Need help with router FTP ACL

dmooreabc
Level 1

OK, I have been using the PIX too much. I need an "in" ACL on the Serial1 interface of a 1700 series router. Here is what it looks like from top down:

10.0.33.26
  |
Router1
s1 - 192.168.3.2
  |
  |
s1 - 192.168.3.1
Router2
  |
ftpserver
192.168.2.18

I am FTPing from 10.0.33.26 to 192.168.2.18. All FTP is great till I put access-list 101 on the S1 interface. It is not a routing issue.

Port 21 connects great, but port 20 dies. I can log in to the Win2k3 FTP server, but if I do an ls or dir, no info is returned. Trying to send files is the same.

Here is what I have:

access-list 101 permit tcp 192.168.2.0 0.0.0.255 host 10.0.33.26 eq ftp log
access-list 101 permit tcp 192.168.2.0 0.0.0.255 eq ftp-data host 10.0.33.26 gt 1024 log
access-list 101 permit tcp 192.168.2.0 0.0.0.255 host 10.0.33.26 established log
access-list 101 permit tcp 192.168.2.0 0.0.0.255 host 10.0.33.26 gt 1024 established
access-list 101 permit tcp 192.168.2.0 0.0.0.255 eq ftp host 10.0.33.26 gt 1024

=====

I don't see any of the FTP statements getting hits. Only the tcp established statement is getting hits.

Suggestions please.

thanks

3 Replies

thisisshanky
Level 11

You will have to use CBAC. Check for documentation on CBAC on CCO.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

I need an ACL for a 1700 series router. CBAC doesn't apply here.

In active mode FTP the client connects from a random unprivileged port (N > 1024) to the FTP server's command port, port 21. Then the client starts listening on port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client's specified data port from its local data port, which is port 20.

From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened:

FTP server's port 21 from anywhere (Client initiates connection)

FTP server's port 21 to ports > 1024 (Server responds to client's control port)

FTP server's port 20 to ports > 1024 (Server initiates data connection to client's data port)

FTP server's port 20 from ports > 1024 (Client sends ACKs to server's data port)

Add an ACL accordingly. You might also want to check by logging the ACL and looking at the ports and IP addresses that are dropped.
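As an added example, not code from the original thread or from Cisco: a small Python model of IOS extended-ACL first-match evaluation, run over the packets of the active-mode session described in the reply above. It parses the access-list 101 entries posted in the question, applies them to the server-to-client packets that an inbound ACL on Router1's serial interface would see, and reports which entry each packet hits (or the implicit deny). It also goes slightly beyond the reply by turning the four channels listed above into a server-side inbound ACL; that ACL, the client control port N = 1025 and the data port N + 1 = 1026 are assumptions made for the illustration. The parser handles only the syntax subset used here (host/any/wildcard addresses, eq/gt/lt/neq port operators, established).

```python
"""Model of Cisco IOS extended-ACL matching, run against the packets of an
active-mode FTP session.  Constructed example for this thread, not code from
the original post: the first ACL is the one posted in the question, applied
"in" on Router1's serial interface (so it sees server-to-client packets only);
the server-side ACL and the client ports N = 1025, N + 1 = 1026 are assumed."""
import ipaddress
from collections import namedtuple

WELL_KNOWN = {"ftp": 21, "ftp-data": 20}
PORT_OPS = ("eq", "gt", "lt", "neq")

# ack=True models a segment with the ACK (or RST) bit set, which is what the
# IOS keyword "established" matches; a bare SYN has ack=False.
Packet = namedtuple("Packet", "src sport dst dport ack")
Ace = namedtuple("Ace", "text action src sport dst dport established")


def _addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    base, wildcard = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (base, wildcard), tokens[2:]


def _port(tokens):
    """Consume an optional port operator; return (predicate on a port, rest)."""
    if not tokens or tokens[0] not in PORT_OPS:
        return (lambda p: True), tokens
    v = WELL_KNOWN[tokens[1]] if tokens[1] in WELL_KNOWN else int(tokens[1])
    return {"eq": lambda p: p == v, "gt": lambda p: p > v,
            "lt": lambda p: p < v, "neq": lambda p: p != v}[tokens[0]], tokens[2:]


def parse_acl(text):
    """Parse 'access-list N permit|deny tcp SRC [op] DST [op] [established]' lines."""
    acl = []
    for line in text.strip().splitlines():
        t = line.split()
        src, rest = _addr(t[4:])
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        acl.append(Ace(line.strip(), t[2], src, sport, dst, dport, "established" in rest))
    return acl


def _in_net(addr, net):
    base, wildcard = net  # a set wildcard bit means "don't care"
    return (int(ipaddress.IPv4Address(addr)) ^ base) & ~wildcard & 0xFFFFFFFF == 0


def evaluate(acl, pkt):
    """First-match evaluation; returns (action, entry text) or the implicit deny."""
    for ace in acl:
        if (_in_net(pkt.src, ace.src) and ace.sport(pkt.sport)
                and _in_net(pkt.dst, ace.dst) and ace.dport(pkt.dport)
                and (pkt.ack or not ace.established)):
            return ace.action, ace.text
    return "deny", "implicit deny"


def active_session(client, server, n):
    """Packets of an active-mode transfer as (direction, description, packet):
    control is client N -> server 21; after PORT the server opens the data
    connection from its port 20 to client N+1."""
    c2s, s2c = "client->server", "server->client"
    return [
        (c2s, "control SYN", Packet(client, n, server, 21, False)),
        (s2c, "control SYN/ACK", Packet(server, 21, client, n, True)),
        (c2s, "PORT command", Packet(client, n, server, 21, True)),
        (s2c, "data SYN from port 20", Packet(server, 20, client, n + 1, False)),
        (c2s, "data SYN/ACK to port 20", Packet(client, n + 1, server, 20, True)),
        (s2c, "data ACK and listing", Packet(server, 20, client, n + 1, True)),
    ]


def hits(acl, packets, direction):
    """Map each packet flowing in `direction` to the (action, entry) it hits."""
    return {desc: evaluate(acl, p) for d, desc, p in packets if d == direction}


# The ACL from the question, verbatim.
ROUTER1_IN = parse_acl("""
access-list 101 permit tcp 192.168.2.0 0.0.0.255 host 10.0.33.26 eq ftp log
access-list 101 permit tcp 192.168.2.0 0.0.0.255 eq ftp-data host 10.0.33.26 gt 1024 log
access-list 101 permit tcp 192.168.2.0 0.0.0.255 host 10.0.33.26 established log
access-list 101 permit tcp 192.168.2.0 0.0.0.255 host 10.0.33.26 gt 1024 established
access-list 101 permit tcp 192.168.2.0 0.0.0.255 eq ftp host 10.0.33.26 gt 1024
""")

# Assumed ACL inbound on the server side, written from the four channels in
# the reply: only the client-to-server halves ("port 21 from anywhere", "ACKs
# from >1024 to port 20") become entries; the other two are return traffic.
SERVER_SIDE_IN = parse_acl("""
access-list 102 permit tcp any host 192.168.2.18 eq ftp
access-list 102 permit tcp any gt 1024 host 192.168.2.18 eq ftp-data established
""")

SESSION = active_session("10.0.33.26", "192.168.2.18", 1025)
```

`hits(ROUTER1_IN, SESSION, "server->client")` shows which of the posted entries the control replies and the port-20 data connection land on; a packet none of the entries describe, for example a data connection opened from a source port other than 20, comes back as the implicit deny, which is the case the reply suggests catching with the log keyword.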