02-21-2005 07:54 AM - edited 03-02-2019 09:47 PM
hi!
What I'm trying to do is to enable FTP access from host A (router1) to host B (router2) and block all other traffic except FTP. All traffic from host B (router2) to host A (router1) should be blocked.
I tried the access-list below on router1 (outbound):
access-list 101 permit tcp host 192.168.10.10 host 192.168.20.10 eq 21
access-list 101 permit tcp host 192.168.20.10 eq 20 host 192.168.10.10
The result is that I'm able to FTP from host 192.168.10.10 to host 192.168.20.10. I used this access-list with reference to the Cisco doc on how to configure an ACL to permit FTP traffic.
My question is: what other access-list statements should I use so that I can allow only FTP from host A to host B and deny all other traffic from host A to B and from host B to A? Thanks!
02-21-2005 08:36 AM
The access-list you have made is pretty effective, as all access-lists have an implicit "deny everything else" at the end.
Kevin Dorrell
Luxembourg
02-21-2005 04:54 PM
Configure an inbound ACL on router1 as follows:
access-list 102 permit tcp host 192.168.20.10 host 192.168.10.10 established
This way, traffic already established by an ftp session (return packets from host B) will be permitted, anything else is denied.
In other words, all traffic from host B to host A will be denied, unless the traffic is in response to an ftp session initiated from A.
HTH
Mustafa
02-21-2005 05:39 PM
hi!
What I don't understand is my second access-list statement:
access-list 101 permit tcp host 192.168.10.10 host 192.168.20.10 eq 21
access-list 101 permit tcp host 192.168.20.10 eq 20 host 192.168.10.10
Shouldn't that be inbound, as the source host is behind the other router? Shouldn't it be an incoming packet instead of an outgoing packet?
Thanks!
02-21-2005 09:46 PM
I just realized that the IP addresses are flipped on the second line.
The access-list should be:
access-list 101 permit tcp host 192.168.10.10 host 192.168.20.10 eq 21
access-list 101 permit tcp host 192.168.10.10 eq 20 host 192.168.20.10
Although the second line is not needed.
This is the outbound ACL applied to router1.
For inbound traffic, you need to apply another ACL:
access-list 102 permit tcp host 192.168.20.10 host 192.168.10.10 established
This inbound ACL should be applied to the same interface on router1 with:
ip access-group 102 in
If I understand your question correctly, the access-list does not determine which direction traffic is filtered in; the ip access-group in/out does. However, the order of IP addresses is important: in ACL 101 the source is host A and the destination (outbound with respect to router1) is host B. In ACL 102 the source is host B and the destination (inbound with respect to router1) is host A.
Another issue you may run into is passive-mode FTP, which requires additional, less secure configuration.
02-22-2005 05:03 AM
Hi!
What do you mean by "passive-mode FTP, which requires additional, less secure configuration"?
What's passive-mode FTP? Why does it require additional, less secure configuration? Thanks!
02-22-2005 07:43 AM
What I'm trying to do is to enable FTP access from host A (router1) to host B (router2) and block all other traffic except FTP. All traffic from host B (router2) to host A (router1) should be blocked.
I tried the access-list below on router1 (outbound):
access-list 101 permit tcp host 192.168.10.10 host 192.168.20.10 eq 21
access-list 101 permit tcp host 192.168.20.10 eq 20 host 192.168.10.10
I got the access-list sample from the Cisco website. I don't understand the second statement; can anyone explain? From my understanding, that 2nd ACL line should be applied inbound and not outbound on router1, right? Thanks!
02-22-2005 10:30 AM
The answer to your question is that FTP consists of two connections. One is a control connection, and the other is a data connection. They run on port 21 and port 20, respectively.
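To make the two-connection behaviour and the "passive mode needs less secure configuration" remark above concrete, here is an added worked example (my own code, not from any post in this thread or from Cisco). It models the two ACLs posted above (101 applied outbound, 102 applied inbound with `established`) as a small packet matcher and runs the packets of an active-mode and a passive-mode FTP session from host A (192.168.10.10) to host B (192.168.20.10) through them. The client-side ports 40000/40001 and the passive data port 50000 are constructed values. The model encodes the IOS rule that `established` only matches TCP segments with ACK or RST set, so a fresh SYN never matches it; the `ACL_101_ACTIVE`, `ACL_102_ACTIVE` and `ACL_101_PASSIVE` lists are my illustrations of the extra entry each mode needs, not configuration quoted from the thread.

```python
"""Simulate Cisco IOS extended ACL matching for an FTP session (added example).

Constructed scenario: host A (client) behind router1, host B (server) behind
router2.  ACL 101 is applied `ip access-group 101 out`, ACL 102 is applied
`ip access-group 102 in`, both on router1's interface towards B.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

A = "192.168.10.10"  # host A, FTP client
B = "192.168.20.10"  # host B, FTP server


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # True once ACK (or RST) is set, i.e. not the first SYN


@dataclass(frozen=True)
class Ace:
    """One `access-list N permit tcp host SRC [eq P] host DST [eq P] [established]` line."""
    src: str
    dst: str
    sport: Optional[int] = None                    # `eq` on the source port
    dport: Optional[int] = None                    # `eq` on the destination port
    dport_range: Optional[Tuple[int, int]] = None  # `range`/`gt` on the destination port
    established: bool = False                      # IOS: match only if ACK or RST is set

    def matches(self, p: Packet) -> bool:
        if (p.src, p.dst) != (self.src, self.dst):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.dport_range and not (self.dport_range[0] <= p.dport <= self.dport_range[1]):
            return False
        if self.established and not p.ack:
            return False
        return True


def permitted(acl: List[Ace], p: Packet) -> bool:
    """First matching permit wins; the implicit deny at the end catches everything else."""
    return any(ace.matches(p) for ace in acl)


# The ACLs as posted in the thread (corrected version of 101, and 102 with established).
ACL_101_OUT = [Ace(A, B, dport=21), Ace(A, B, sport=20)]
ACL_102_IN = [Ace(B, A, established=True)]

# Hypothetical additions (my illustration): what each FTP mode needs on top of the above.
# Active mode: the server opens the data connection *to* the client from port 20, so the
# inbound ACL must accept a fresh SYN from B:20, and the outbound ACL must let A answer it.
ACL_101_ACTIVE = [Ace(A, B, dport=21), Ace(A, B, dport=20, established=True)]
ACL_102_ACTIVE = [Ace(B, A, established=True), Ace(B, A, sport=20)]
# Passive mode: the client opens the data connection to a high port the server chooses,
# so the outbound ACL has to permit A -> B on any port above 1023 (the "less secure" part).
ACL_101_PASSIVE = [Ace(A, B, dport=21), Ace(A, B, dport_range=(1024, 65535))]


def check_session(mode: str, acl_out: List[Ace] = ACL_101_OUT,
                  acl_in: List[Ace] = ACL_102_IN) -> Dict[str, bool]:
    """Return {flow_name: permitted?} for the packets that matter in an FTP session."""
    ctl_port, cli_data_port, pasv_port = 40000, 40001, 50000  # constructed values
    flows = [
        ("control_syn_out", "out", Packet(A, ctl_port, B, 21)),
        ("control_synack_in", "in", Packet(B, 21, A, ctl_port, ack=True)),
    ]
    if mode == "active":
        # Server connects from port 20 to the port the client announced in its PORT command.
        flows += [("data_syn_in", "in", Packet(B, 20, A, cli_data_port)),
                  ("data_synack_out", "out", Packet(A, cli_data_port, B, 20, ack=True))]
    elif mode == "passive":
        # Client connects to the high port the server announced in its PASV reply.
        flows += [("data_syn_out", "out", Packet(A, cli_data_port, B, pasv_port)),
                  ("data_synack_in", "in", Packet(B, pasv_port, A, cli_data_port, ack=True))]
    else:
        raise ValueError(f"unknown FTP mode: {mode}")
    return {name: permitted(acl_out if d == "out" else acl_in, pkt) for name, d, pkt in flows}


if __name__ == "__main__":
    for label, mode, out_acl, in_acl in [
        ("thread ACLs, active", "active", ACL_101_OUT, ACL_102_IN),
        ("thread ACLs, passive", "passive", ACL_101_OUT, ACL_102_IN),
        ("active with extra entries", "active", ACL_101_ACTIVE, ACL_102_ACTIVE),
        ("passive with high-port permit", "passive", ACL_101_PASSIVE, ACL_102_IN),
    ]:
        print(label, check_session(mode, out_acl, in_acl))
```

Running it shows that with only the two posted ACLs the control connection completes in both modes, but neither data connection does: in active mode the server's SYN from port 20 is dropped by ACL 102 because `established` does not match a bare SYN, and in passive mode the client's SYN to the server's high port matches nothing in ACL 101. Active mode can be fixed with a narrow entry keyed on source port 20; passive mode forces an outbound permit to every port above 1023 on host B, which is why it was called less secure above. A stateful alternative on IOS (reflexive ACLs or CBAC's `ip inspect name ... ftp`, which tracks the PORT/PASV exchange) avoids the wide-open range, but that is outside what this model covers.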