passive ftp not working on 2811

palvin_225
Level 1

Hello all,

We recently replaced a PIX 501 with a Cisco 2811 in our head office. We have created and applied access lists, and everything is working fine now except our passive FTP. Some of our clients who try to access our AS/400 via FTP can connect but cannot copy or view any listings in the directory. We are using the following lines in our access list to control incoming FTP access:

access-list 111 permit tcp any gt 1023 host xxx.xx.xx.xxx eq ftp

access-list 111 permit tcp any gt 1023 host xxx.xx.xx.xxx gt 1023 established log

Please suggest.

Thanks in advance.

3 Replies

jkell
Level 1

For "passive" FTP, the connections will NOT be "established", as the client connects back to the server with source and destination ports > 1023. You cannot key these connections with "established".

Most FTP servers will allow you to specify a range of ports to use for incoming passive data connections. In vsftpd, for example, you can set "pasv_min_port" and "pasv_max_port" in /etc/vsftpd/vsftpd.conf to specify the range of ports to offer for passive data connections. You can then alter your second access-list permit to:

permit tcp any gt 1023 host a.b.c.d range min max

where "min" and "max" are the ports specified above.

If your server doesn't allow you to set the data port range, you will have to permit any gt 1023 (which is a large, gaping hole).

victory_cm
Level 1

Hi,

Hopefully FTP works with port 21 for authentication and port 20 for data transfer.

Hence, please add the following ACL (ftp-data is port 20) and try:

access-list 111 permit tcp any gt 1023 host xxx.xx.xx.xxx eq ftp-data

Thanks...

Hi,

We got our passive FTP working. We had to add CBAC in order for passive FTP to work on an IOS version equipped with security features. We added the following lines to our config:

ip inspect audit-trail

ip inspect name FTPRULENAME ftp alert on audit-trail on timeout 3600

Then, in our access list on our external interface, we added these lines:

access-list 101 permit tcp any gt 1023 host xxx.xx.xxx.xx eq ftp

access-list 101 permit tcp any gt 1023 host xxx.xx.xxx.xx gt 1023 established log

Now our passive FTP is working no problems.