02-15-2022 03:13 AM
Good afternoon,
I have 2 VLANs, 100 and 110, working like this:
ip access-list extended vacl100
permit ip any any
ip access-list extended vacl110
permit tcp 172.18.110.0 0.0.0.255 172.18.100.0 0.0.0.255 established
permit icmp 172.18.110.0 0.0.0.255 172.18.100.0 0.0.0.255 echo-reply
permit tcp 172.18.110.0 0.0.0.255 host 172.18.100.60 eq cmd
permit udp 172.18.110.0 0.0.0.255 host 172.18.100.60 eq syslog
deny ip 172.18.110.0 0.0.0.255 172.18.100.0 0.0.0.255
permit ip any any
interface vlan 100
ip access-group vacl100 in
interface vlan 110
ip access-group vacl110 in
As you can see, I want traffic from 100 to 110 working in one direction only, except 110 to 110.60 tcp eq cmd and udp eq syslog.
My problem is that FTP connections from 100 to 110 are not working because of the "deny ip 172.18.110.0 0.0.0.255 172.18.100.0 0.0.0.255" line in "vacl110"...
Traffic from 110 to 110.60 is working fine.
Any help?
Solved! Go to Solution.
02-15-2022 11:42 PM
Just added one more line in "vacl110":
permit tcp 172.18.100.0 0.0.0.255 172.18.110.0 0.0.0.255
and FTP worked...
See ya.
02-15-2022 04:04 AM
If you would like FTP to work, then you need to add an ACL entry for FTP too.
Example:
permit tcp 172.18.110.0 0.0.0.255 172.18.100.0 0.0.0.255 eq 21 (this is for the whole network; if you know the FTP server IP, use that IP here)
You need to make a note of IN and OUT when applying an ACL on an interface:
IN means traffic coming into the router from that interface.
OUT means traffic leaving the router via that interface.
Some examples for reference:
https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html
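To see exactly where an FTP session falls through the posted vacl110, here is an added example (not code from the thread or from Cisco) that implements the first-match evaluation a Cisco extended ACL performs: wildcard masks, the "eq" port operator, the "established" keyword (which matches only TCP segments carrying ACK or RST), and the implicit deny at the end. It loads vacl110 as posted and evaluates it against the segments of an FTP session. The server and client addresses (172.18.110.5 and 172.18.100.7), the packet contents, and the extra "eq ftp-data" permit line are assumptions made for the example, not something from the thread; the extra line goes beyond the thread by showing a narrower alternative to a blanket permit.

```python
# Added example (not from the thread): first-match evaluation of a Cisco
# extended ACL, used to trace the posted vacl110 against an FTP session.
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

PORT_NAMES = {"cmd": 514, "syslog": 514, "ftp": 21, "ftp-data": 20}  # IOS port keywords
ICMP_TYPES = {"echo", "echo-reply"}


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()  # TCP flags, e.g. {"SYN"} or {"ACK"}
    icmp_type: str = ""


@dataclass
class Ace:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches any protocol
    src: str            # "net wildcard", "host x" or "any"
    dst: str
    sport_eq: Optional[int] = None
    dport_eq: Optional[int] = None
    established: bool = False  # matches only TCP segments with ACK or RST set
    icmp_type: Optional[str] = None


def _addr(t: List[str], i: int) -> Tuple[str, int]:
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return f"host {t[i + 1]}", i + 2
    return f"{t[i]} {t[i + 1]}", i + 2


def _port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(t) and t[i] == "eq":  # only "eq", which is all the posted ACL uses
        n = t[i + 1]
        return (PORT_NAMES[n] if n in PORT_NAMES else int(n)), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    t = line.split()
    src, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    rest = t[i:]
    return Ace(t[0], t[1], src, dst, sport, dport, "established" in rest,
               next((x for x in rest if x in ICMP_TYPES), None))


def wildcard_match(rule: str, addr: str) -> bool:
    if rule == "any":
        return True
    if rule.startswith("host "):
        return rule[5:] == addr
    net, wild = rule.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF  # 0 bits in the wildcard must match
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)


def matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and wildcard_match(ace.src, pkt.src) and wildcard_match(ace.dst, pkt.dst)
            and (ace.sport_eq is None or pkt.sport == ace.sport_eq)
            and (ace.dport_eq is None or pkt.dport == ace.dport_eq)
            and (not ace.established or bool(pkt.flags & {"ACK", "RST"}))
            and (ace.icmp_type is None or pkt.icmp_type == ace.icmp_type))


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, int]:
    """First matching entry wins; the implicit deny at the end reports line 0."""
    for n, ace in enumerate(acl, 1):
        if matches(ace, pkt):
            return ace.action, n
    return "deny", 0


# vacl110 exactly as posted in the thread.
VACL110 = [parse_ace(l) for l in """
permit tcp 172.18.110.0 0.0.0.255 172.18.100.0 0.0.0.255 established
permit icmp 172.18.110.0 0.0.0.255 172.18.100.0 0.0.0.255 echo-reply
permit tcp 172.18.110.0 0.0.0.255 host 172.18.100.60 eq cmd
permit udp 172.18.110.0 0.0.0.255 host 172.18.100.60 eq syslog
deny ip 172.18.110.0 0.0.0.255 172.18.100.0 0.0.0.255
permit ip any any
""".strip().splitlines()]

# Assumed hosts (not from the thread): FTP server on VLAN 110, client on VLAN 100.
SERVER, CLIENT = "172.18.110.5", "172.18.100.7"
# Server's reply on the control connection carries ACK, so "established" matches it.
FTP_CONTROL_REPLY = Packet("tcp", SERVER, CLIENT, 21, 50000, frozenset({"ACK"}))
# Active-mode data connection: the server opens it from port 20, so its first
# segment is a bare SYN, "established" cannot match, and the deny line catches it.
FTP_ACTIVE_DATA_SYN = Packet("tcp", SERVER, CLIENT, 20, 50001, frozenset({"SYN"}))
SYSLOG_TO_60 = Packet("udp", SERVER, "172.18.100.60", 40000, 514)

# Assumed narrower alternative: permit only server-initiated data connections
# from port 20, placed ahead of the deny.
VACL110_WITH_FTP_DATA = VACL110[:4] + [parse_ace(
    "permit tcp 172.18.110.0 0.0.0.255 eq ftp-data 172.18.100.0 0.0.0.255")] + VACL110[4:]

if __name__ == "__main__":
    for name, acl in (("vacl110", VACL110), ("vacl110 + ftp-data", VACL110_WITH_FTP_DATA)):
        for label, pkt in (("control reply", FTP_CONTROL_REPLY),
                           ("active data SYN", FTP_ACTIVE_DATA_SYN),
                           ("syslog to .60", SYSLOG_TO_60)):
            print(f"{name:20} {label:16} -> {evaluate(acl, pkt)}")
```

The trace shows that the control connection and a passive-mode data connection (both opened by the client on VLAN 100) are fine, because every segment the server sends back carries ACK and hits line 1; only an active-mode data connection, which the server opens itself, reaches the deny on line 5. Any permit for it has to sit above that deny, since the first match wins; on IOS that means entering it with a lower sequence number rather than appending it. Restricting the permit to source port 20 keeps the one-direction policy for everything else, whereas a blanket permit between the two networks reopens the direction the deny was meant to close.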
02-15-2022 10:39 PM
I have already solved the problem on my own, thanks for replying.
Regards.