Applying an access control list for FTPS session

ezel14
Level 1

Hello all, I am having trouble understanding ACLs and the logic of inbound and outbound traffic. I am trying to allow network 192.168.1.0/24 to the FTPS server 192.168.3.0/24 only if an FTPS session originates from the 192.168.1.0/24 LAN. Network 192.168.2.0/24 shouldn't have access to the server. Is this method correct and is there a more efficient way of doing this? 

 

R1

ip access-list extended SEVER-ACCESS
 remark implicit FTPS: 990 = control port, 989 = data port
 permit tcp 192.168.1.0 0.0.0.255 host 192.168.3.2 eq 990
 permit tcp 192.168.1.0 0.0.0.255 host 192.168.3.2 eq 989
 remark plain/explicit FTP: 21 = control port, 20 = data port
 permit tcp 192.168.1.0 0.0.0.255 host 192.168.3.2 eq 20
 permit tcp 192.168.1.0 0.0.0.255 host 192.168.3.2 eq 21
 permit ip any any
exit

interface e0/0
 ip access-group SEVER-ACCESS in

R2

ip access-list extended SEVER-ACCESS
 deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.2
 permit ip any any
exit

interface e0/1
 ip access-group SEVER-ACCESS in

4 Replies

luis_cordova
VIP Alumni

Hi @ezel14

Try this

R4

ip access-list extended SEVER-ACCESS
 remark implicit FTPS: 990 = control port, 989 = data port
 deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.2 eq 990
 deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.2 eq 989
 remark plain/explicit FTP: 21 = control port, 20 = data port
 deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.2 eq 20
 deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.2 eq 21
 permit ip any any
exit

interface e0/1
 ip access-group SEVER-ACCESS out

Regards

 

Hello
Standard ACLs filter only on the source address, so they should be placed as close to the destination as possible. An extended ACL, on the other hand, can filter on both source and destination addressing, so it can be placed as close to the source as possible, which avoids unwarranted router processing and wasted network bandwidth.

In relation to your topology, I would suggest you apply that extended ACL on R2's e0/0 interface inbound.

Example:
R2
ip access-list extended SEVER-ACCESS
 deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.2
 permit ip any any

interface e0/1
 no ip access-group SEVER-ACCESS in

interface e0/0
 ip access-group SEVER-ACCESS in

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This could then assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul

Hello Paul, why would it be placed on R2 interface e0/0 inbound?

Hello

@ezel14 wrote:
Hello Paul, why would it be placed on R2 interface e0/0 inbound?

As I have stated, you would want to negate that traffic before it leaves R2, so that it does not traverse the network only to be dropped by the destination router/host; applying the filter ingress on R2 e0/0 would stop this traffic from even reaching its e1/0 interface.

Kind Regards
Paul
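A way to check the ACL logic this thread argues about without building a lab, added here as an example and not code from the original post, the replies, or Cisco IOS: a small Python evaluator for the IOS extended-ACL subset used above, implementing the semantics the replies rely on (top-down first match, wildcard masks, the implicit deny at the end, and the ingress-before-egress ordering behind Paul's placement advice). The ACLs are transcribed from the thread; the sample packets, the interface pairing (e0/0 in, e0/1 out) and the `forward` helper are constructed assumptions. Running it shows that the R1 ACL as posted permits everything, because `permit ip any any` catches whatever the earlier lines miss; that the R2 `deny tcp` entry with no port blocks every TCP port from 192.168.2.0/24 to the server, while luis_cordova's per-port variant blocks only the four listed ports; and that an inbound ACL on e0/0 drops the packet before any forwarding happens, which is Paul's point. One caveat that static port rules cannot capture: FTP data connections are not fixed client-to-server flows on 20 or 989. In active mode the server initiates the data connection from port 20 toward the client, and in passive mode the port is negotiated per session on the control channel, which under FTPS is encrypted, so a stateless ACL cannot learn it.

```python
"""First-match evaluator for the IOS extended-ACL subset used in the thread.
Added example, not code from the original post or from Cisco IOS; interface
names and the sample packets are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None

def _addr_spec(tokens):
    """Consume one IOS address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'.
    Returns ((network, care_mask), remaining_tokens); a wildcard bit of 0 means
    'must match', so the care mask is the inverted wildcard."""
    head = tokens[0]
    if head == "any":
        return (0, 0), tokens[1:]
    if head == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF), tokens[2:]
    network = int(ipaddress.IPv4Address(head))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    return (network, wildcard ^ 0xFFFFFFFF), tokens[2:]

def parse_ace(line):
    """Parse an entry like 'permit tcp 192.168.1.0 0.0.0.255 host 192.168.3.2 eq 990'.
    Only the syntax used in the thread (protocol, src, dst, optional 'eq') is handled."""
    tokens = line.split()
    src, rest = _addr_spec(tokens[2:])
    dst, rest = _addr_spec(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": tokens[0], "proto": tokens[1], "src": src, "dst": dst, "dport": dport}

def _addr_matches(spec, addr):
    network, care = spec
    return (int(ipaddress.IPv4Address(addr)) & care) == (network & care)

def _ace_matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    if not (_addr_matches(ace["src"], pkt.src) and _addr_matches(ace["dst"], pkt.dst)):
        return False
    return ace["dport"] is None or ace["dport"] == pkt.dport

def evaluate(acl_lines, pkt):
    """Return (verdict, matched_line). IOS stops at the first matching entry; a
    packet that matches no entry hits the implicit 'deny ip any any'."""
    for raw in acl_lines:
        line = raw.strip()
        if not line or line.startswith(("remark", "!")):
            continue
        ace = parse_ace(line)
        if _ace_matches(ace, pkt):
            return ace["action"], line
    return "deny", "implicit deny ip any any"

def forward(acls, ingress, egress, pkt):
    """Walk one packet through a router whose ACLs are keyed by (interface, direction).
    IOS applies the ingress interface's 'in' ACL before the routing lookup and the
    egress interface's 'out' ACL after it, so a deny at ingress costs no forwarding
    work; that ordering is the reason for choosing e0/0 inbound."""
    for iface, direction in ((ingress, "in"), (egress, "out")):
        acl = acls.get((iface, direction))
        if acl is not None and evaluate(acl, pkt)[0] == "deny":
            return "dropped at %s %s" % (iface, direction)
    return "forwarded out %s" % egress

# ACLs transcribed from the thread (the port annotations are not IOS syntax and are dropped).
R1_ACL = [
    "permit tcp 192.168.1.0 0.0.0.255 host 192.168.3.2 eq 990",
    "permit tcp 192.168.1.0 0.0.0.255 host 192.168.3.2 eq 989",
    "permit tcp 192.168.1.0 0.0.0.255 host 192.168.3.2 eq 20",
    "permit tcp 192.168.1.0 0.0.0.255 host 192.168.3.2 eq 21",
    "permit ip any any",
]
R2_ACL = [  # original R2 entry: no port, so every TCP port to the server is denied
    "deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.2",
    "permit ip any any",
]
R2_ACL_PORTS_ONLY = [  # luis_cordova's variant: only the four FTP/FTPS ports
    "deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.2 eq 990",
    "deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.2 eq 989",
    "deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.2 eq 20",
    "deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.2 eq 21",
    "permit ip any any",
]

if __name__ == "__main__":
    # Constructed sample packet: a host in the 192.168.2.0/24 LAN opening the FTPS control port.
    lan2 = Packet("tcp", "192.168.2.10", "192.168.3.2", 990)
    print("R1 ACL as posted  :", evaluate(R1_ACL, lan2))          # permitted by the catch-all
    print("R2 ACL            :", evaluate(R2_ACL, lan2))
    print("R2 on e0/0 in     :", forward({("e0/0", "in"): R2_ACL}, "e0/0", "e0/1", lan2))
    print("R2 on e0/1 out    :", forward({("e0/1", "out"): R2_ACL}, "e0/0", "e0/1", lan2))
```

The evaluator only understands the entries that appear in the thread (protocol, source, destination, optional `eq`), which is enough to see why the R1 list restricts nothing on its own and why the placement of the R2 list decides whether the packet is dropped before or after the router has done the routing work.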