ACL for permitting ftp traffic

goku-sun
Level 1

Given Host A with IP address 192.168.1.1/24 and FTP Server X with IP address 192.168.2.1/24, and a router used to route between them: if we are to block all traffic except ftp between the two, can the following ACLs achieve that?

hostname router

int e0

ip access-group 101 in

access-list 101 permit tcp host 192.168.1.1 host 192.168.2.1 eq ftp

I know something is missing in the config and I am not sure how to cater for the "returning" traffic...

Would appreciate any inputs from you experts

TIA

goku sun

5 Replies

Hello,

I think your access list has to look as follows:

access-list 101 permit tcp host 192.168.1.1 host 192.168.2.1 eq ftp

access-list 101 permit tcp host 192.168.1.1 eq ftp host 192.168.2.1

Can you try this and see if it works ?

Regards,

GP

Thanks for your advice GP.

As I don't have the equipment to verify, and after some reading, I found that port 20 (ftp-data) is also opened during an FTP session.

So will it look like something below?

access-list 101 permit tcp host 192.168.1.1 host 192.168.2.1 eq ftp

access-list 101 permit tcp host 192.168.1.1 host 192.168.2.1 eq ftp-data

Another big query of mine is that the above statements only cater for the direction from PC host to FTP server, so do we need to add extra ACLs to cater for some possible traffic in the opposite direction (say, those for keeping the session alive)?

Many Thanks,

That access list is correct.

Since your access list is only applied on the inbound interface, there is nothing restricting traffic in the opposite direction. Therefore, return traffic will be permitted.

Hope this helps.

Mark

Sorry if that sounds long-winded, but when you are saying "that access list is correct", do you mean gpauwen's ACL or mine?

If you think gpauwen's is correct then I don't understand the statement "access-list 101 permit tcp host 192.168.1.1 eq ftp host 192.168.2.1", since the host should not use the ftp port when having an FTP session.

Cheers.

Your ACL is the correct one. You need to open ftp-data (TCP port 20) for your data session to work properly. ftp (port 21) is only for the control session.

Hope this helps,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
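The following is an added example, not code from any poster in this thread: a small Python model of how the inbound ACL on e0 evaluates the FTP flows discussed above. It assumes e0 faces Host A's subnet (so only Host A -> Server X packets are checked), models the implicit deny at the end of the list, and goes one step beyond the thread by also showing why the same ACL blocks a passive-mode data channel (the ephemeral server port 50123 is a constructed value).

```python
# Added example (not from the thread): model of an inbound IOS extended ACL
# on e0. Assumption: e0 faces Host A's subnet, so only packets from Host A
# toward Server X are evaluated; the implicit "deny any" is modelled by
# returning False when no entry matches.
from dataclasses import dataclass
from typing import Optional

FTP, FTP_DATA = 21, 20          # named ports used by "eq ftp" / "eq ftp-data"
HOST_A, SERVER_X = "192.168.1.1", "192.168.2.1"


@dataclass(frozen=True)
class Ace:
    """One 'access-list 101 permit tcp host SRC host DST [eq PORT]' entry."""
    src: str
    dst: str
    dst_port: Optional[int] = None   # None means any destination port

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (self.src == src and self.dst == dst
                and (self.dst_port is None or self.dst_port == dport))


# access-list 101 permit tcp host 192.168.1.1 host 192.168.2.1 eq ftp
# access-list 101 permit tcp host 192.168.1.1 host 192.168.2.1 eq ftp-data
ACL_101 = [Ace(HOST_A, SERVER_X, FTP), Ace(HOST_A, SERVER_X, FTP_DATA)]


def permitted(acl, src: str, dst: str, dport: int) -> bool:
    """First matching entry wins; no match falls through to the implicit deny."""
    return any(ace.matches(src, dst, dport) for ace in acl)


def active_mode_flows() -> dict:
    """Packets from Host A entering e0 during an active-mode session. The
    server opens the data channel from port 20, so Host A's replies are
    addressed to port 20: that is the packet 'eq ftp-data' must permit."""
    return {"control": permitted(ACL_101, HOST_A, SERVER_X, FTP),
            "data_reply": permitted(ACL_101, HOST_A, SERVER_X, FTP_DATA)}


def passive_mode_flows() -> dict:
    """In passive mode Host A opens the data channel to an ephemeral server
    port (constructed value 50123), which this ACL does not list."""
    return {"control": permitted(ACL_101, HOST_A, SERVER_X, FTP),
            "data": permitted(ACL_101, HOST_A, SERVER_X, 50123)}
```

Traffic arriving on the other interface (Server X -> Host A) is never evaluated by this list, which is the point Mark makes about return traffic.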