About ACL basic question

cwhlaw2009
Level 1

I have some ACL questions. I don't clearly understand the source address and destination address in the following cases.

Case 1

My WAN1 IP is 1.1.1.1, my FTP Server is 192.168.1.2 port 23

If I access FTP from the Internet using ftp://1.1.1.1:23, then what are my ACL source IP and destination IP? Is the source 1.1.1.1? Is the destination 192.168.1.2? Or any?

Internet ------------(Outside 1.1.1.1) ASA (Inside 192.168.1.1) ---------- FTP (192.168.1.2)

Case 2

My WAN1 is still 1.1.1.1 and FTP is 192.168.1.2 port 23.

If I access FTP from the Internet using ftp://1.1.1.1:8023, what about the ACL source address and destination IP?

I tested both cases with source = any and destination = any, and it is OK.

But I am confused. I always think the source address is the WAN1 IP.

Accepted Solution

johnd2310
Level 8

Hi,

You are accessing the FTP server from the Internet and most likely you will not know what IP address the source will be. In this case, your source IP address will be any. If you know the IP address on the Internet that will access your FTP server, then you will specify it as the source. Your access list will be as follows:

access-list 100 extended permit tcp any host 1.1.1.1 eq 21

access-list 100 extended permit tcp any host 1.1.1.1 eq 20

or

access-list 100 extended permit tcp x.x.x.x y.y.y.y host 1.1.1.1 eq 21

access-list 100 extended permit tcp x.x.x.x y.y.y.y host 1.1.1.1 eq 20

(if you know the network or host that will access FTP)

You also have to ensure you have configured static NAT and application inspection for your FTP server.

Thanks

John

**Please rate posts you find helpful**
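As an added illustration of why the source is "any" and the destination is the outside address (this is editor-added example code, not code from the post or from Cisco), the following Python script parses the exact extended-ACL lines from John's answer and evaluates them against the two flows from the question. It models the pre-8.3 ASA ordering for inbound traffic, in which the outside ACL sees the packet as it arrives (mapped destination address and port) and static NAT rewrites the destination afterwards. The Internet client 203.0.113.7, the static-NAT table, and the extra port-8023 entry are constructed assumptions for the demonstration.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Constructed teaching example (not code from the forum post or from Cisco):
# a small evaluator for the extended-ACL lines in John's answer, run against
# inbound flows. It models the pre-8.3 ASA ordering for inbound traffic:
# the outside ACL sees the packet as it arrives (mapped destination address
# and port), and static NAT rewrites the destination afterwards.

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]  # None means "any destination port"

def _parse_addr(tokens, i):
    """Consume one ASA address spec at tokens[i]: 'any', 'host A', or 'A MASK'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA uses a subnet mask here (not an IOS-style wildcard mask)
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2

def parse_ace(line: str) -> Ace:
    """Parse 'access-list N extended permit|deny tcp SRC DST [eq PORT]' (numeric ports only)."""
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
        raise ValueError(f"not an extended ACE: {line!r}")
    action, proto = tokens[3], tokens[4]
    src, i = _parse_addr(tokens, 5)
    dst, i = _parse_addr(tokens, i)
    port = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
    return Ace(action, proto, src, dst, port)

def ace_matches(ace: Ace, flow: Flow) -> bool:
    return (
        ace.proto == flow.proto
        and ipaddress.ip_address(flow.src_ip) in ace.src
        and ipaddress.ip_address(flow.dst_ip) in ace.dst
        and (ace.dst_port is None or ace.dst_port == flow.dst_port)
    )

def evaluate(acl: list, flow: Flow) -> str:
    """First matching entry wins; an ASA ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, flow):
            return ace.action
    return "deny"

def apply_static_nat(flow: Flow, nat: dict) -> Flow:
    """Rewrite the mapped (outside) destination socket to the real (inside) one."""
    real = nat.get((flow.dst_ip, flow.dst_port))
    return replace(flow, dst_ip=real[0], dst_port=real[1]) if real else flow

# John's ACL for the case where the Internet source is unknown.
JOHNS_ACL = [parse_ace(l) for l in (
    "access-list 100 extended permit tcp any host 1.1.1.1 eq 21",
    "access-list 100 extended permit tcp any host 1.1.1.1 eq 20",
)]

# The poster's assumption, written as an ACE: source = the WAN address.
WAN_AS_SOURCE_ACL = [parse_ace(
    "access-list 100 extended permit tcp host 1.1.1.1 host 192.168.1.2 eq 21")]

# Constructed static-NAT table for the two cases (assumed, not from the post):
# case 1 maps 1.1.1.1:21 straight through, case 2 redirects 1.1.1.1:8023.
STATIC_NAT = {("1.1.1.1", 21): ("192.168.1.2", 21),
              ("1.1.1.1", 8023): ("192.168.1.2", 21)}

def walk_through() -> dict:
    """Evaluate the two cases from the question; 203.0.113.7 is a constructed Internet client."""
    case1 = Flow("203.0.113.7", "1.1.1.1", 21)
    case2 = Flow("203.0.113.7", "1.1.1.1", 8023)
    return {
        # Case 1: any source, mapped destination 1.1.1.1:21 -> permitted
        "case1": evaluate(JOHNS_ACL, case1),
        "case1_after_nat": apply_static_nat(case1, STATIC_NAT),
        # Case 2: the same ACL lists no port 8023, so the implicit deny hits;
        # the mapped port needs its own ACE (pre-8.3 semantics)
        "case2": evaluate(JOHNS_ACL, case2),
        "case2_with_ace": evaluate(
            JOHNS_ACL + [parse_ace("access-list 100 extended permit tcp any host 1.1.1.1 eq 8023")],
            case2),
        # The real inbound flow never carries 1.1.1.1 as its source, so an
        # ACE written that way never matches anything
        "wan_as_source": evaluate(WAN_AS_SOURCE_ACL, case1),
    }

if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key}: {value}")
```

The "wan_as_source" result is the point of the question: 1.1.1.1 is where the packet is going, not where it is coming from, so the source is the client's Internet address (any, unless known) and the destination is the outside address. Two practical notes that go beyond the post: on ASA 8.3 and later, ACLs are written against the real (inside) address and real port, so both cases would name 192.168.1.2 and the server's real port instead of the mapped 1.1.1.1 socket; and in either release the ACL only takes effect once applied inbound on the outside interface with `access-group`, alongside the static NAT and FTP inspection John mentions.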
