Extended ACL permit FTP only between two sub-networks on an Intranet

murraydevon14
Level 1

Hello, I am experiencing issues setting up an access list for two of the 4 subnetworks on a PT-Router in Cisco Packet Tracer.

The goal of the ACLs below is to permit a device in the 10.8.0.X/24 subnet to communicate with the file server in the 10.2.0.X/24 subnet for FTP services only, and vice versa.
10.8.0.2 and 10.2.0.2 are the file server IPs for their respective subnets.
These access lists work to set up the connection between client and server; however, after logging in, when I use FTP commands such as "put" or "dir" I receive the following errors on any device on either subnet:
%Error opening ftp://10.2.0.2/ (Timed out)
%Error opening ftp://10.8.0.2/ (Timed out)
What could be the error or omission in the ACLs below?

access-list 100 permit tcp any eq 20 10.2.0.0 0.0.0.255
access-list 100 permit tcp any 10.2.0.0 0.0.0.255 eq ftp
access-list 100 permit tcp 10.2.0.0 0.0.0.255 eq 20 10.8.0.0 0.0.0.255 established
access-list 100 permit tcp 10.2.0.0 0.0.0.255 eq ftp 10.8.0.0 0.0.0.255 established
access-list 100 permit tcp 10.8.0.0 0.0.0.255 eq 20 10.2.0.0 0.0.0.255 established
access-list 100 permit tcp 10.8.0.0 0.0.0.255 eq ftp 10.2.0.0 0.0.0.255 established
access-list 100 deny ip any any

access-list 101 permit tcp any eq 20 10.8.0.0 0.0.0.255
access-list 101 permit tcp any 10.8.0.0 0.0.0.255 eq ftp
access-list 101 permit tcp 10.8.0.0 0.0.0.255 eq 20 10.2.0.0 0.0.0.255 established
access-list 101 permit tcp 10.8.0.0 0.0.0.255 eq ftp 10.2.0.0 0.0.0.255 established
access-list 101 permit tcp 10.2.0.0 0.0.0.255 eq 20 10.8.0.0 0.0.0.255 established
access-list 101 permit tcp 10.2.0.0 0.0.0.255 eq ftp 10.8.0.0 0.0.0.255 established
access-list 101 deny ip any any

interface FastEthernet0/0
ip access-group 100 in

interface FastEthernet1/0
ip access-group 101 in


2 Replies

Change the direction of the ACL and try again.

Hi

You can add your pkt file here, which makes it easier to help. You need to zip it first.

But looking at the config, I'd say you may need to change something.

The ACL is based on source and destination. When you write it like this:

access-list 100 permit tcp any eq 20 10.2.0.0 0.0.0.255

you are allowing hosts from anywhere to start a connection from port 20 to hosts on network 10.2.0.0.

access-list 100 permit tcp any 10.2.0.0 0.0.0.255 eq ftp

And here you are allowing hosts from anywhere to establish a connection to network 10.2.0.0 on port 21.

I'd put one more line like this:

access-list 100 permit tcp any 10.2.0.0 0.0.0.255 eq 20

access-list 101 permit tcp any 10.8.0.0 0.0.0.255 eq 20
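To make the exchange concrete, here is an added Python model (not from the thread or from Packet Tracer) that walks an active-mode FTP session through the two inbound ACLs and shows which packet is dropped, and that the extra permit line suggested above only helps if it sits before the explicit deny. The server 10.2.0.2 and the ACLs are the poster's; the client address 10.8.0.5 and the ephemeral ports are assumptions.

```python
import ipaddress as ip

def endpoint(tok):
    """Consume 'any' or 'ADDR WILDCARD', then an optional 'eq PORT'; return (net, port, rest)."""
    if tok[0] == "any":
        net, tok = ip.ip_network("0.0.0.0/0"), tok[1:]
    else:  # an IOS wildcard is an inverted netmask, which ipaddress accepts as a hostmask
        net, tok = ip.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]
    port = None
    if tok[:1] == ["eq"]:  # only the port keywords that appear in the poster's ACLs are mapped
        port, tok = {"ftp": 21, "ftp-data": 20}.get(tok[1]) or int(tok[1]), tok[2:]
    return net, port, tok

def parse_acl(text):
    """Numbered extended ACL -> [(action, proto, src, sport, dst, dport, established)]."""
    rules = []
    for line in text.strip().splitlines():
        action, proto, *tok = line.split()[2:]  # drop 'access-list <number>'
        src, sport, tok = endpoint(tok)
        dst, dport, tok = endpoint(tok)
        rules.append((action, proto, src, sport, dst, dport, "established" in tok))
    return rules

def lookup(rules, src, sport, dst, dport, ack):
    """First match wins; a TCP packet matching nothing hits the implicit 'deny ip any any'."""
    for action, proto, s, sp, d, dp, est in rules:
        if (proto in ("ip", "tcp") and ip.ip_address(src) in s and ip.ip_address(dst) in d
                and sp in (None, sport) and dp in (None, dport) and (ack or not est)):
            return action  # 'established' only matches segments with the ACK (or RST) bit set
    return "deny"

# The poster's ACL 100, copied from the question; ACL 101 is its mirror image with the subnets swapped.
ACL100 = """access-list 100 permit tcp any eq 20 10.2.0.0 0.0.0.255
access-list 100 permit tcp any 10.2.0.0 0.0.0.255 eq ftp
access-list 100 permit tcp 10.2.0.0 0.0.0.255 eq 20 10.8.0.0 0.0.0.255 established
access-list 100 permit tcp 10.2.0.0 0.0.0.255 eq ftp 10.8.0.0 0.0.0.255 established
access-list 100 permit tcp 10.8.0.0 0.0.0.255 eq 20 10.2.0.0 0.0.0.255 established
access-list 100 permit tcp 10.8.0.0 0.0.0.255 eq ftp 10.2.0.0 0.0.0.255 established
access-list 100 deny ip any any"""
ACL101 = ACL100.replace("10.2.", "X.").replace("10.8.", "10.2.").replace("X.", "10.8.")

def trace_ftp_session(acl100, acl101, client="10.8.0.5", server="10.2.0.2"):
    """Active-mode FTP through the inbound ACLs: 10.8.0.0/24 traffic enters Fa0/0 (ACL 100), 10.2.0.0/24 enters Fa1/0 (ACL 101)."""
    acls = {True: parse_acl(acl100), False: parse_acl(acl101)}
    steps = [("control SYN client->server:21", client, 50000, server, 21, False),  # constructed client/ports
             ("control SYN-ACK server:21->client", server, 21, client, 50000, True),
             ("data SYN server:20->client", server, 20, client, 50001, False),  # server opens the data channel
             ("data SYN-ACK client->server:20", client, 50001, server, 20, True)]
    return [(label, lookup(acls[ip.ip_address(s) in ip.ip_network("10.8.0.0/24")], s, sp, d, dp, ack))
            for label, s, sp, d, dp, ack in steps]
```

The control channel passes both ways and ACL 101 permits the server's SYN from port 20, but the client's SYN-ACK back to port 20 matches nothing in ACL 100 and hits the deny. The suggested `access-list 100 permit tcp any 10.2.0.0 0.0.0.255 eq 20` fixes that only when placed above `deny ip any any`, because IOS appends new entries to the end of a numbered ACL.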
