04-07-2005 11:33 AM - edited 03-03-2019 09:14 AM
We have about 200 remote sites, all with 2610s and 384K - 512K FR connections. We're trying to implement effective egress filtering using ACLs and NBAR, and have run into a small snag - PASV ftp.
We "need" PASV mode ftp for a number of apps. Supporting ACTV ftp with RACLs is easy, but for some reason I'm struggling with supporting PASV ftp.
The remote routers have only two interfaces - e0/0 for the remote LAN, and s0/0 for the FR connection. My preference is to apply the egress ACL "in" on the e0/0 interface. I am open to moving this to "out" of s0/0 if necessary.
Any suggestions?
Gary
04-07-2005 03:22 PM
Hi,
Consider using CBAC if the routers have Firewall feature set. Enabling only ftp inspection may minimize the amount of the router's cpu power consumed by CBAC. I think CBAC inspection supports passive ftp:
http://www.cisco.com/warp/public/110/iosfwfaq.html#qa5
HTH,
Mustafa
04-08-2005 07:10 AM
No CBAC, just have plain old IP feature set.
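The following is an added configuration example, not something posted in this thread, written for the situation the thread ends on: an IP-base-only router with two interfaces, egress filtering applied "in" on e0/0, and reflexive ACLs as the only stateful tool available. It assumes a LAN of 10.1.1.0/24 behind e0/0 and two sanctioned FTP servers at 192.0.2.10 and 192.0.2.11 whose PASV data-port range has been pinned to 50000-50100 on the server side; all of those addresses, ranges and ACL names are hypothetical. The point it illustrates is that in active FTP only the control channel is opened by the client, while in passive FTP the client opens both the control channel and the data channel, so an egress ACL has to admit an outbound connection to an ephemeral server port that a reflexive entry cannot predict. Scoping that permit to the sanctioned servers and their advertised PASV range keeps the egress policy tight instead of falling back to "permit tcp any any".

```cisco
! Added example, not from the original thread. Hypothetical addresses:
!   LAN behind e0/0 ............ 10.1.1.0/24
!   sanctioned FTP servers ..... 192.0.2.10, 192.0.2.11
!   PASV data range (server-side setting, assumed) ... TCP 50000-50100
!
! Egress policy, applied "in" on e0/0. Each permitted outbound session
! is reflected into the temporary list FTP-SESSIONS so only replies to
! LAN-initiated sessions are accepted on the way back.
ip access-list extended LAN-EGRESS
 remark Active FTP: client opens only the control channel outbound
 permit tcp 10.1.1.0 0.0.0.255 any eq ftp reflect FTP-SESSIONS timeout 300
 remark Passive FTP: client ALSO opens the data channel outbound, to an
 remark ephemeral server port that no reflexive entry can anticipate.
 remark Scope it to the sanctioned servers and their PASV range instead
 remark of "permit tcp any any", which would defeat egress filtering.
 permit tcp 10.1.1.0 0.0.0.255 host 192.0.2.10 range 50000 50100 reflect FTP-SESSIONS timeout 300
 permit tcp 10.1.1.0 0.0.0.255 host 192.0.2.11 range 50000 50100 reflect FTP-SESSIONS timeout 300
 remark Other sanctioned egress (hypothetical examples)
 permit tcp 10.1.1.0 0.0.0.255 any eq www reflect FTP-SESSIONS timeout 300
 permit tcp 10.1.1.0 0.0.0.255 any eq 443 reflect FTP-SESSIONS timeout 300
 permit udp 10.1.1.0 0.0.0.255 any eq domain reflect FTP-SESSIONS timeout 60
 remark Logged deny: PASV attempts to an unlisted server show up here,
 remark which is how missing servers get found during rollout.
 deny ip any any log
!
! Return policy, applied "out" on e0/0 (toward the LAN). The evaluate
! line admits replies to reflected sessions; the static line in front
! of it is the one hole active FTP needs, because the server opens the
! data channel itself from port 20 to the client's ephemeral port.
ip access-list extended LAN-RETURN
 remark Active FTP data channel: server-initiated, so not reflected
 permit tcp any eq ftp-data 10.1.1.0 0.0.0.255 gt 1023
 evaluate FTP-SESSIONS
 deny ip any any log
!
interface Ethernet0/0
 ip access-group LAN-EGRESS in
 ip access-group LAN-RETURN out
```

Both lists sit on e0/0, which matches the preference stated in the first post and keeps the reflect and evaluate halves of the reflexive ACL on one interface. If the PASV range on a given server cannot be pinned, the data-channel line for that host has to widen to `gt 1023`, which is still restricted to that one destination. Note that the static `eq ftp-data` hole exists only for active FTP; if every application moves to PASV it can be removed, leaving the `evaluate` line as the sole path back into the LAN.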