Solved: Re: ACL to only allow FTP - assorted questions

lane_frazier · ‎02-04-2006

I have been asked to develop a way to connect a non-company server to one of my closet 5509's that runs several vlans on a couple of floors on my building. The 5509 has no RSM and is connected to larger layer 3 switch...6509.

I have been told that I must make the connection "secure". This server will be doing file xfer (most likely ftp)

Even though we have firewalls...the decision has been made to put the server in is own vlan...say vlan 201 and to hard assign it an ip address of 10.4.201.11

I have been told to develop an ACL that will only allow ftp traffic.

Here's my plan

create vlan 201 on the 6500 and 5509 and assign one 5509 port to it for the server

I'm thinking about the applying the following ACL to my vlan 201 interface on the 6509.

access-list 100 permit tcp 10.4.201.11 0.0.0.0 any eq 20

access-list 100 permit tcp 10.4.201.11 0.0.0.0 any eq 21

access-list 100 deny ip any any

On the 6509 applying the ACL

ip access-group 100 in

I have a few questions

1. If I have ports 20 and 21 allowed does that cover me for ftp traffic?

2.By coding 0.0.0.0 in the acl does that force the ip address of 10.4.201.11 to match or else through it away?

3. As far as I know the deny any any will kill off anything else

4. I'm concerned about a couple of other things...I'm not sure what acknowledgements need to be sent back and forth if any. I'm also wondering if I also need to apply it outbound as well as inbound?

5. What really worries me is that I've never done an ACL before and don't want to create a situation where I block other traffic on the 2 switches..I guess that's the benefit to doing it in a seperate vlan...so hopefully if anything "unexpected" were to happen when we applied it..it would only affect vlan 201.

6 Final question, If we had to back the acl off for some reason...I hear they are hard to edit once in the config....Is the proper procedure to get rid of ip access-group 100 in 1st and then remove the access list statements second...doing it the other way would only leave the list still in the group.

Thanks in advance for all helpfull suggestions

pkhatri · ‎02-04-2006

Hi Lane,

Here are some answers (in the same order as your questions)

1. The answer is: it depends. FTP can operate in one of two modes: active and passive. Depending on the mode, the ports required will differ. The following URL has a good explanation of the difference between the two;

http://slacksite.com/other/ftp.html

Since the server is within your control, I think the use of active FTP should be just fine. Therefore, the two server ports that you need to open up are tcp/21 and tcp/20.

2. A mask of 0.0.0.0 makes the access-list match on every bit of the specified network address. So what you have got is fine.

3. Access-lists have any implicit "deny all" at the end of them so that last statement is not really necessary but it might be good to leave it in for the sake of readability.

4. Since you want to make this secure, a combination of inbound and outbound filtering is in order.

5. Anything you do on this VLAN will affect this VLAN and this VLAN alone - you do not have to worry about impacting anything else.

6. That is correct. Remove the 'ip access-group' statement from under the interface before you do anything to the actual access-list itself.

Here's how I would set up the ACLs:

access-list 101 permit tcp any gt 1023 host 10.4.201.11 eq 20

access-list 101 permit tcp any gt 1023 host 10.4.201.11 eq 21

access-list 101 deny any any

!

access-list 102 permit tcp host 10.4.201.11 eq 20 any gt 1023

access-list 102 permit tcp host 10.4.201.11 eq 21 any gt 1023

access-list 102 deny any any

!

interface vlan201

ip access-group 102 in

ip access-group 101 out

Now, the above access-lists will only let the server do FTP and not much else. Does your server need to use DNS for any reason ? If so, you will have to punch holes in the above ACLs to allow UDP/53 through.

Hope that helps - pls rate the post if it does.

Paresh

View solution in original post

pkhatri · ‎02-04-2006