ACL issue

svaishya20
Level 1

Hi,

I have to add an ACL to allow access for FTP connections from outside.

From the log I can see it trying to connect in passive mode to the FTP server, on UDP and a port greater than 1023, and being blocked by the router on the outbound side.

If I add an extended ACL with

permit ip ftp server (ip address) host ip

and apply the ACL on the WAN outbound side, will it work?

Thanks

Saurabh


cadet alain
VIP Alumni

Hi Alain,

I went through it, but the problem is that when it gets the response back from the server it is using UDP and a port greater than 1023.

So, do you think I need to add an ACL to allow UDP and ports greater than 1023, or will the above ACL fix the issue?

Thanks

UDP transport in the FTP protocol? You need to allow TCP ports 21 and 20 inbound on your WAN interface.

Hi,

FTP uses TCP but TFTP uses UDP.

For PASV FTP connections the link I posted is OK.

Alain.

Don't forget to rate helpful posts.

Hi All,

Here is the log from the device:

f0/1-out access list applied

denied udp 172.24.32.73(46973) -> 10.170.70.121(33484), 1

So it is talking on a UDP port and it is blocked by the ACL.

So, do I need to add permit udp host 172.24.32.73 host 10.170.70.121 gt 1024

If I go through the Cisco site I am not getting an option to configure it.

Hi Kon,

I cannot add an inbound ACL because an outbound ACL is already applied on the interface.

Thanks

Hi,

Before permitting this flow you would want to know what it is, because it has nothing to do with FTP for sure.

Maybe it is a Unix/Cisco traceroute or a TFTP flow.

Do you see the ftp client or server IP address in this flow?

Can you do sh run int f0/1 and sh access-list?

Alain.

Don't forget to rate helpful posts.

1260 permit tcp 172.24.32.0 0.0.1.255 any eq ftp (9884 matches)
1270 permit tcp 172.24.32.0 0.0.1.255 any eq ftp-data (4336 matches)
3875 permit ip 172.24.32.0 0.0.1.255 host 10.170.70.121 log

interface FastEthernet0/1
 bandwidth 50000
 ip address 152.181.129.162 255.255.255.252
 ip access-group r-sydeqx-vzbmpls-f0/1-out out
 duplex full
 speed 100
 service-policy output VPN-POLICY

Hi Alain,

I am not able to paste the whole access-list, but here FTP is permitted and I have added line 3875. I must add 3875 before the other ACL line because I am permitting a specific one rather than any.

Thanks

Saurabh

Hi,

The lines you've got here are for active FTP sessions, not PASV. Concerning the UDP flow, did you find out what it was?

Alain.

Don't forget to rate helpful posts.

Hi,

Is there any way that we can find out what the UDP traffic is?

Because the user is always saying he is making an FTP connection.

Do you think permit ip 172.24.32.0 0.0.1.255 host 10.170.70.12 will open an FTP connection?

As far as I know, if we allow a packet with ip it will work for both TCP and UDP and for any port.

Am I correct?

Thanks

Saurabh

Hi,

Yes, permitting ip between 2 hosts will let everything pass between them, but only if the more specific traffic is not denied by an ACL entry higher up in the ACL. Don't forget an ACL is processed top-down, and once there is a match it is not processed any further.

If the traffic is not encrypted inside a tunnel then you can always capture packets on this interface and analyse them with a packet analyzer like Wireshark.

For capturing traffic on a router you have 2 options:

- RITE, which is the oldest one: http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_rawip.html

- EPC: http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_troubleshooting_ps6441_TSD_Products_Configuration_Guide_Chapter.html

Regards.

Alain.

Don't forget to rate helpful posts.
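As an added example (not code from the thread or from Cisco), here is a small Python model of the top-down, first-match ACL evaluation Alain describes, run against the ACL lines quoted earlier in the thread. It assumes IOS extended-ACL semantics for wildcard masks and the implicit deny at the end; the parser handles only the keywords used in this thread plus `gt`, which the question asks about.

```python
import ipaddress

# Added example, not code from the thread or from Cisco: a model of IOS
# extended-ACL evaluation (assumed semantics: top-down, first match wins,
# implicit deny). ACL_BEFORE/ACL_AFTER are the lines quoted in the thread.
PORT_NAMES = {"ftp": 21, "ftp-data": 20}
ACL_BEFORE = """
1260 permit tcp 172.24.32.0 0.0.1.255 any eq ftp
1270 permit tcp 172.24.32.0 0.0.1.255 any eq ftp-data
"""
ACL_AFTER = ACL_BEFORE + "3875 permit ip 172.24.32.0 0.0.1.255 host 10.170.70.121 log\n"

def _addr_spec(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (rest, (net, wildcard))."""
    if tokens[0] == "any":
        return tokens[1:], (0, 0xFFFFFFFF)
    if tokens[0] == "host":
        return tokens[2:], (int(ipaddress.ip_address(tokens[1])), 0)
    return tokens[2:], (int(ipaddress.ip_address(tokens[0])), int(ipaddress.ip_address(tokens[1])))

def parse_acl(text):
    """Parse 'seq action proto SRC DST [eq|gt PORT] [log]' lines into tuples."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        rest, src = _addr_spec(t[3:])
        rest, dst = _addr_spec(rest)
        port_test = None  # (operator, port), applied to the destination port
        if rest and rest[0] in ("eq", "gt"):
            port_test = (rest[0], PORT_NAMES.get(rest[1]) or int(rest[1]))
        entries.append((int(t[0]), t[1], t[2], src, dst, port_test))
    return entries

def _match(spec, addr):
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    net, wild = spec
    return ((int(ipaddress.ip_address(addr)) ^ net) & ~wild) == 0

def lookup(entries, proto, src, dst, dport):
    """Return (action, seq) for a flow; seq is None when the implicit deny hits."""
    for seq, action, eproto, esrc, edst, port_test in entries:
        if eproto != "ip" and eproto != proto:
            continue  # 'ip' matches every protocol; tcp/udp must match exactly
        if not (_match(esrc, src) and _match(edst, dst)):
            continue
        if port_test and not ((port_test[0] == "eq" and dport == port_test[1])
                              or (port_test[0] == "gt" and dport > port_test[1])):
            continue
        return action, seq  # first match wins; later lines are never consulted
    return "deny", None
```

Evaluating the logged flow (udp 172.24.32.73 to 10.170.70.121 port 33484) against ACL_BEFORE hits the implicit deny, while ACL_AFTER permits it on line 3875; placing a deny for that traffic above 3875 shadows it, which is the ordering point made above.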

Thanks Alain.

The log doesn't show the FTP service; it's something other than FTP.

And you should be able to place IN and OUT access-lists on the same interface at the same time, though of course it's not really recommended.