07-26-2002 11:27 AM - edited 02-20-2020 09:18 PM
FTP only works if I don't use an access list, or use:
permit ip src_IP1 dst_ip2
or both statements
permit tcp src_ip1 dst_ip2
permit udp src_ip1 dst_ip2
It does not work with the following config:
int fastethernet 0/0
ip address 172.16.53.131 255.255.255.0
ip access-group FastEther_in in
!
ip access-list extended FastEther_in
permit tcp 209.246.0.0 0.0.255.255 any eq ftp
What am I doing wrong?
07-26-2002 12:09 PM
Hi,
Add a "deny ip any any" statement with the log option towards the end of the above ACL, and see if you are getting FTP packets denied by the above ACL. As this ACL is being used as an inbound FW ACL, it could be because of the FTP server location, source IP address(es), FTP port being used, etc.
You can try permitting "eq ftp-data" as well.
Thanks,
Afaq
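The suggestion above, worked through as an added example (not code from the thread or from Cisco): a small first-match evaluator for the two ACL forms, run against the three kinds of FTP packet that arrive inbound from the client. Assumptions: the client address 209.246.10.7 and the passive-mode port 50321 are constructed, and Fa0/0 is taken to be the client-facing interface.

```python
import ipaddress

PORTS = {"ftp": 21, "ftp-data": 20}   # IOS port keywords used in this thread
CLIENT = "209.246.10.7"               # constructed address for webproxy07 (assumption)
ORIGINAL = ["permit tcp 209.246.0.0 0.0.255.255 any eq ftp"]
SUGGESTED = ORIGINAL + ["permit tcp 209.246.0.0 0.0.255.255 any eq ftp-data",
                        "deny ip any any log"]
# Constructed packets arriving inbound from the client: name -> (protocol, dest port)
PACKETS = {"control": ("tcp", 21),          # client -> server:21
           "active-data": ("tcp", 20),      # client's replies to server port 20
           "passive-data": ("tcp", 50321)}  # client -> server high port (PASV)

def parse_ace(line):
    """Parse '<action> <proto> <src wildcard | any> any [eq <port>] [log]'."""
    tok = line.split()
    ace = {"action": tok[0], "proto": tok[1], "src": None, "dport": None}
    i = 3                                  # index of the destination when source is 'any'
    if tok[2] != "any":
        ace["src"] = tuple(int(ipaddress.ip_address(t)) for t in tok[2:4])
        i = 4
    i += 1                                 # destination is always 'any' in these ACLs
    if i < len(tok) and tok[i] == "eq":
        port = tok[i + 1]
        ace["dport"] = PORTS[port] if port in PORTS else int(port)
    return ace

def evaluate(acl, src, proto, dport):
    """Return (action, matching line); the first match wins."""
    addr = int(ipaddress.ip_address(src))
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["src"]:
            net, wild = ace["src"]
            if (addr | wild) != (net | wild):   # wildcard 1-bits are "don't care"
                continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], line
    return "deny", "(implicit deny)"           # unlogged default at the end of every ACL

def verdicts(acl):
    return {n: evaluate(acl, CLIENT, p, d)[0] for n, (p, d) in PACKETS.items()}

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        for pkt, (proto, dport) in PACKETS.items():
            print(name, pkt, *evaluate(acl, CLIENT, proto, dport))
```

With the suggested lines the control and active-mode data packets pass, while a passive-mode data connection still falls to the explicit deny, which is the entry the log option would surface.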
07-26-2002 12:21 PM
I monitored the FTP session from the client side and saw the correct src/dst IP pairs and the server using the FTP port.
(The client is webproxy07, the server is 207.251.71.198.) The client initiates the connection inbound to the router.
Using device /dev/qfe (promiscuous mode)
webproxy07 -> 207.251.71.198 FTP C port=57076
207.251.71.198 -> webproxy07 FTP R port=57076
webproxy07 -> 207.251.71.198 FTP C port=57076