permit tcp any host 10.10.10.128 eq www
    20 permit tcp any host 10.10.10.129 eq ftp
    30 permit icmp any host 10.10.10.129
    40 deny ip any any

(10.10.10.129 is the IP of my FTP server)

I can connect to FTP with the command

ftp 10.10.10.129

but neither the dir nor the get command works.

Here is the show access-lists output after a login and a dir:

Extended IP access list 101
    10 permit tcp any host 10.10.10.128 eq www
    20 permit tcp any host 10.10.10.129 eq ftp (13 match(es))
    30 permit icmp any host 10.10.10.129
    40 deny ip any any (12 match(es))

Where am I wrong?

I attach my .pkt file.

Thanks in advance

3 Replies

Dennis Mink

This is because the guys that designed FTP didn't fully understand TCP/IP:

http://slacksite.com/other/ftp.html

Depending on passive vs. active FTP, not just port 21 is being used. A firewall can do FTP inspection and will open the other port used within FTP dynamically. ACLs don't do this.

Log the deny any rule at the end and see what port it is blocking; that should give you some insight.


@Dennis Mink wrote:

Log the deny any rule at the end and see what port it is blocking; that should give you some insight.


I've tried to use a

deny ip any any log

rule, but PT gives me a

% Invalid input detected at '^' marker.

error pointing to the log keyword.

Maybe my PT version (7.1.0.0222) does not support logging, or I'm using the wrong syntax?

OK, I found a workaround.

I added a

permit tcp any host 10.10.10.129 gt 1023

rule, and now FTP works fine.

Is there any better solution?

Are there any security issues in opening ports greater than 1023?
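To see why the posted ACL 101 breaks the dir/get commands and what the gt 1023 workaround actually opens, here is an added Python example (not from the thread, the .pkt file, or Cisco). It models an IOS extended ACL with only the fields this question turns on (protocol, destination host, destination port; source addresses, source ports and the established keyword are ignored), parses the FTP 227 reply that a server sends after PASV to find the data port, and evaluates the client-to-server data connection against the original ACL, the workaround, and a narrowed alternative. The 227 reply, the data port 50000, and the assumption that the server can be pinned to passive ports 50000-50009 are all constructed for the example; which ports Packet Tracer's FTP server really picks is not known from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of IOS extended-ACL matching (not Cisco code). It checks only
# protocol, destination host and destination port: enough to show which FTP packets
# ACL 101 permits. Source address/port and 'established' are not modelled.

@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "icmp" or "ip" (ip matches every protocol)
    dst_host: Optional[str]     # None means "any"
    dport_op: Optional[str] = None   # "eq", "gt", "range" or None (no port test)
    ports: Tuple[int, ...] = ()

def ace_matches(ace: Ace, proto: str, dst: str, dport: int) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.dst_host is not None and ace.dst_host != dst:
        return False
    if ace.dport_op == "eq":
        return dport == ace.ports[0]
    if ace.dport_op == "gt":
        return dport > ace.ports[0]
    if ace.dport_op == "range":
        return ace.ports[0] <= dport <= ace.ports[1]
    return True

def acl_decision(acl: List[Ace], proto: str, dst: str, dport: int):
    """Return (action, seq) of the first matching ACE; implicit deny if nothing matches."""
    for ace in acl:
        if ace_matches(ace, proto, dst, dport):
            return ace.action, ace.seq
    return "deny", None

FTP_SERVER = "10.10.10.129"

# ACL 101 exactly as posted in the question.
ORIGINAL_ACL_101 = [
    Ace(10, "permit", "tcp", "10.10.10.128", "eq", (80,)),
    Ace(20, "permit", "tcp", FTP_SERVER, "eq", (21,)),
    Ace(30, "permit", "icmp", FTP_SERVER),
    Ace(40, "deny", "ip", None),
]
# The poster's workaround: "permit tcp any host 10.10.10.129 gt 1023" before the deny.
WORKAROUND_ACL_101 = (ORIGINAL_ACL_101[:3]
                      + [Ace(35, "permit", "tcp", FTP_SERVER, "gt", (1023,))]
                      + ORIGINAL_ACL_101[3:])
# Narrower alternative (assumption: the FTP server is configured to use only
# passive data ports 50000-50009, so only that range is permitted).
NARROW_ACL_101 = (ORIGINAL_ACL_101[:3]
                  + [Ace(35, "permit", "tcp", FTP_SERVER, "range", (50000, 50009))]
                  + ORIGINAL_ACL_101[3:])

# Passive-mode negotiation: the server answers PASV with a 227 reply carrying
# the host and port the client must connect to; port = p1 * 256 + p2.
PASV_REPLY = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply: str) -> Tuple[str, int]:
    m = PASV_REPLY.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def data_connection_decision(acl: List[Ace], pasv_reply: str):
    """Evaluate the client -> server SYN of the passive data connection, as an ACL
    applied inbound on the router interface facing the client would see it."""
    host, port = parse_pasv(pasv_reply)
    return acl_decision(acl, "tcp", host, port)

# Constructed 227 reply: 195 * 256 + 80 = 50000.
SAMPLE_PASV = "227 Entering Passive Mode (10,10,10,129,195,80)"

if __name__ == "__main__":
    print("control channel, dport 21: ", acl_decision(ORIGINAL_ACL_101, "tcp", FTP_SERVER, 21))
    print("original ACL, data channel:", data_connection_decision(ORIGINAL_ACL_101, SAMPLE_PASV))
    print("workaround, data channel:  ", data_connection_decision(WORKAROUND_ACL_101, SAMPLE_PASV))
    print("workaround, dport 3389:    ", acl_decision(WORKAROUND_ACL_101, "tcp", FTP_SERVER, 3389))
    print("narrow ACL, data channel:  ", data_connection_decision(NARROW_ACL_101, SAMPLE_PASV))
    print("narrow ACL, dport 3389:    ", acl_decision(NARROW_ACL_101, "tcp", FTP_SERVER, 3389))
```

The run shows the mechanics behind the match counters in the question: the control connection hits sequence 20, while the data connection to the negotiated high port falls through to the deny at sequence 40. The gt 1023 workaround makes the data channel pass, but it also makes every other TCP port above 1023 on the server reachable (3389 is used here only as an arbitrary high port), which is the security cost of that rule. Because an ACL is stateless it cannot learn the port from the 227 reply the way FTP inspection on a firewall does, so the closest a plain ACL gets is pinning the server's passive range and permitting only that range.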
