Access List Probz

Anand Narayana
Level 6

Hi,

I have an access-list problem. My requirement is that I want to permit 61.1.1.48 to access a public IP, 202.1.1.1, which is an FTP server, so I have permitted ONLY FTP access outside for 61.1.1.48, whereas the other IP addresses in the same range, 61.1.1.0/24, are permitted to access any ports outside.

interface serial 0/0/0
ip address 1.1.1.1 255.255.255.252
ip access-group 101 out
ip access-group 102 in

interface fas 0/0
ip address 61.1.1.1 255.255.255.0

access-list 101 deny ip host 61.1.1.48 any
access-list 101 permit tcp host 61.1.1.1 host 202.1.1.1 eq 21
access-list 101 permit ip any any

access-list 102 permit ip any any

When I put this in my router, I get this message when I do FTP to 202.1.1.1 from 61.1.1.48:

C:\>ftp 202.1.1.1
Connected to 202.1.1.1.
Connection closed by remote host.

Please correct me wherever I have made a mistake in this.

10 Replies

Jon Marshall
Hall of Fame

Hi

Can you recheck your ACL 101, i.e.

access-list 101 deny ip host 61.1.1.48 any
access-list 101 permit tcp host 61.1.1.1 host 202.1.1.1 eq 21
access-list 101 permit ip any any

1) Your first line denies 61.1.1.48 from any access, so it doesn't matter what else is in the ACL.

2) Is line 2 meant to say 61.1.1.148 instead of 61.1.1.1?

If so, you need to update the line and move it to the top of the ACL.

HTH

Jon

Sorry, it was actually 61.1.1.48 only; it was my mistake while typing in this form.

access-list 101 deny ip host 61.1.1.48 any
access-list 101 permit tcp host 61.1.1.48 host 202.1.1.1 eq 21
access-list 101 permit ip any any

Hi

You still have the same problem with the order of your ACL lines.

The first line denies IP from 61.1.1.48. IP includes TCP and UDP, so it will never get to the second line.

Jon

Yeah, I still face the same problem.

Do you want me to try adding UDP as well?

No, you shouldn't need UDP for FTP.

Could you send the updated access-list? Remember that FTP uses more than just one port and you have only allowed one port through. Try adding TCP port 20 as well as TCP port 21 to your ACL.

This still may not work. Do you know which kind of FTP you are using, active or passive?

Jon

I tried with a GUI FTP client (FileZilla), which is in PASSIVE mode by default.

So shall I go ahead with the ACL below?

access-list 101 deny ip host 61.1.1.48 any
access-list 101 permit tcp host 61.1.1.48 host 202.1.1.1 eq 20
access-list 101 permit tcp host 61.1.1.48 host 202.1.1.1 eq 21
access-list 101 permit ip any any

If so, then I will go ahead and put this ACL in my router.

Hi

Try this and let me know the result. Note that I have reordered the lines.

access-list 101 permit tcp host 61.1.1.48 host 202.1.1.1 eq 20
access-list 101 permit tcp host 61.1.1.48 host 202.1.1.1 eq 21
access-list 101 deny ip host 61.1.1.48 any
access-list 101 permit ip any any

Jon

OK, fine, I will try it and let you know by tomorrow, as everyone at the remote end has left for the day.

Okay no problem.

I had a quick check on passive mode. If the access-list you have doesn't work, try

access-list 101 permit tcp host 61.1.1.48 host 202.1.1.1 eq 21
access-list 101 permit tcp host 61.1.1.48 host 202.1.1.1 range 1025 65535
access-list 101 deny ip host 61.1.1.48 any
access-list 101 permit ip any any

Jon
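The first-match behaviour Jon describes in his replies above, and the difference between the port-20/21 list and the passive-mode list, can be checked offline before touching the router. The following is an added example, not code from the thread or from Cisco IOS: it parses numbered extended-ACL lines in the form the posters wrote them, models the implicit deny at the end of every IOS ACL, and evaluates constructed outbound packets from 61.1.1.48 to 202.1.1.1 against the three lists posted in the thread. The client source port 49152 and the passive data port 50000 are assumed values. It goes slightly beyond the thread in that it also accepts the `A.B.C.D WILDCARD` address form and the `range`, `gt` and `lt` port operators, which the posted ACLs do not all use.

```python
"""Simulate Cisco IOS first-match evaluation of a numbered extended ACL.

Added example for the thread above; not IOS code and not the posters' code.
Only contiguous wildcard masks are supported, and ICMP type/code, TCP flags
and the 'established' keyword are not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]
_PORT_OPS = {"eq", "range", "gt", "lt"}


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # 0 = not applicable
    dport: int = 0


@dataclass(frozen=True)
class Entry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sports: PortRange             # None = any source port
    dports: PortRange             # None = any destination port


def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # A Cisco wildcard mask is the bitwise inverse of a subnet mask.
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def _parse_ports(tokens: List[str]) -> PortRange:
    """Consume an optional port operator; return an inclusive (low, high) range."""
    if not tokens or tokens[0] not in _PORT_OPS:
        return None
    op = tokens.pop(0)
    if op == "eq":
        p = int(tokens.pop(0))
        return (p, p)
    if op == "range":
        return (int(tokens.pop(0)), int(tokens.pop(0)))
    if op == "gt":
        return (int(tokens.pop(0)) + 1, 65535)
    return (0, int(tokens.pop(0)) - 1)      # lt


def parse_acl(text: str) -> List[Entry]:
    """Parse 'access-list N permit|deny PROTO SRC [ports] DST [ports]' lines."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue                          # ignore blank or non-ACL lines
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src = _parse_addr(rest)
        sports = _parse_ports(rest)
        dst = _parse_addr(rest)
        dports = _parse_ports(rest)
        entries.append(Entry(action, proto, src, dst, sports, dports))
    return entries


def evaluate(entries: List[Entry], pkt: Packet) -> Tuple[str, int]:
    """Return (action, line_no) of the first matching entry.

    line_no 0 means the implicit 'deny ip any any' at the end of the list.
    """
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for n, e in enumerate(entries, 1):
        if e.proto not in ("ip", pkt.proto):
            continue
        if src not in e.src or dst not in e.dst:
            continue
        if e.sports and not e.sports[0] <= pkt.sport <= e.sports[1]:
            continue
        if e.dports and not e.dports[0] <= pkt.dport <= e.dports[1]:
            continue
        return e.action, n
    return "deny", 0


# The three lists from the thread, verbatim.
ORIGINAL_ACL = """
access-list 101 deny ip host 61.1.1.48 any
access-list 101 permit tcp host 61.1.1.48 host 202.1.1.1 eq 21
access-list 101 permit ip any any
"""
REORDERED_ACL = """
access-list 101 permit tcp host 61.1.1.48 host 202.1.1.1 eq 20
access-list 101 permit tcp host 61.1.1.48 host 202.1.1.1 eq 21
access-list 101 deny ip host 61.1.1.48 any
access-list 101 permit ip any any
"""
PASSIVE_ACL = """
access-list 101 permit tcp host 61.1.1.48 host 202.1.1.1 eq 21
access-list 101 permit tcp host 61.1.1.48 host 202.1.1.1 range 1025 65535
access-list 101 deny ip host 61.1.1.48 any
access-list 101 permit ip any any
"""


def outbound(acl_text: str, src: str, dport: int, proto: str = "tcp") -> Tuple[str, int]:
    """Decide a constructed outbound packet from src to the FTP server 202.1.1.1.

    Source port 49152 is an assumed ephemeral port."""
    return evaluate(parse_acl(acl_text), Packet(proto, src, "202.1.1.1", 49152, dport))


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("reordered", REORDERED_ACL),
                      ("passive", PASSIVE_ACL)):
        # Port 21 is the control channel; 50000 stands in for a PASV data port.
        print(name, "ctl:", outbound(acl, "61.1.1.48", 21),
              "data:", outbound(acl, "61.1.1.48", 50000))
```

Running it shows the original list denying on line 1 before the permit is ever consulted, the reordered list permitting port 21 but denying the passive data connection on its `deny ip` line, and the final list permitting both while still denying everything else from 61.1.1.48 and leaving the rest of 61.1.1.0/24 on the `permit ip any any` line. Permitting the whole 1025-65535 range to the server is the price of a stateless filter; on IOS, stateful FTP inspection (CBAC with `ip inspect name ... ftp`, or the zone-based firewall) opens only the data port negotiated on the control channel.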

Hi Marshall,

It was extremely helpful and it worked with this command itself. Thanks for the valuable response.
