Can't get FTP ACL to work

kshaffer82
Level 1

Hi, I am trying to configure an extended named ACL for this router in Packet Tracer for an assignment, and nothing I do seems to work. I am trying to get just one network to have access to FTP. The current commands I have are:

 

ip access-list extended Web
permit tcp 192.168.33.0 0.0.0.255 host 8.8.8.8 eq 20
permit tcp 192.168.33.0 0.0.0.255 host 8.8.8.8 eq 21

Then I apply it to an interface:

int g0/0
ip access-group Web out

Nothing happens; when I go into simulation mode it's like it doesn't even create an FTP packet. What am I missing? Any help is greatly appreciated.

6 Replies

pman
Spotlight

Hi,

 

Can you expand on whether FTP works without an ACL?

If it's working properly without the ACL, then apparently the ACL is indeed the problem, and you can try to work according to the answer at the following link:

https://community.cisco.com/t5/other-network-architecture/acl-ftp/m-p/351980

The question whether FTP works without the ACL is a very good question. Are you successful in using FTP with 8.8.8.8?

It would help us provide better suggestions if we knew more about your environment. What is int g0/0?

I would also ask if there is more to the ACL than the 2 lines that you show? If the ACL has just those lines and is applied to your outbound interface then Internet access is not going to work.

HTH

Rick

Thanks for the responses. So FTP does work without the ACL. I have tried making it inbound instead of outbound, and I get the same result. There are more lines in the ACL within the assignment, but this one specifically I didn't know how to do, so I just put this one on first with no other lines to see if it worked. Int g0/0 is referring to the interface G0/0; I am applying the ACL to that interface for outbound traffic. I have also attached the Packet Tracer zip for reference; the ACL is on router BltRtr2 and is applied to interface G0/0. The goal is to allow only the 192.168.33.0/24 network access to FTP. Thank you for all the help.

 

Edit: The username and password for the FTP server are both cisco

Edit 2: The example FTP server I am trying to access is ftp.cisco.com. When I FTP to 8.8.8.8 it works, but not to ftp.cisco.com, even after re-writing the ACL to the following:

permit tcp 192.168.33.0 0.0.0.255 any eq 20
permit tcp 192.168.33.0 0.0.0.255 any eq 21

Hello,

 

At first glance, your access list is missing the '8' in the second octet:

ip access-list extended FTP
permit tcp 192.16.33.0 0.0.0.255 host 8.8.8.8 eq 20
permit tcp 192.16.33.0 0.0.0.255 host 8.8.8.8 eq ftp

Try and change that to:

ip access-list extended FTP
permit tcp 192.168.33.0 0.0.0.255 host 8.8.8.8 eq 20
permit tcp 192.168.33.0 0.0.0.255 host 8.8.8.8 eq ftp
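The following is an added example (my own code, not from the thread, from Cisco, or from Packet Tracer) that reproduces the two rules IOS applies to the lines posted above: top-down first match using wildcard masks, and the implicit "deny ip any any" after the last line. Running the original ACL, the "Edit 2" ACL and the 192.16.33.0 typo against a few constructed packets shows why the typo blocks everything, why the "any" version still cannot reach ftp.cisco.com (the client's DNS query is UDP/53, which no line permits, so it falls to the implicit deny), and that the other networks stay blocked once a DNS line is added. All packets and the addresses 198.51.100.10 (a stand-in for whatever ftp.cisco.com resolves to) and 8.8.8.8-as-resolver are constructed assumptions; the extra "permit udp ... eq domain" line is my addition, not an answer from the thread.

```python
"""Stateless evaluator for Cisco-style extended ACL lines (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Subset of the port keywords IOS accepts after "eq"
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "domain": 53, "www": 80}


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp" or "udp"
    src: str              # "any", "host A.B.C.D" or "A.B.C.D W.X.Y.Z"
    dst: str
    dport: Optional[int]  # None when the line has no "eq"


def _take_addr(tokens: List[str], i: int):
    """Consume one address spec starting at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2   # address followed by wildcard mask


def parse_ace(line: str) -> Ace:
    """Parse one 'permit|deny proto src dst [eq port]' line."""
    t = line.split()
    src, i = _take_addr(t, 2)
    dst, i = _take_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        port = t[i + 1]
        dport = PORT_NAMES[port] if port in PORT_NAMES else int(port)
    return Ace(t[0], t[1], src, dst, dport)


def _addr_matches(spec: str, addr: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'do not care'."""
    if spec == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    if spec.startswith("host "):
        return a == int(ipaddress.IPv4Address(spec[5:]))
    base, wildcard = spec.split()
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (int(ipaddress.IPv4Address(base)) & care)


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching line wins; falling off the end is the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (_addr_matches(ace.src, pkt.src) and _addr_matches(ace.dst, pkt.dst)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


def evaluate_lines(lines: List[str], pkt: Packet) -> str:
    return evaluate([parse_ace(line) for line in lines], pkt)


# The ACLs from the thread, plus one line added here (assumption: the client
# has to resolve ftp.cisco.com through a DNS server on the far side of g0/0).
ACL_ORIGINAL = ["permit tcp 192.168.33.0 0.0.0.255 host 8.8.8.8 eq 20",
                "permit tcp 192.168.33.0 0.0.0.255 host 8.8.8.8 eq 21"]
ACL_EDIT2 = ["permit tcp 192.168.33.0 0.0.0.255 any eq 20",
             "permit tcp 192.168.33.0 0.0.0.255 any eq 21"]
ACL_TYPO = ["permit tcp 192.16.33.0 0.0.0.255 host 8.8.8.8 eq 20",
            "permit tcp 192.16.33.0 0.0.0.255 host 8.8.8.8 eq ftp"]
ACL_WITH_DNS = ACL_EDIT2 + ["permit udp 192.168.33.0 0.0.0.255 any eq domain"]

# Constructed sample packets leaving g0/0 from the inside network
FTP_TO_8888 = Packet("tcp", "192.168.33.10", "8.8.8.8", 21)
DNS_QUERY = Packet("udp", "192.168.33.10", "8.8.8.8", 53)          # resolving ftp.cisco.com
FTP_BY_NAME = Packet("tcp", "192.168.33.10", "198.51.100.10", 21)  # constructed stand-in address
FTP_OTHER_NET = Packet("tcp", "192.168.44.10", "8.8.8.8", 21)      # a network the assignment must block

if __name__ == "__main__":
    for name, acl in [("original", ACL_ORIGINAL), ("edit 2", ACL_EDIT2),
                      ("typo 192.16", ACL_TYPO), ("edit 2 + DNS", ACL_WITH_DNS)]:
        for label, pkt in [("ftp->8.8.8.8", FTP_TO_8888), ("dns query", DNS_QUERY),
                           ("ftp by name", FTP_BY_NAME), ("other net", FTP_OTHER_NET)]:
            print(f"{name:14} {label:14} {evaluate_lines(acl, pkt)}")
```

Two things the evaluator leaves out on purpose. It has no notion of direction: the packets above are only seen by the ACL if g0/0 is the interface they leave through and the ACL is applied "out" (applied "in" on the same interface, it would only evaluate traffic arriving from the far side). It is also stateless, exactly like an interface ACL: an FTP data connection that the server opens back towards the client is a separate flow that none of these permit lines describe, which is the problem stateful inspection (CBAC, as suggested further down the thread) exists to solve.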

Hello,

 

At first glance I would say you have to apply the access list inbound, as the 192.168.33.0/24 network is on the inside?

Either way, post the zipped Packet Tracer project (.pkt) file...

Hello
As this is a public-facing interface and you want to open up FTP, I suggest you apply Context-Based Access Control (CBAC) to accommodate initiation of FTP and bootpc (for DHCP) externally,
but deny everything else externally from initiating a connection.

! ACL 100: what the outside may initiate inbound on gig0/0
access-list 100 permit tcp any any eq ftp
access-list 100 permit udp any any eq bootpc
access-list 100 deny ip any any
! ACL 101: inside hosts may initiate anything outbound
access-list 101 permit ip any any

! Inspection rule "cbac": track outbound sessions so their return traffic is let back in
ip inspect name cbac tcp
ip inspect name cbac udp
ip inspect name cbac icmp

interface gig0/0
ip inspect cbac out
ip access-group 100 in
ip access-group 101 out

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul