Beginner

Applying an access control list for FTPS session

Hello all, I am having trouble understanding ACLs and the logic of inbound and outbound traffic. I am trying to allow network 192.168.1.0/24 to the FTPS server 192.168.3.0/24 only if an FTPS session originates from the 192.168.1.0/24 LAN. Network 192.168.2.0/24 shouldn't have access to the server. Is this method correct and is there a more efficient way of doing this? 

R1

ip access-list extended SEVER-ACCESS
 remark FTPS (implicit TLS) control port
 permit tcp 192.168.1.0 0.0.0.255 host 192.168.3.2 eq 990
 remark FTPS (implicit TLS) data port
 permit tcp 192.168.1.0 0.0.0.255 host 192.168.3.2 eq 989
 remark FTP data port
 permit tcp 192.168.1.0 0.0.0.255 host 192.168.3.2 eq 20
 remark FTP control port
 permit tcp 192.168.1.0 0.0.0.255 host 192.168.3.2 eq 21
 permit ip any any
exit

interface e0/0
 ip access-group SEVER-ACCESS in

R2

ip access-list extended SEVER-ACCESS
 deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.2
 permit ip any any
exit

interface e0/1
 ip access-group SEVER-ACCESS in

4 Replies

VIP Advisor

Re: Applying an access control list for FTPS session

Hi @ezel14 

Try this

R4

ip access-list extended SEVER-ACCESS
 remark FTPS (implicit TLS) control port
 deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.2 eq 990
 remark FTPS (implicit TLS) data port
 deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.2 eq 989
 remark FTP data port
 deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.2 eq 20
 remark FTP control port
 deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.2 eq 21
 permit ip any any
exit

interface e0/1
 ip access-group SEVER-ACCESS out

 

Regards

 

VIP Mentor

Re: Applying an access control list for FTPS session

Hello
Standard ACLs filter only on the source address, so they should be placed as close to the destination as possible. An extended ACL, on the other hand, can filter on both source and destination addressing, so it can be placed as close to the source as possible, which avoids unwarranted router processing and wasted network bandwidth.

In relation to your topology, I would suggest you apply that extended ACL on R2 on the e0/0 interface inbound.

Example:
R2
ip access-list extended SEVER-ACCESS
 deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.2
 permit ip any any

interface e0/1
 no ip access-group SEVER-ACCESS in

interface e0/0
 ip access-group SEVER-ACCESS in



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
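To check what an ACL like the ones in this thread will actually do before applying it to an interface, it helps to walk packets through it the way IOS does: top-down, first match wins, and an implicit "deny ip any any" after the last line. The script below is an added example, not part of any post in this thread and not Cisco code; it implements that first-match evaluation with Cisco wildcard-mask semantics for the small subset of extended-ACL syntax used here (permit/deny, tcp/udp/ip, host/any/wildcard addresses, optional "eq port") and runs constructed test packets through copies of the original R1 ACL and Paul's R2 ACL. Host addresses such as 192.168.1.10 and 192.168.2.10 are made up for the test; the ACL bodies are copied from the thread.

```python
"""Offline first-match simulator for the IOS extended-ACL subset used in this thread.

Added example: parses permit/deny lines (wildcard masks, 'host', 'any', optional
'eq <port>') and evaluates packets in IOS order: top-down, first match wins,
implicit 'deny ip any any' at the end.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AclEntry:
    action: str            # "permit" or "deny"
    proto: str             # "ip" (matches every protocol) or "tcp"/"udp"
    src: str               # "any", "host A.B.C.D" or "A.B.C.D WILDCARD"
    dst: str
    dport: Optional[int]   # port from "eq <port>"; None means any port


def _take_addr(toks: List[str]) -> Tuple[str, List[str]]:
    """Consume one address specification (any / host X / net wildcard) from the tokens."""
    if toks[0] == "any":
        return "any", toks[1:]
    if toks[0] == "host":
        return f"host {toks[1]}", toks[2:]
    return f"{toks[0]} {toks[1]}", toks[2:]


def parse_acl(text: str) -> List[AclEntry]:
    """Parse an ACL body; 'ip access-list', 'remark', '!', 'exit' and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("ip access-list", "remark", "!", "exit")):
            continue
        toks = line.split()
        action, proto, rest = toks[0], toks[1], toks[2:]
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append(AclEntry(action, proto, src, dst, dport))
    return entries


def _addr_match(spec: str, addr: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is don't-care."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec.split()[1] == addr
    net, wild = spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)


def evaluate(acl: List[AclEntry], src: str, dst: str, proto: str = "tcp",
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry); ("deny", None) is the implicit deny."""
    for i, e in enumerate(acl):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (_addr_match(e.src, src) and _addr_match(e.dst, dst)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, i
    return "deny", None


# ACL bodies copied from the thread (R1 as originally posted, R2 as suggested by Paul).
R1_ACL_OP = """
ip access-list extended SEVER-ACCESS
 permit tcp 192.168.1.0 0.0.0.255 host 192.168.3.2 eq 990
 permit tcp 192.168.1.0 0.0.0.255 host 192.168.3.2 eq 989
 permit tcp 192.168.1.0 0.0.0.255 host 192.168.3.2 eq 20
 permit tcp 192.168.1.0 0.0.0.255 host 192.168.3.2 eq 21
 permit ip any any
"""
R2_ACL_PAUL = """
ip access-list extended SEVER-ACCESS
 deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.2
 permit ip any any
"""


def check_policy(acl_text: str):
    """Run three constructed packets (host addresses are made up) through one ACL."""
    acl = parse_acl(acl_text)
    return {
        "lan1_ftps": evaluate(acl, "192.168.1.10", "192.168.3.2", "tcp", 990),
        "lan2_ftps": evaluate(acl, "192.168.2.10", "192.168.3.2", "tcp", 990),
        "lan2_udp":  evaluate(acl, "192.168.2.10", "192.168.3.2", "udp", 53),
    }


if __name__ == "__main__":
    for name, text in (("R1 (original post)", R1_ACL_OP), ("R2 (Paul's reply)", R2_ACL_PAUL)):
        print(name)
        for case, (action, idx) in check_policy(text).items():
            where = f"entry {idx}" if idx is not None else "implicit deny"
            print(f"  {case:10s} -> {action:6s} ({where})")
```

Two things the run makes visible that are easy to miss when reading the config: the R1 ACL from the original post never denies anything, because every packet that does not hit one of the four permit lines falls through to "permit ip any any" (so 192.168.2.0/24 is still allowed through it), and the R2 deny line is TCP-only, so non-TCP traffic from 192.168.2.0/24 to the server is still permitted by the final line. Dropping the trailing "permit ip any any" is not a fix on its own either: the implicit deny would then block 192.168.1.0/24 as well.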
Beginner

Re: Applying an access control list for FTPS session

Hello Paul, why would it be placed on R2 interface e0/0 inbound?

VIP Mentor

Re: Applying an access control list for FTPS session

Hello

@ezel14 wrote:

Hello Paul, why would it be placed on R2 interface e0/0 inbound?

As I have stated, you would want to negate that traffic before it leaves rtr2, so that it does not traverse the network only to be dropped by the destination rtr/host; applying the filter ingress on R2 e0/0 would stop this traffic even reaching its e1/0 interface.



kind regards
Paul