07-21-2004 05:48 AM - edited 03-02-2019 05:12 PM
OK, I have been using the PIX too much. I need an "in" ACL on the serial1 interface of a 1700 series router. Here is what it looks like from top down:
10.0.33.26
|
Router1
s1-192.168.3.2
|
|
s1-192.168.3.1
Router2
|
ftpserver
192.168.2.18
I am FTP'ing from 10.0.33.26 to 192.168.2.18. All FTP works great until I put access-list 101 on the S1 interface. It is not a routing issue.
Port 21 connects great, but port 20 dies. I can log in to the Win2k3 FTP server, but if I do an LS or DIR, no info is returned. Trying to send files is the same.
Here is what I have:
access-list 101 permit tcp 192.168.2.0 0.0.0.255 host 10.0.33.26 eq ftp log
access-list 101 permit tcp 192.168.2.0 0.0.0.255 eq ftp-data host 10.0.33.26 gt 1024 log
access-list 101 permit tcp 192.168.2.0 0.0.0.255 host 10.0.33.26 established log
access-list 101 permit tcp 192.168.2.0 0.0.0.255 host 10.0.33.26 gt 1024 established
access-list 101 permit tcp 192.168.2.0 0.0.0.255 eq ftp host 10.0.33.26 gt 1024
=====
I don't see any of the FTP statements getting hits. Only the tcp established statement is getting hits.
Suggestions please.
Thanks.
07-21-2004 07:06 AM
You will have to use CBAC. Check for documentation on CBAC on CCO.
07-21-2004 07:28 AM
I need an ACL for a 1700 series router. CBAC doesn't apply here.
07-21-2004 07:58 AM
In active mode FTP the client connects from a random unprivileged port (N > 1024) to the FTP server's command port, port 21. Then the client starts listening on port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client's specified data port from its local data port, which is port 20.
From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened:
FTP server's port 21 from anywhere (Client initiates connection)
FTP server's port 21 to ports > 1024 (Server responds to client's control port)
FTP server's port 20 to ports > 1024 (Server initiates data connection to client's data port)
FTP server's port 20 from ports > 1024 (Client sends ACKs to server's data port)
Add an ACL accordingly. You might also want to check by logging the ACL and looking at the ports and IP addresses that are dropped.
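To make the reply concrete, here is an added example (not from the thread or from IOS) that evaluates the five lines posted in the question the way the router would, first match wins with the implicit deny at the end, against the server-to-client packets of the active-mode session described above; N = 1030 is a constructed client control port, and wildcard masks are assumed contiguous. Comparing the predicted line hits with the `log` counters the reply suggests checking shows whether the session on the wire is really this textbook active-mode exchange.

```python
import ipaddress
# Added example: first-match evaluator for IOS extended ACL lines; "established" = ACK or RST set.
PORT_NAMES = {"ftp": 21, "ftp-data": 20}          # only the names this thread uses

def _take_addr(tok):
    """Consume 'host A' or 'A WILDCARD' (contiguous wildcards only); return (network, rest)."""
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    mask = ~int(ipaddress.ip_address(tok[1])) & 0xFFFFFFFF          # wildcard -> netmask
    return ipaddress.ip_network((tok[0], str(ipaddress.ip_address(mask)))), tok[2:]

def _take_port(tok):
    """Consume an optional 'eq P' / 'gt P' qualifier; return (predicate, rest)."""
    if tok and tok[0] in ("eq", "gt"):
        p, op = PORT_NAMES.get(tok[1]) or int(tok[1]), tok[0]
        return (lambda x: x == p if op == "eq" else x > p), tok[2:]
    return (lambda x: True), tok

def parse_ace(line):
    """Parse 'access-list N permit|deny tcp SRC [eq|gt P] DST [eq|gt P] [established] [log]'."""
    tok = line.split()
    src, rest = _take_addr(tok[4:])             # tok[2] is the action, tok[3] the protocol
    sport, rest = _take_port(rest)
    dst, rest = _take_addr(rest)
    dport, rest = _take_port(rest)
    return {"permit": tok[2] == "permit", "src": src, "sport": sport,
            "dst": dst, "dport": dport, "established": "established" in rest}

def lookup(acl, src, sport, dst, dport, ack):
    """Index of the first matching line and whether it permits; (None, False) = implicit deny."""
    for i, ace in enumerate(acl):
        if (ipaddress.ip_address(src) in ace["src"] and ace["sport"](sport)
                and ipaddress.ip_address(dst) in ace["dst"] and ace["dport"](dport)
                and (ack or not ace["established"])):
            return i, ace["permit"]
    return None, False

# The five lines posted in the question, inbound on the server-facing serial interface.
ACL = [parse_ace(l) for l in [
    "access-list 101 permit tcp 192.168.2.0 0.0.0.255 host 10.0.33.26 eq ftp log",
    "access-list 101 permit tcp 192.168.2.0 0.0.0.255 eq ftp-data host 10.0.33.26 gt 1024 log",
    "access-list 101 permit tcp 192.168.2.0 0.0.0.255 host 10.0.33.26 established log",
    "access-list 101 permit tcp 192.168.2.0 0.0.0.255 host 10.0.33.26 gt 1024 established",
    "access-list 101 permit tcp 192.168.2.0 0.0.0.255 eq ftp host 10.0.33.26 gt 1024"]]
SERVER, CLIENT, N = "192.168.2.18", "10.0.33.26", 1030    # N: constructed client control port

def active_ftp_hits():
    """Server->client packets of one active-mode session, as the reply above lays them out."""
    return {"control reply 21->N (ACK)": lookup(ACL, SERVER, 21, CLIENT, N, True),
            "data SYN 20->N+1 (no ACK)": lookup(ACL, SERVER, 20, CLIENT, N + 1, False),
            "data segment 20->N+1 (ACK)": lookup(ACL, SERVER, 20, CLIENT, N + 1, True)}
```

Line indexes are zero-based, so the control reply lands on the third line (the `established` one) and both data-connection packets on the second (`eq ftp-data ... gt 1024`); a SYN from any other server port to the client's data port hits nothing and is dropped by the implicit deny.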