ACL configuration
02-29-2012 07:44 PM - edited 03-07-2019 05:16 AM
Hi all,
I want to set an ACL for both FTP servers so that both can act as FTP servers. Can I set the ACL below to achieve it?
Below is the network topology
FTP server A (192.168.0.1)-->RouterA ---Wan link ----Router B ----FTP server B (192.168.1.1)
Router A ACL
permit tcp host 192.168.0.1 host 192.168.1.1 range 20 21
ip access-group LAN in
Router B ACL
permit tcp host 192.168.1.1 host 192.168.0.1 range 20 21
ip access-group LAN in
Labels: LAN Switching
02-29-2012 07:46 PM
I don't know whether I need to set a reply ACL.
03-05-2012 06:55 AM
Hi
First of all, if possible do not use FTP; it is unsafe and a stupid protocol any way you look at it.
Go with something like SFTP instead; that will make your life less vulnerable and configuration much easier.
Why not FTP?
Well, first of all, anyone on the way can sniff your username and password since they are sent in cleartext. FTP is directly firewall hostile, and you do not know that your data will be sent from A to B without the information changing.
If possible do not use the standard SFTP port.
FTP needs to be looked at from the firewalls' and routers' access-list point of view. It needs some form of deep packet inspection or ALG to know what to open and how.
So do yourself a favour and use something different than FTP.
If nothing else it will make your configuration much easier. (No, FTPS is not the answer.)
Whether you need a reply ACL or not is entirely up to how you have set up your routers before.
Good luck
HTH

03-06-2012 08:38 PM
You need to look up the difference between active and passive FTP. That will make understanding your ACL needs much clearer.
Sent from Cisco Technical Support iPad App
04-11-2012 07:40 PM
This is fine, but you also need the
no ip ftp passive
global configuration command on the client router. Overall I agree with the other suggestions that FTP is not the best protocol to use, something like SCP, SFTP, or enabling IPSec for the particular FTP traffic would be preferable.
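As an added illustration (not posted in the thread), the following Python model walks the control and data connections of an active and a passive FTP transfer through the two ACLs posted in the question and reports which segments each LAN-in ACL permits. The hosts and ports 20/21 come from the question; the ephemeral ports 50000 and 40000 are constructed, and the model assumes the Cisco extended-ACE rule that a port operator written after the destination host applies to the destination port.

```python
from dataclasses import dataclass

# Hosts from the question: FTP server A behind Router A, FTP server B behind Router B.
A, B = "192.168.0.1", "192.168.1.1"

@dataclass(frozen=True)
class Flow:
    """One TCP segment: who sends it, from which port, to whom, to which port."""
    src: str
    sport: int
    dst: str
    dport: int

# Model of 'permit tcp host SRC host DST range LO HI' as posted: in a Cisco extended
# ACE the port operator written after the destination host applies to the DESTINATION port.
ROUTER_A_LAN_IN = [(A, B, 20, 21)]   # applied inbound on Router A's LAN interface
ROUTER_B_LAN_IN = [(B, A, 20, 21)]   # applied inbound on Router B's LAN interface

def permitted(acl, f):
    """First matching ACE wins; an ACL ends with an implicit 'deny ip any any'."""
    return any(f.src == s and f.dst == d and lo <= f.dport <= hi for s, d, lo, hi in acl)

def acl_on_path(f):
    """A segment is filtered by the LAN-in ACL of the router in front of its sender."""
    return ROUTER_A_LAN_IN if f.src == A else ROUTER_B_LAN_IN

def ftp_session(client, server, passive, c_eph=50000, s_eph=40000):
    """TCP segments of one FTP transfer. c_eph/s_eph are constructed ephemeral ports.
    Active: the server opens the data connection from port 20 to the client's port.
    Passive: the client opens the data connection to a server-chosen high port."""
    flows = {
        "control SYN":   Flow(client, c_eph, server, 21),
        "control reply": Flow(server, 21, client, c_eph),
    }
    if passive:
        flows["data SYN"]   = Flow(client, c_eph + 1, server, s_eph)
        flows["data reply"] = Flow(server, s_eph, client, c_eph + 1)
    else:
        flows["data SYN"]   = Flow(server, 20, client, c_eph + 1)
        flows["data reply"] = Flow(client, c_eph + 1, server, 20)
    return flows

def evaluate(client, server, passive):
    """Map each segment of the session to True (permitted) or False (dropped)."""
    return {name: permitted(acl_on_path(f), f)
            for name, f in ftp_session(client, server, passive).items()}

if __name__ == "__main__":
    for mode in (False, True):
        print("passive" if mode else "active", evaluate(A, B, mode))
```

Only the segments addressed to port 20 or 21 pass; every reply, and the whole passive data connection, falls to the implicit deny, which is exactly the "reply ACL" question raised in the thread and why the active/passive distinction matters for the ACL.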
