FTP not working with ACLs

Franfm
Level 1

Good afternoon,

I have 2 VLANS, 100 and 110 working like this:

ip access-list extended vacl100
 permit ip any any

ip access-list extended vacl110
 permit tcp 172.18.110.0 0.0.0.255 172.18.100.0 0.0.0.255 established
 permit icmp 172.18.110.0 0.0.0.255 172.18.100.0 0.0.0.255 echo-reply
 permit tcp 172.18.110.0 0.0.0.255 host 172.18.100.60 eq cmd
 permit udp 172.18.110.0 0.0.0.255 host 172.18.100.60 eq syslog
 deny ip 172.18.110.0 0.0.0.255 172.18.100.0 0.0.0.255
 permit ip any any

interface vlan 100
 ip access-group vacl100 in

interface vlan 110
 ip access-group vacl110 in

 

As you can see, I want traffic to work from 100 to 110 in only one direction, except 110 to 110.60 tcp eq cmd and udp eq syslog.

My problem is that FTP connections from 100 to 110 are not working because of the "deny ip 172.18.110.0 0.0.0.255 172.18.100.0 0.0.0.255" line in "vacl110"...

Traffic from 110 to 110.60 is working fine.

Any help?

1 Accepted Solution

Just added one more line in "vacl110":

permit tcp 172.18.100.0 0.0.0.255 172.18.110.0 0.0.0.255

and ftp worked...

See ya.

3 Replies

balaji.bandi
Hall of Fame

If you would like FTP to work, then you need to add an ACL for FTP too.

Example:

permit tcp 172.18.110.0 0.0.0.255 172.18.100.0 0.0.0.255 eq 21  (this is for the whole network; if you know the FTP server IP, replace it with that IP here)

You need to make a note of IN and OUT when you use it on an interface:

IN - means traffic coming into the router from that interface.

OUT - means traffic leaving the router interface.

Some examples for reference:

https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html


BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
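
Added example, not part of any post in this thread: a small first-match evaluator for "vacl110" as posted in the question, showing which entry an inbound packet on interface vlan 110 hits. It assumes the failing FTP session used active mode (the thread does not say), where the server opens the data connection back to the client as a new TCP connection; the host addresses and ports in the sample packet are constructed.

```python
import ipaddress

# vacl110 exactly as posted in the question (applied inbound on interface vlan 110).
VACL110 = """\
permit tcp 172.18.110.0 0.0.0.255 172.18.100.0 0.0.0.255 established
permit icmp 172.18.110.0 0.0.0.255 172.18.100.0 0.0.0.255 echo-reply
permit tcp 172.18.110.0 0.0.0.255 host 172.18.100.60 eq cmd
permit udp 172.18.110.0 0.0.0.255 host 172.18.100.60 eq syslog
deny ip 172.18.110.0 0.0.0.255 172.18.100.0 0.0.0.255
permit ip any any"""
PORTS = {"cmd": 514, "syslog": 514}  # IOS keywords: cmd = TCP 514, syslog = UDP 514

def ip(s):
    return int(ipaddress.IPv4Address(s))

def take_addr(tok):  # consume "any" | "host A" | "A wildcard" -> (base, wildcard)
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return ip(tok.pop(0)), 0
    return ip(first), ip(tok.pop(0))

def parse(line):
    tok = line.split()
    ace = {"text": line, "action": tok.pop(0), "proto": tok.pop(0)}
    ace["src"], ace["dst"] = take_addr(tok), take_addr(tok)
    ace["dport"] = PORTS[tok[1]] if tok[:1] == ["eq"] else None
    ace["opts"] = tok  # remaining keywords, e.g. established, echo-reply
    return ace

def in_net(addr, spec):  # wildcard bits set to 1 are "don't care"
    return (ip(addr) | spec[1]) == (spec[0] | spec[1])

def matches(ace, p):
    return (ace["proto"] in ("ip", p["proto"])
            and in_net(p["src"], ace["src"]) and in_net(p["dst"], ace["dst"])
            and ace["dport"] in (None, p.get("dport"))
            # 'established' matches only TCP segments with ACK or RST set
            and ("established" not in ace["opts"] or any(f in p.get("flags", "") for f in "AR"))
            and ("echo-reply" not in ace["opts"] or p.get("icmp_type") == 0))

def evaluate(acl_text, packet):  # first match wins; implicit deny at the end
    for ace in map(parse, acl_text.splitlines()):
        if matches(ace, packet):
            return ace["action"], ace["text"]
    return "deny", "(implicit deny)"

# Constructed packet: active-mode FTP data connection, server 110.10:20 -> client 100.5, SYN only
FTP_DATA_SYN = {"proto": "tcp", "src": "172.18.110.10", "dst": "172.18.100.5", "dport": 50001, "flags": "S"}
```

`evaluate(VACL110, FTP_DATA_SYN)` returns the `deny ip` entry, because a bare SYN does not satisfy `established`; the same packet with the ACK flag set (reply traffic on a connection the client opened) is permitted by the first entry.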

Franfm
Level 1

I have already solved the problem on my own, thanks for replying.

Regards.
