07-13-2004 12:14 PM - edited 02-20-2020 09:25 PM
I've got a 2621 router that I'd like to do some DMZ style firewalling on.
I want to allow the servers on the inside to make outbound requests, but restrict inbound access to particular ports.
With regular ACLs, I run into problems with FTP, and I'm thinking maybe applying reflexive ACLs would be a better approach.
Could somebody post an example of using reflexive ACLs to permit access to an FTP server? In the topology, fastethernet0/0 faces the internet and fastethernet0/1 faces the servers.
Thanks,
= K
07-13-2004 12:49 PM
Hi,
Reflexive ACLs are probably not a good choice for any multi-channel protocol, e.g. FTP. They will not open up ports for FTP data. You need to use IOS FW (CBAC).
Besides this, there is not much documentation on reflexive ACLs. Just this link:
07-14-2004 05:57 AM
OK, thanks for the tip on CBAC. I've started reading up on it.
Assuming that I do NAT on the inside (fa 0/1) and that an FTP server resides at 10.1.1.1, do you think you could give me a CBAC example for FTP?
Right now I just have extended ACLs on the outbound interface towards the servers, and for the most part things work fine except for FTP.
Thanks for the tips so far,
= K
07-14-2004 10:03 AM
Hi,
I hope this example will help
http://www.cisco.com/warp/customer/793/ios_fw/cbac4.html
thanks
Nadeem
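For readers of this thread, here is an added example of the CBAC approach Nadeem recommends, written for the topology the original poster describes (fa0/0 facing the internet, fa0/1 facing the servers, FTP server at 10.1.1.1 behind static NAT). It is not taken from the thread or from the linked Cisco page. The policy name FW_FTP, the ACL name OUTSIDE_IN and the public addresses 203.0.113.1 and 203.0.113.10 are assumed placeholders; the documentation range 203.0.113.0/24 is used so nothing here points at a real host.

```cisco
! Added example, not from the thread. fa0/0 = Internet, fa0/1 = servers.
! 203.0.113.1 (router) and 203.0.113.10 (FTP server's public address)
! are constructed placeholders.
!
! Log CBAC session open/close events so the dynamic openings can be audited.
ip inspect audit-trail
!
! Inspection policy: "ftp" makes CBAC read the control channel and open the
! data channel (active or passive) only for the duration of that session;
! generic tcp/udp cover everything else the servers initiate outbound.
ip inspect name FW_FTP ftp
ip inspect name FW_FTP tcp
ip inspect name FW_FTP udp
!
! Static NAT for the FTP server.
ip nat inside source static 10.1.1.1 203.0.113.10
!
! Inbound ACL on the Internet side. The ACL is evaluated before the
! outside-to-inside NAT translation, so it matches the public address.
! Only the FTP control port (tcp/21) may be opened from the Internet;
! everything else is dropped unless CBAC has added a temporary entry.
ip access-list extended OUTSIDE_IN
 permit tcp any host 203.0.113.10 eq ftp
 deny   ip any any log
!
interface FastEthernet0/0
 description Internet
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE_IN in
 ! Inspect the permitted inbound FTP control sessions so their data
 ! channel is tracked and let through without a static high-port rule.
 ip inspect FW_FTP in
!
interface FastEthernet0/1
 description Servers
 ip address 10.1.1.254 255.255.255.0
 ip nat inside
 ! Inspect sessions the servers start, so replies pass OUTSIDE_IN.
 ip inspect FW_FTP in
```

After a client connects, `show ip inspect sessions` lists the control session plus the data channel CBAC has opened for it, and `show ip access-lists OUTSIDE_IN` shows the temporary permit entries that exist only while that session is alive. The point of this layout is that the static ACL stays at a single port and every high-port opening is tied to an inspected session rather than left open permanently, which is exactly what a reflexive ACL could not do for FTP.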