04-01-2020 05:48 AM
Hello all, I am having trouble understanding ACLs and the logic of inbound and outbound traffic. I am trying to allow network 192.168.1.0/24 to the FTPS server 192.168.3.0/24 only if an FTPS session originates from the 192.168.1.0/24 LAN. Network 192.168.2.0/24 shouldn't have access to the server. Is this method correct and is there a more efficient way of doing this?
R1
ip access-list extended SEVER-ACCESS
permit tcp 192.168.1.0 0.0.0.255 host 192.168.3.2 eq 990 (control port)
permit tcp 192.168.1.0 0.0.0.255 host 192.168.3.2 eq 989 (data port)
permit tcp 192.168.1.0 0.0.0.255 host 192.168.3.2 eq 20 (data port)
permit tcp 192.168.1.0 0.0.0.255 host 192.168.3.2 eq 21 (control port)
permit ip any any
exit
interface e0/0
ip access-group SEVER-ACCESS in
R2
ip access-list extended SEVER-ACCESS
deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.2
permit ip any any
exit
interface e0/1
ip access-group SEVER-ACCESS in
04-01-2020 06:41 AM - edited 04-01-2020 06:43 AM
Hi @ezel14
Try this
R4
ip access-list extended SEVER-ACCESS
deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.2 eq 990 (control port)
deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.2 eq 989 (data port)
deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.2 eq 20 (data port)
deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.2 eq 21 (control port)
permit ip any any
exit
interface e0/1
ip access-group SEVER-ACCESS out
Regards
04-01-2020 07:17 AM - edited 04-01-2020 07:19 AM
Hello
Standard ACLs only filter on the source address, so they should be placed as close to the destination as possible. Extended ACLs, on the other hand, can filter on source and destination addressing, so they can be placed as close to the source as possible, which avoids unwarranted router processing and wasted network bandwidth.
In relation to your topology, I would suggest you apply that extended ACL on R2 on the e0/0 interface inbound.
Example:
R2
ip access-list extended SEVER-ACCESS
deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.2
permit ip any any
interface e0/1
no ip access-group SEVER-ACCESS in
interface e0/0
ip access-group SEVER-ACCESS in
04-01-2020 09:00 AM
Hello Paul, why would it be placed on R2 interface e0/0 inbound?
04-01-2020 09:46 AM - edited 04-01-2020 10:47 AM
Hello
@ezel14 wrote:
Hello Paul, why would it be placed on R2 interface e0/0 inbound?
As I have stated, you would want to negate that traffic before it leaves rtr2, so that it does not traverse the network only to be dropped by the destination rtr/host; applying the filter ingress on R2 e0/0 would stop this traffic from even reaching its e1/0 interface.
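To make the evaluation logic behind these answers concrete (top-down first match, Cisco wildcard masks, the implicit deny at the end of every ACL, and why placement on R2 matters), here is an added example that is not part of the thread and not Cisco code: a small Python evaluator for extended ACL syntax. The two ACLs are copied verbatim from the posts above; the packets are constructed test inputs. Running it shows that R2's `deny tcp` line stops 192.168.2.0/24 TCP sessions to the server while leaving UDP and ICMP to that host permitted by `permit ip any any`, and that the R1 ACL from the original question never denies anything, because its last line permits whatever the first four did not match.

```python
"""Toy evaluator for Cisco-style extended ACLs (added example, not IOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: Tuple[str, str]         # (address, wildcard mask)
    dst: Tuple[str, str]
    sport: Optional[int]         # None means any port
    dport: Optional[int]
    text: str


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard: a 0 bit means 'must match', a 1 bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def _take_addr(tokens):
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def _take_port(tokens):
    if tokens[:1] == ["eq"]:
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, rest = _take_addr(rest)
    sport, rest = _take_port(rest)   # "eq" after the source is a source port
    dst, rest = _take_addr(rest)
    dport, rest = _take_port(rest)   # "eq" after the destination is a dest port
    return Ace(action, proto, src, dst, sport, dport, line)


def parse_acl(text: str):
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, *ace.src) or not wildcard_match(pkt.dst, *ace.dst):
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def evaluate(acl, pkt: Packet):
    """First matching entry wins; every ACL ends with an implicit deny (index None)."""
    for index, ace in enumerate(acl, start=1):
        if ace_matches(ace, pkt):
            return ace.action, index
    return "deny", None


# ACL text taken from the thread above.
R2_ACL = parse_acl("""
deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.2
permit ip any any
""")

R1_ACL = parse_acl("""
permit tcp 192.168.1.0 0.0.0.255 host 192.168.3.2 eq 990
permit tcp 192.168.1.0 0.0.0.255 host 192.168.3.2 eq 989
permit tcp 192.168.1.0 0.0.0.255 host 192.168.3.2 eq 20
permit tcp 192.168.1.0 0.0.0.255 host 192.168.3.2 eq 21
permit ip any any
""")

if __name__ == "__main__":
    # Constructed packets: LAN2 and LAN1 clients talking to the FTPS server.
    samples = [
        ("R2", R2_ACL, Packet("tcp", "192.168.2.5", "192.168.3.2", 40000, 990)),
        ("R2", R2_ACL, Packet("udp", "192.168.2.5", "192.168.3.2", 40000, 53)),
        ("R2", R2_ACL, Packet("tcp", "192.168.1.5", "192.168.3.2", 40000, 990)),
        ("R1", R1_ACL, Packet("tcp", "192.168.2.5", "192.168.3.2", 40000, 990)),
    ]
    for router, acl, pkt in samples:
        action, idx = evaluate(acl, pkt)
        print(f"{router}: {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport} => {action} (line {idx})")
```

The third R2 case (UDP to the server from 192.168.2.0/24 matching the `permit ip any any` line) is the caveat to keep in mind when a deny is written for `tcp` only; if the intent is "no access at all" from that LAN to the server, the deny would need to match `ip`, not just `tcp`.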