11-03-2011 01:08 AM - edited 03-04-2019 02:08 PM
Hi,
I have to add an ACL to allow access for FTP connections from outside.
From the log I can see it trying to connect in passive mode to the FTP server, on UDP and a port greater than 1023, and it is blocked by the router on the outbound side.
If I add an extended ACL with
permit ip (ftp server ip address) host (ip)
and apply the ACL on the WAN outbound side, will it work?
Thanks
Saurabh
Labels: Routing Protocols
11-03-2011 01:43 AM
Hi,
Regards.
Alain.
11-03-2011 03:25 AM
Hi Alain,
I went through it, but the problem is that when it gets the response back from the server it is using UDP and a port greater than 1023.
So, do you think I need to add an ACL to allow UDP and ports greater than 1023, or will the above ACL fix the issue?
Thanks
11-03-2011 04:01 AM
UDP transport in the FTP protocol? You need to allow TCP ports 21 and 20 inbound on your WAN interface.
11-03-2011 04:06 AM
Hi,
FTP uses TCP, but TFTP uses UDP.
For PASV FTP connections the link I posted is OK.
Alain.
11-03-2011 04:39 AM
Hi All,
here is the log from the device (f0/1-out access list applied):
denied udp 172.24.32.73(46973) -> 10.170.70.121(33484), 1
so it is talking on a UDP port and it is blocked by the ACL.
So, do I need to add: permit udp host 172.24.32.73 host 10.170.70.121 gt 1024
If I go through the Cisco site I am not getting the option to configure it.
Hi Kon,
I cannot add an inbound ACL because an outbound ACL is already applied on the interface.
thanks
11-03-2011 05:31 AM
Hi,
Before permitting this flow you would want to know what it is, because it has nothing to do with FTP for sure.
Maybe it is a Unix/Cisco traceroute or a TFTP flow.
Do you see the FTP client or server IP address in this flow?
Can you do "sh run int f0/1" and "sh access-list"?
Alain.
11-03-2011 07:08 PM
1260 permit tcp 172.24.32.0 0.0.1.255 any eq ftp (9884 matches)
1270 permit tcp 172.24.32.0 0.0.1.255 any eq ftp-data (4336 matches)
3875 permit ip 172.24.32.0 0.0.1.255 host 10.170.70.121 log
interface FastEthernet0/1
bandwidth 50000
ip address 152.181.129.162 255.255.255.252
ip access-group r-sydeqx-vzbmpls-f0/1-out out
duplex full
speed 100
service-policy output VPN-POLICY
Hi Alain,
I am not able to paste the whole access-list, but FTP is permitted here and I have added line 3875. I must add 3875 before the other ACL lines because I am permitting a specific one rather than any.
Thanks
Saurabh
11-04-2011 01:05 AM
Hi,
the lines you've got here are for active FTP sessions, not PASV, and concerning the UDP flow, did you find out what it was?
Alain.
11-04-2011 05:42 AM
Hi,
Is there any way that we can find out what the UDP traffic is?
Because the user is always saying he is making an FTP connection.
Do you think permit ip 172.24.32.0 0.0.1.255 host 10.170.70,12 will open an FTP connection?
As per my knowledge, if we allow a packet with ip it will work for both TCP and UDP and for any port.
Am I correct?
Thanks
Saurabh
11-04-2011 05:55 AM (accepted solution)
Hi,
Yes, permitting ip between 2 hosts will let everything pass between them, but only if the more specific traffic is not denied by an ACL entry higher up in the ACL. Don't forget an ACL is processed top-down, and once there is a match it is not processed any further.
If the traffic is not encrypted inside a tunnel then you can always capture packets on this interface and analyse them with a packet analyzer like Wireshark.
For capturing traffic on a router you have 2 options:
- RITE, which is the oldest one: http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_rawip.html
Regards.
Alain.
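As an added illustration (not from the thread and not Cisco's code), here is a small Python model of the two points made above and in the earlier "active, not PASV" reply: an extended ACL is evaluated top-down, first match wins, and the implicit deny at the end catches whatever nothing permits. It is run against the three ACL lines and the "denied udp" flow quoted earlier in the thread, and against a constructed FTP "227 Entering Passive Mode" reply to show that the passive data connection is TCP to a server port above 1023, which "eq ftp" and "eq ftp-data" do not cover. The function names, the sequence number 1280 and the "1000 deny udp" line are assumptions used only for the demonstration.

```python
"""Cisco-style extended ACL evaluator plus an FTP PASV reply parser.

Added example, not from the thread. Constructed inputs: the three ACL lines and
the logged UDP flow quoted in the thread, plus an invented 227 PASV reply.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# IOS port keywords used in the thread (minimal table, an assumption).
PORT_NAMES = {"ftp": 21, "ftp-data": 20}


@dataclass
class Packet:
    proto: str          # 'tcp', 'udp', ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class AddrMatch:
    addr: int           # address as a 32-bit int
    wildcard: int       # IOS wildcard: 1 bits are "don't care"

    def matches(self, ip: str) -> bool:
        return ((int(IPv4Address(ip)) ^ self.addr) & ~self.wildcard & 0xFFFFFFFF) == 0


@dataclass
class PortMatch:
    op: str             # 'eq', 'gt' or 'lt'
    value: int

    def matches(self, port: int) -> bool:
        return {"eq": port == self.value, "gt": port > self.value, "lt": port < self.value}[self.op]


@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    src: AddrMatch
    sport: Optional[PortMatch]
    dst: AddrMatch
    dport: Optional[PortMatch]

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:   # 'ip' covers every protocol
            return False
        if not (self.src.matches(pkt.src) and self.dst.matches(pkt.dst)):
            return False
        if self.sport and not self.sport.matches(pkt.sport):
            return False
        if self.dport and not self.dport.matches(pkt.dport):
            return False
        return True


def _parse_addr(tokens: List[str]) -> AddrMatch:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (wildcard mask)."""
    tok = tokens.pop(0)
    if tok == "any":
        return AddrMatch(0, 0xFFFFFFFF)
    if tok == "host":
        return AddrMatch(int(IPv4Address(tokens.pop(0))), 0)
    return AddrMatch(int(IPv4Address(tok)), int(IPv4Address(tokens.pop(0))))


def _parse_port(tokens: List[str]) -> Optional[PortMatch]:
    """Consume an optional 'eq|gt|lt <port-or-keyword>' operator."""
    if tokens and tokens[0] in ("eq", "gt", "lt"):
        op, val = tokens.pop(0), tokens.pop(0)
        return PortMatch(op, PORT_NAMES[val] if val in PORT_NAMES else int(val))
    return None


def parse_ace(line: str) -> Ace:
    """Parse '<seq> permit|deny <proto> <src> [op port] <dst> [op port] [log]'."""
    tokens = line.split()
    seq, action, proto = int(tokens.pop(0)), tokens.pop(0), tokens.pop(0)
    src, sport = _parse_addr(tokens), _parse_port(tokens)
    dst, dport = _parse_addr(tokens), _parse_port(tokens)
    return Ace(seq, action, proto, src, sport, dst, dport)   # trailing 'log' is ignored


def evaluate(acl_lines: List[str], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins, implicit deny at the end (seq None)."""
    for ace in sorted(map(parse_ace, acl_lines), key=lambda a: a.seq):
        if ace.matches(pkt):
            return ace.action, ace.seq
    return "deny", None


PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Return (server_ip, data_port) from a '227 Entering Passive Mode' reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV reply: " + reply)
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


# ACL lines quoted in the thread (outbound ACL on f0/1).
THREAD_ACL = [
    "1260 permit tcp 172.24.32.0 0.0.1.255 any eq ftp",
    "1270 permit tcp 172.24.32.0 0.0.1.255 any eq ftp-data",
    "3875 permit ip 172.24.32.0 0.0.1.255 host 10.170.70.121 log",
]
LOGGED_UDP = Packet("udp", "172.24.32.73", "10.170.70.121", 46973, 33484)   # from the log line
PASV_REPLY = "227 Entering Passive Mode (10,170,70,121,130,220)"            # constructed


def demo() -> dict:
    results = {}
    results["udp_before"] = evaluate(THREAD_ACL[:2], LOGGED_UDP)   # only ftp lines: implicit deny
    results["udp_after"] = evaluate(THREAD_ACL, LOGGED_UDP)        # 'permit ip' lets UDP through too
    server, dport = parse_pasv(PASV_REPLY)
    pasv_data = Packet("tcp", "172.24.32.73", server, 51001, dport)
    results["pasv_port"] = dport                                   # high port, not 20 or 21
    results["pasv_ftp_only"] = evaluate(THREAD_ACL[:2], pasv_data) # eq ftp/ftp-data do not cover it
    results["pasv_specific"] = evaluate(
        THREAD_ACL[:2] + ["1280 permit tcp 172.24.32.0 0.0.1.255 host 10.170.70.121 gt 1023"],
        pasv_data)
    results["udp_denied_above"] = evaluate(                        # a deny higher up wins
        ["1000 deny udp any any gt 1023"] + THREAD_ACL, LOGGED_UDP)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The "udp_before"/"udp_after" pair reproduces what the thread saw: the logged UDP flow hits the implicit deny until the broad "permit ip" line exists, after which it is permitted along with everything else between those hosts, which is exactly why the reply above says to identify the flow before permitting it. The "udp_denied_above" case shows the top-down point: the same "permit ip" line is never reached when a more specific deny sits earlier in the list.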
11-08-2011 03:05 PM
thanks Alain
11-03-2011 05:37 AM
the log doesn't show the FTP service; it's something other than FTP.
And you should be able to place IN and OUT access-lists on the same interface at the same time, though of course it's not really recommended.
