08-31-2009 08:27 AM - edited 03-06-2019 07:31 AM
I am working at a customer site today and have an issue with an FTP transfer. The user initiates an FTP transfer from his server to a public FTP site. He is able to login OK but then cannot list or transfer files.
We have an access-list on the VLAN that he is a member of. We know that the access-list is denying the connection attempt, as we can see it in the log. It matches the list statement 730 "deny ip any any log (748433 matches)", and then we see this in the log: "Aug 31 12:04:16.765: %SEC-6-IPACCESSLOGP: list LoSCADA-vlan104 denied tcp 66.112.157.210(20) -> 192.168.104.59(4534), 1 packets"
Here is the statement we have to permit this in the ACL itself:
"221 permit tcp host 66.112.157.210 host 192.168.104.59 eq ftp-data"
Here is the configured statement on the VLAN interface:
"ip access-group LoSCADA-vlan104 out".
I need help to figure out why my ACL statement is not correctly written. When I remove the ACL from the interface, the FTP transfer works.
08-31-2009 08:53 AM
"denied tcp 66.112.157.210(20) -> 192.168.104.59(4534), "
"221 permit tcp host 66.112.157.210 host 192.168.104.59 eq ftp-data"
Perhaps try:
221 permit tcp host 66.112.157.210 eq ftp-data host 192.168.104.59
08-31-2009 08:52 AM
In your ACL, you have 192.168.104.59 with the server port but your current task is not of a server but of a client.
Your FTP server is initiating the transfer, so its function is that of an FTP client. An FTP client will use a random high port (1024 and above).
HTH,
__
Edison.
08-31-2009 09:02 AM
Hi,
Could you post the config of the ACL ?
Thanks
Laurent.
08-31-2009 02:00 PM
Hi,
I asked for the ACL just in case but the correct explanation has already been provided by Edison and Joseph.
Laurent.
08-31-2009 10:27 PM
Hello,
Can you try
permit tcp any any established
Also, what about the FTP control port (21)?
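Worked example, added here and not taken from any of the posts above: a small Python matcher for the extended ACL syntax used in this thread. It runs the original entry 221, the corrected entry with the port qualifier moved to the source host, and the `permit tcp any any established` suggestion against the packet from the denial log. The packet's TCP flags are an assumption (the server opening an active-mode data connection sends a SYN).

```python
# Packet from the denial log: server port 20 -> client port 4534, i.e. the
# server opening the active-mode data connection. Constructed from the log
# line in the first post; the SYN flag is assumed for a new connection.
LOGGED_PACKET = dict(proto="tcp", src="66.112.157.210", sport=20,
                     dst="192.168.104.59", dport=4534, flags={"SYN"})
PORT_NAMES = {"ftp-data": 20, "ftp": 21}

def parse_ace(line):
    """Parse '<seq> permit|deny <proto> <src> [eq p] <dst> [eq p] [established] [log]'."""
    toks = line.split()
    seq, action, proto, rest = int(toks[0]), toks[1], toks[2], toks[3:]
    def take_endpoint():
        nonlocal rest
        if rest[0] == "host":
            addr, rest = rest[1], rest[2:]
        else:                       # 'any'
            addr, rest = None, rest[1:]
        port = None
        if rest and rest[0] == "eq":  # a port qualifier binds to the
            port = PORT_NAMES.get(rest[1]) or int(rest[1])  # endpoint before it
            rest = rest[2:]
        return addr, port
    src, sport = take_endpoint()
    dst, dport = take_endpoint()
    return dict(seq=seq, action=action, proto=proto, src=src, sport=sport,
                dst=dst, dport=dport, established="established" in rest)

def ace_matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    for addr, port, pkt_addr, pkt_port in (
            (ace["src"], ace["sport"], pkt["src"], pkt["sport"]),
            (ace["dst"], ace["dport"], pkt["dst"], pkt["dport"])):
        if addr is not None and addr != pkt_addr:
            return False
        if port is not None and port != pkt_port:
            return False
    # 'established' matches only segments with ACK or RST set, so it never
    # permits the server-initiated SYN of an active-mode data connection.
    if ace["established"] and not (pkt["flags"] & {"ACK", "RST"}):
        return False
    return True

def evaluate(acl_lines, pkt):
    # First matching entry wins; an ACL ends with an implicit deny.
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], ace["seq"]
    return "deny", None
```

With the original entry, `eq ftp-data` constrains the destination port to 20 while the logged packet has destination port 4534, so the packet falls through to entry 730; moving the qualifier after the source host makes entry 221 match.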