03-21-2023 10:44 PM
Hello, experiencing issues setting up an access list for two of 4 subnetworks on a PT-Router in Cisco Packet Tracer.
The goal of the below acls is to permit a device in the 10.8.0.X/24 subnet to communicate to the file server in the subnet 10.2.0.X/24 for ftp services only and vice versa.
10.8.0.2 and 10.2.0.2 are file server ips for their respective subnet.
These access-lists work to set up the connection between client and server; however, after logging in to use FTP commands such as "put" or "dir", I receive the following errors for any device on either of the subnets.
%Error opening ftp://10.2.0.2/ (Timed out)
%Error opening ftp://10.8.0.2/ (Timed out)
What could be the possible error or omission in the below acls?
access-list 100 permit tcp any eq 20 10.2.0.0 0.0.0.255
access-list 100 permit tcp any 10.2.0.0 0.0.0.255 eq ftp
access-list 100 permit tcp 10.2.0.0 0.0.0.255 eq 20 10.8.0.0 0.0.0.255 established
access-list 100 permit tcp 10.2.0.0 0.0.0.255 eq ftp 10.8.0.0 0.0.0.255 established
access-list 100 permit tcp 10.8.0.0 0.0.0.255 eq 20 10.2.0.0 0.0.0.255 established
access-list 100 permit tcp 10.8.0.0 0.0.0.255 eq ftp 10.2.0.0 0.0.0.255 established
access-list 100 deny ip any any
access-list 101 permit tcp any eq 20 10.8.0.0 0.0.0.255
access-list 101 permit tcp any 10.8.0.0 0.0.0.255 eq ftp
access-list 101 permit tcp 10.8.0.0 0.0.0.255 eq 20 10.2.0.0 0.0.0.255 established
access-list 101 permit tcp 10.8.0.0 0.0.0.255 eq ftp 10.2.0.0 0.0.0.255 established
access-list 101 permit tcp 10.2.0.0 0.0.0.255 eq 20 10.8.0.0 0.0.0.255 established
access-list 101 permit tcp 10.2.0.0 0.0.0.255 eq ftp 10.8.0.0 0.0.0.255 established
access-list 101 deny ip any any
interface FastEthernet0/0
ip access-group 100 in
interface FastEthernet1/0
ip access-group 101 in
03-22-2023 02:58 AM
change the direction of ACL and try again
03-22-2023 03:27 AM
Hi
You can add your pkt file here, which makes it easier to help. You need to zip it first.
But looking at the config, I'd say you may need to change something.
The ACL is based on source and destination. When you put it like this: access-list 100 permit tcp any eq 20 10.2.0.0 0.0.0.255
you are allowing hosts from anywhere to start a connection from port 20 to hosts on network 10.2.0.0.
access-list 100 permit tcp any 10.2.0.0 0.0.0.255 eq ftp
And here you are allowing hosts from anywhere to establish a connection to network 10.2.0.0 on port 21.
I'd put one more line like this:
access-list 100 permit tcp any 10.2.0.0 0.0.0.255 eq 20
access-list 101 permit tcp any 10.8.0.0 0.0.0.255 eq 20
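Added example, not part of this thread and not Cisco code: a small Python model of how an extended numbered ACL is evaluated (entries checked top to bottom, first match wins, no match is the implicit deny, "established" matches only segments with ACK or RST set, a 1 bit in the wildcard mask means "don't care"). It runs the packets of an FTP session through the ACLs posted in the first message and again with the two "eq 20" entries suggested in the reply above. It assumes that ACL 100 is applied inbound on the interface facing 10.8.0.0/24 and ACL 101 on the interface facing 10.2.0.0/24 (the thread does not say which FastEthernet port faces which subnet), that the FTP client sits at a constructed address 10.8.0.10, and that the ephemeral port numbers shown are constructed; the model is TCP-only and handles only "eq" port matches, which is all these ACLs use.

```python
from ipaddress import IPv4Address
from typing import Dict, List, NamedTuple, Optional, Tuple

PORT_NAMES = {"ftp": 21, "ftp-data": 20}   # names IOS accepts after "eq"
ANY = (0, 0xFFFFFFFF)                       # "any" = 0.0.0.0 with wildcard 255.255.255.255
# A TCP segment, which is all this thread needs; flags is e.g. frozenset({"SYN", "ACK"}).
Packet = NamedTuple("Packet", [("src", str), ("sport", int), ("dst", str),
                               ("dport", int), ("flags", frozenset)])

def _addr(t, i):  # 'any' or 'A.B.C.D W.X.Y.Z' at token i -> ((network, wildcard), next i)
    if t[i] == "any":
        return ANY, i + 1
    return (int(IPv4Address(t[i])), int(IPv4Address(t[i + 1]))), i + 2

def _port(t, i):  # optional 'eq <number|name>' at token i -> (port or None, next i)
    if i < len(t) and t[i] == "eq":
        return PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return None, i

def parse_acls(config: str) -> Dict[str, List[tuple]]:
    """Group 'access-list N ...' lines by N in order. Each entry becomes
    (action, src, sport, dst, dport, established); the protocol token is not
    modelled because every packet here is TCP, so 'ip' behaves like port-less tcp."""
    acls: Dict[str, List[tuple]] = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        est = i < len(t) and t[i] == "established"
        acls.setdefault(t[1], []).append((t[2], src, sport, dst, dport, est))
    return acls

def _in_net(spec, ip):  # a 1 bit in the wildcard mask means "don't care"
    net, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return int(IPv4Address(ip)) & care == net & care

def _matches(entry, p: Packet) -> bool:
    _, src, sport, dst, dport, est = entry
    return (_in_net(src, p.src) and _in_net(dst, p.dst)
            and sport in (None, p.sport) and dport in (None, p.dport)
            and (not est or bool(p.flags & {"ACK", "RST"})))  # 'established' = ACK or RST set

def evaluate(entries: list, p: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry decides; no match is the implicit deny, reported as index None."""
    for idx, entry in enumerate(entries):
        if _matches(entry, p):
            return entry[0], idx
    return "deny", None

# The ACLs as posted in the first message.
POSTED_ACLS = """
access-list 100 permit tcp any eq 20 10.2.0.0 0.0.0.255
access-list 100 permit tcp any 10.2.0.0 0.0.0.255 eq ftp
access-list 100 permit tcp 10.2.0.0 0.0.0.255 eq 20 10.8.0.0 0.0.0.255 established
access-list 100 permit tcp 10.2.0.0 0.0.0.255 eq ftp 10.8.0.0 0.0.0.255 established
access-list 100 permit tcp 10.8.0.0 0.0.0.255 eq 20 10.2.0.0 0.0.0.255 established
access-list 100 permit tcp 10.8.0.0 0.0.0.255 eq ftp 10.2.0.0 0.0.0.255 established
access-list 100 deny ip any any
access-list 101 permit tcp any eq 20 10.8.0.0 0.0.0.255
access-list 101 permit tcp any 10.8.0.0 0.0.0.255 eq ftp
access-list 101 permit tcp 10.8.0.0 0.0.0.255 eq 20 10.2.0.0 0.0.0.255 established
access-list 101 permit tcp 10.8.0.0 0.0.0.255 eq ftp 10.2.0.0 0.0.0.255 established
access-list 101 permit tcp 10.2.0.0 0.0.0.255 eq 20 10.8.0.0 0.0.0.255 established
access-list 101 permit tcp 10.2.0.0 0.0.0.255 eq ftp 10.8.0.0 0.0.0.255 established
access-list 101 deny ip any any
"""
# The entries suggested in the last reply, spliced in ABOVE each 'deny ip any any'.
# A plain 'access-list N ...' command appends after the deny, where they could never match.
FIX_100 = "access-list 100 permit tcp any 10.2.0.0 0.0.0.255 eq 20"
FIX_101 = "access-list 101 permit tcp any 10.8.0.0 0.0.0.255 eq 20"
FIXED_ACLS = (POSTED_ACLS.replace("access-list 100 deny", FIX_100 + "\naccess-list 100 deny")
              .replace("access-list 101 deny", FIX_101 + "\naccess-list 101 deny"))
CLIENT, SERVER = "10.8.0.10", "10.2.0.2"  # 10.2.0.2 is from the thread; the client address is constructed

def acl_number_for(p: Packet) -> str:
    """Assumed placement: ACL 100 inbound on the 10.8.0.0/24 interface and ACL 101 on
    the 10.2.0.0/24 one, so a packet is checked by the ACL of the subnet it comes from."""
    return "100" if _in_net((int(IPv4Address("10.8.0.0")), 255), p.src) else "101"

def ftp_session() -> List[Tuple[str, Packet]]:
    """Constructed packets: control handshake, active-mode data channel opened from
    server port 20, and one passive-mode data SYN towards an ephemeral server port."""
    syn, synack = frozenset({"SYN"}), frozenset({"SYN", "ACK"})
    return [
        ("control SYN client->server:21", Packet(CLIENT, 49152, SERVER, 21, syn)),
        ("control SYN/ACK server:21->client", Packet(SERVER, 21, CLIENT, 49152, synack)),
        ("active data SYN server:20->client", Packet(SERVER, 20, CLIENT, 50001, syn)),
        ("active data SYN/ACK client->server:20", Packet(CLIENT, 50001, SERVER, 20, synack)),
        ("passive data SYN client->server:40000", Packet(CLIENT, 50002, SERVER, 40000, syn)),
    ]

def trace(config: str) -> Dict[str, Tuple[str, Optional[int]]]:
    """Run each session packet through the ACL it would hit: label -> (action, entry index)."""
    acls = parse_acls(config)
    return {label: evaluate(acls[acl_number_for(p)], p) for label, p in ftp_session()}

if __name__ == "__main__":
    for name, cfg in (("as posted", POSTED_ACLS), ("with the eq 20 entries", FIXED_ACLS)):
        print(name, *(f"{a:6} entry={i}  {label}" for label, (a, i) in trace(cfg).items()), sep="\n  ")
```

With the ACLs as posted, the control connection passes (entry 1 of ACL 100, then the "eq ftp ... established" entry of ACL 101 for the reply), and the server's data SYN from port 20 passes ACL 101 on its first entry. The client's SYN/ACK back towards server port 20, however, carries an ephemeral source port, so neither the "eq 20" source-port entries nor the "eq ftp" entry of ACL 100 match it, and it falls through to "deny ip any any"; the data channel never completes, which is what the "Timed out" error after login looks like. With the suggested "permit tcp any 10.2.0.0 0.0.0.255 eq 20" placed before the deny, that segment matches and the active-mode transfer goes through. The last packet in the trace shows the remaining caveat: in passive mode the server opens an ephemeral data port, so these port-20/21 entries deny it under both configurations, and a passive client would need either a permitted port range or stateful inspection instead of "established".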