03-04-2005 12:25 PM - edited 03-09-2019 10:32 AM
I want to control outbound ftp on the inside interface of my firewall.
So, I submitted the following command:
access-list 111 permit tcp host <host ip> any eq ftp
access-list 111 deny tcp any any eq ftp
access-group 111 in interface inside
However, I can still ftp from any workstation. My goal is to control bandwidth usage by allowing one or two workstations ftp access.
What commands am I missing?
03-07-2005 10:24 AM
Yes, that is the problem, order matters.
Change the access-list to that:
access-list 111 permit tcp host
access-list 111 deny tcp any any eq smtp
access-list 111 permit tcp host
access-list 111 permit tcp host
access-list 111 deny tcp any any eq ftp
access-list 111 permit ip any any
access-group 111 in interface inside
Other thing (access-list 111 permit tcp host
sincerely
Patrick
03-04-2005 03:21 PM
This part of the access-list is fine. It basically allows a few hosts to ftp.
Don't forget that at the end of the access-list follows a deny any any (not shown in the config), so all other traffic will be blocked on the inside interface.
What about hitcounts when you do a:
show access-list 111
Is the access-group activated?
show access-group
sincerely
Patrick
03-06-2005 05:54 PM
I'm not sure if it's worth mentioning here, but none of this takes effect until you write it to memory on a PIX. You will stop ALL traffic except this one host being able to do FTP when you implement this access list on the inside interface. You need to include a permit ip any any at the end to get around the restrictions you have put in place for all other traffic.
The PIX allows all traffic outbound by default, but once you add an access-list you must allow all traffic that you want to pass.
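The two points made in this thread, that a PIX access-list is evaluated top-down with the first matching line winning and that an implicit deny sits at the end, can be checked outside the firewall. The following evaluator is an added example, not code from the thread or from Cisco; the addresses are constructed placeholders, and the thread's truncated "permit tcp host" lines are assumed to be per-host permits for smtp and ftp.

```python
# Added example, not from the thread: a first-match evaluator for PIX-style
# access-list lines. Addresses are constructed placeholders; the truncated
# "permit tcp host" lines in the thread are assumed to be per-host ftp/smtp permits.
PORTS = {"ftp": 21, "smtp": 25, "www": 80}

def parse_ace(line):
    """Parse 'access-list <id> permit|deny <proto> <src> <dst> [eq <port>]'."""
    tok = line.split()
    action, proto, rest = tok[2], tok[3], tok[4:]

    def take_addr(t):  # 'host A.B.C.D' or 'any'
        return (t[1], t[2:]) if t[0] == "host" else ("any", t[1:])

    src, rest = take_addr(rest)
    dst, rest = take_addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = PORTS[rest[1]] if rest[1] in PORTS else int(rest[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def matches(ace, flow):
    """True when every field of the ACE covers the flow ('any'/'ip' are wildcards)."""
    return (
        ace["proto"] in ("ip", flow["proto"])
        and ace["src"] in ("any", flow["src"])
        and ace["dst"] in ("any", flow["dst"])
        and ace["port"] in (None, flow["dport"])
    )

def evaluate(acl_lines, flow):
    """First-match: return (action, index) of the matching ACE, else the implicit deny."""
    for i, line in enumerate(acl_lines):
        ace = parse_ace(line)
        if matches(ace, flow):
            return ace["action"], i
    return "deny", None  # every PIX access-list ends with an implicit deny

ALLOWED = "10.1.1.5"  # constructed: the one workstation that may use ftp
MISORDERED = [  # the poster's order: 'permit ip any any' sits above the ftp deny
    f"access-list 111 permit tcp host {ALLOWED} any eq smtp",
    "access-list 111 deny tcp any any eq smtp",
    "access-list 111 permit ip any any",
    f"access-list 111 permit tcp host {ALLOWED} any eq ftp",
    "access-list 111 deny tcp any any eq ftp",
]
# the corrected order from the accepted answer: catch-all permit moved to the end
CORRECTED = MISORDERED[:2] + MISORDERED[3:] + [MISORDERED[2]]

def ftp_flow(src):
    return {"proto": "tcp", "src": src, "dst": "203.0.113.9", "dport": 21}
```

With the poster's ordering, ftp from an unlisted workstation hits `permit ip any any` at index 2 before it ever reaches the ftp deny; with the corrected ordering the same flow stops at the deny, while other traffic still falls through to the final permit.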
03-07-2005 06:34 AM
Yes, that is worth mentioning. My access-list commands are as follows for inside interface:
access-list 111 permit tcp host
access-list 111 deny tcp any any eq smtp
access-list 111 permit ip any any
access-list 111 permit tcp host
access-list 111 permit tcp host
access-list 111 deny tcp any any eq ftp
access-group 111 in interface inside
I did write to memory and clear xlate. I did include the command "access-list 111 permit ip any any", but does the order in which it is placed amongst the other ACLs on the inside interface matter?
Thx, Andrew
03-07-2005 06:27 AM
These are access-list commands on the inside interface:
access-list 111 permit tcp host
access-list 111 deny tcp any any eq smtp
access-list 111 permit ip any any
access-list 111 permit tcp host
access-list 111 permit tcp host
access-list 111 deny tcp any any eq ftp
access-group 111 in interface inside
Yes, I have the access-group activated. I did write to memory and clear xlate.
Thx, Andrew