11-02-2023 08:44 AM - edited 11-06-2023 06:58 AM
Please disregard this post and any attached messages.
The issue is currently being resolved.
11-02-2023 08:48 AM
None of the above.
11-02-2023 10:55 AM - edited 11-02-2023 01:54 PM
Hello @cp165125,
Standard ACLs should be located as close to the destination as possible. If a standard ACL were placed at the source of the traffic, the “permit” or “deny” would occur based on the given source address, regardless of the traffic destination.
Reference:
In your case, you need to match a port; so, extended ACL!
11-02-2023 01:12 PM
A standard access control list specifies a source address but can not specify anything about protocols. So this is not the correct choice.
Standard port filter is not part of IOS. So this is not the correct choice.
Extensive access control list is not part of IOS. So this is not the correct choice.
So extended access control list is the correct choice.
11-02-2023 01:59 PM
"So extended access control list is the correct choice."
I assume you assume standard FTP ports are being used? But if they are not, what would such an extended ACL look like?
The only way I can see blocking FTP traffic is with something that does deeper packet inspection.
As the OP is actually worded, I don't consider any of the answers correct.
11-04-2023 04:35 AM
If the extensive access control list contains ports, then it is the correct answer.
Extensive access control list: this is my first time seeing such an ACL.
Thanks A Lot
MHM
11-04-2023 10:01 AM
@MHM Cisco World, like @Richard Burts, I'm unfamiliar with what an "extensive" ACL is. I also did a quick search for it but didn't find any information. Could you provide any Cisco reference links explaining this ACL kind?
BTW, @cp165125, what @Richard Burts suggested as the correct answer is probably the answer being sought by whoever provided that question. Again, though, the way the question is worded, it's not a correct answer.
BTW, an example of an extended ACL ACE that would block FTP using the expected assigned port would be:
access-list 100 deny tcp any any eq ftp !ftp symbolic for port 21
Such could be used on an ingress ACL on the Internet facing interface.
Again, as FTP can use any port, the above ACE will not block all possible FTP traffic, but an ACL ACE to block such usage would be:
access-list 100 deny tcp any any range 0 65535
A problem with the foregoing: although it would block FTP, it also effectively blocks all other TCP traffic.
In my reply to Rick, I mentioned something that does deeper packet inspection might work. One possible feature that Cisco often supports on routers might be NBAR. The reason for "might" is that sometimes NBAR is nothing more than a pretty face for an ACE. However, for FTP, some NBAR documentation has:
Internet | FTP | TCP | 21, 21000, Heuristic | File Transfer Protocol | ftp | Cisco IOS XE Release 2.3
The word of interest, in the above, is "Heuristic", which I believe denotes further deeper packet inspection is done.
I.e. NBAR might match FTP using any port.
If so, using it would be something like:
class-map match-any FTP
 match protocol ftp
policy-map BlockFTP
 class FTP
  drop
Using the above service-policy as an ingress policy on the Internet facing interface.
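Added example (my own code, not from the thread or any Cisco tool) that takes the two ACEs posted above and evaluates them against a few destination ports: `eq ftp` denies only port 21, so FTP on a non-standard port passes, while `range 0 65535` denies every TCP port. The ACE grammar it parses is an assumption limited to the `tcp any any` form used in the thread.

```python
# Added illustration, not code from the thread: a tiny evaluator for the
# 'access-list N deny tcp any any ...' ACE form, showing that 'eq ftp' only
# denies destination port 21 while 'range 0 65535' denies every TCP port.
from dataclasses import dataclass

# Subset of the symbolic port names IOS accepts in place of numbers.
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "www": 80, "telnet": 23}

# The two ACEs posted above, used here as constructed sample input.
ACE_EQ_FTP = "access-list 100 deny tcp any any eq ftp !ftp symbolic for port 21"
ACE_ALL_TCP = "access-list 100 deny tcp any any range 0 65535"

@dataclass
class Ace:
    action: str  # "permit" or "deny"
    lo: int      # lowest destination port the ACE matches
    hi: int      # highest destination port the ACE matches

    def matches(self, dport: int) -> bool:
        return self.lo <= dport <= self.hi

def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def parse_ace(line: str) -> Ace:
    """Parse 'access-list N <permit|deny> tcp any any [eq P | range A B]'.
    Only the 'any any' form is handled; a trailing '!' comment is ignored."""
    toks = line.split("!")[0].split()
    if toks[:1] != ["access-list"] or toks[3:6] != ["tcp", "any", "any"]:
        raise ValueError(f"unsupported ACE: {line!r}")
    action, rest = toks[2], toks[6:]
    if not rest:                 # no port qualifier: every TCP port
        lo, hi = 0, 65535
    elif rest[0] == "eq":
        lo = hi = _port(rest[1])
    elif rest[0] == "range":
        lo, hi = _port(rest[1]), _port(rest[2])
    else:
        raise ValueError(f"unsupported port qualifier: {rest[0]!r}")
    return Ace(action, lo, hi)

def denied_ports(ace_line: str, dports) -> list:
    """Return the destination ports in dports that the ACE would deny."""
    ace = parse_ace(ace_line)
    return [p for p in dports if ace.action == "deny" and ace.matches(p)]

if __name__ == "__main__":
    flows = [21, 2121, 443]   # FTP control, FTP on a non-standard port, HTTPS
    print(denied_ports(ACE_EQ_FTP, flows), denied_ports(ACE_ALL_TCP, flows))
```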