RACL to permit PASV ftp with egress filtering

ggatten
Level 1

We have about 200 remote sites all with 2610's and 384K - 512K FR connections. We're trying to implement effective egress filtering using ACLs and NBAR, and have run into a small snag - PASV ftp.

We "need" PASV mode ftp for a number of apps. Supporting ACTV ftp with RACL's is easy, but for some reason I'm struggling with supporting PASV ftp.

The remote routers have only (2) IF's - e0/0 for the remote LAN, and s0/0 for the FR connection. My preference is to apply the egress ACL "in" on the e0/0 interface. I am open to moving this to "out" of s0/0 if necessary.

Any suggestions?

Gary

2 Replies

mhussein
Level 4

Hi,

Consider using CBAC if the routers have Firewall feature set. Enabling only ftp inspection may minimize the amount of the router's cpu power consumed by CBAC. I think CBAC inspection supports passive ftp:

http://www.cisco.com/warp/public/110/iosfwfaq.html#qa5

HTH,

Mustafa

No CBAC, just have plain old IP feature set.
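An added configuration sketch, not from this thread, illustrating why a reflexive ACL covers the FTP control channel but not the PASV data channel, alongside the CBAC alternative Mustafa points to. The LAN range 192.0.2.0/24, the list names, and the timeouts are assumptions.

```cisco
! Added example, not from the thread. Assumes LAN 192.0.2.0/24 behind e0/0,
! the FR link on s0/0, and an IOS image with reflexive ACL support.
!
! Egress policy, applied "in" on e0/0: what the LAN may initiate outbound.
ip access-list extended EGRESS-IN
 ! FTP control channel (server port 21): reflect it so the server's
 ! replies are allowed back in on s0/0 for the life of the session.
 permit tcp 192.0.2.0 0.0.0.255 any eq ftp reflect RLAN timeout 300
 permit tcp 192.0.2.0 0.0.0.255 any eq www reflect RLAN timeout 300
 permit udp 192.0.2.0 0.0.0.255 any eq domain reflect RLAN timeout 60
 ! PASV data channel: the client opens a NEW outbound session to a
 ! server port announced inside the control channel. A plain or
 ! reflexive ACL never learns that port, so the only way to allow it
 ! here is a broad permit to high ports, which is exactly the hole
 ! egress filtering is meant to close. Shown for comparison only:
 permit tcp 192.0.2.0 0.0.0.255 any gt 1023 reflect RLAN timeout 300
 deny ip any any log
!
! Return-traffic policy, applied "in" on s0/0.
ip access-list extended FR-IN
 evaluate RLAN
 ! Active-mode data channel: the server connects from port 20 to a
 ! client high port, which reflect/evaluate cannot anticipate.
 permit tcp any eq ftp-data 192.0.2.0 0.0.0.255 gt 1023
 deny ip any any log
!
interface Ethernet0/0
 ip access-group EGRESS-IN in
!
interface Serial0/0
 ip access-group FR-IN in
!
! Alternative with the Firewall feature set (Mustafa's suggestion):
! CBAC ftp inspection reads the PASV reply on the control channel and
! opens just that data port for that session, so the broad "gt 1023"
! line above is no longer needed.
ip inspect name EGRESS ftp
interface Ethernet0/0
 ip inspect EGRESS in
```

Without CBAC, the "gt 1023" line is the only plain-ACL way to let PASV data connections out, so it should be scoped as tightly as the app servers' addresses allow and logged.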
