
Can't get FTP ACL to work


Hi, I am trying to configure an extended named ACL for this router in Packet Tracer for an assignment, and nothing I do seems to work. I am trying to get just one network to have access to FTP. The current commands I have are:


ip access-list extended Web
permit tcp host eq 20
permit tcp host eq 21

Then I apply it to an interface:

int g0/0
ip access-group Web out

Nothing happens; when I go into simulation mode it's like it doesn't even create an FTP packet. What am I missing? Any help is greatly appreciated.





Can you expand on whether FTP works without an ACL?

If it's working properly without the ACL, then apparently the ACL is indeed the problem, and you can try to work according to the answer at the following link:

Richard Burts
Hall of Fame Community Legend

The question of whether FTP works without the ACL is a very good one. Are you successful in using FTP with

It would help us provide better suggestions if we knew more about your environment. What is int g0/0?

I would also ask whether there is more to the ACL than the two lines that you show. If the ACL has just those lines and is applied outbound on that interface, then Internet access is not going to work.



Thanks for the responses. So, FTP does work without the ACL. I have tried making it inbound instead of outbound and I get the same result. There are more lines in the ACL within the assignment, but this one specifically I didn't know how to do, so I just put this one on first with no other lines to see if it worked. Int g0/0 is referring to interface G0/0, which is me applying the ACL to that interface for outbound traffic. I have also attached the Packet Tracer zip for reference; the ACL is on router BltRtr2 and is applied to interface G0/0. The goal is to allow only the network access to FTP. Thank you for all the help.


Edit: The username and password for the FTP server are both cisco

Edit 2: The example FTP server I am trying to access is, when I FTP to it works, but not to even after re-writing the ACL to the following:

permit tcp any eq 20
permit tcp any eq 21



At first glance, your access list is missing the '8' in the second octet:


ip access-list extended FTP
permit tcp host eq 20
permit tcp host eq ftp


Try and change that to:


ip access-list extended FTP
permit tcp host eq 20
permit tcp host eq ftp

Georg Pauwen
VIP Master



At first glance I would say you have to apply the access list inbound, as the network is on the inside?


Either way, post the zipped Packet Tracer project (.pkt) file...
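Pulling together Richard's point about the implicit deny and Georg's point about direction, here is an added example configuration; it is not from any post in this thread, and the LAN 192.0.2.0/24, the server 198.51.100.10 and GigabitEthernet0/0 as the LAN-facing interface are constructed assumptions.

```cisco
! Added example, not taken from any post in this thread. Constructed placeholders:
! 192.0.2.0/24 is the one LAN allowed to use FTP, 198.51.100.10 is the FTP server,
! and GigabitEthernet0/0 is assumed to be the interface facing that LAN.
ip access-list extended Web
 remark FTP control (21) and active-mode data (20) from the permitted LAN only
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq ftp
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq ftp-data
 remark explicitly block FTP to this server from every other source
 deny   tcp any host 198.51.100.10 eq ftp
 deny   tcp any host 198.51.100.10 eq ftp-data
 remark without this line the implicit deny at the end drops ALL other traffic
 permit ip any any
!
interface GigabitEthernet0/0
 description LAN side: filter client traffic as it enters the router
 ip access-group Web in
!
! Verification: the per-line hit counters show which entry each FTP attempt matched
show access-lists Web
show ip interface GigabitEthernet0/0
```

These entries cover active-mode FTP; a client in passive mode opens its data connection to a high server port, which the ftp-data line does not permit.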

paul driver
VIP Expert

As this is a public-facing interface and you want to open up FTP, I suggest you apply a Context Based ACL to accommodate initiation of FTP and bootpc (for DHCP) externally
but deny everything else externally from initiating a connection.


access-list 100 permit tcp any any eq ftp
access-list 100 permit udp any any eq bootpc
access-list 100 deny ip any any
access-list 101 permit ip any any

! inspection rule named "cbac", referenced by "ip inspect cbac out" on the interface
ip inspect name cbac tcp
ip inspect name cbac udp
ip inspect name cbac icmp

interface gig0/0
ip inspect cbac out
ip access-group 100 in
ip access-group 101 out

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards