11-05-2010 05:19 AM - edited 03-06-2019 01:54 PM
Hello, I have the following problem. I want to enable my internal LAN users to have access to FTP servers on the internet. I have created a set of access lists:
access-list 100 permit tcp any any eq ftp
access-list 100 permit tcp any any eq ftp-data
and my users can connect to the FTP login BUT when the list command is issued the connection fails. I have logged my access list output:
SEC-6-IPACCESSLOGP list 100 denied tcp 192.168.100.11(50493) -> 147.102.222.211(26884), 1 packet
and I can see that FTP automatically changes the port. How can I make it work? I have an idea to enable traffic inspection, but can I do that on a Catalyst 4507 R-E with Supervisor Engine V and Enterprise Services 12.2 IOS? I have tried to create a class map, but on the match statements the ftp or port statement is missing. Is that an IOS issue?
Anything I can do to solve the issue is very welcome.
Thanks a lot for your help.
11-05-2010 05:34 AM
Hi,
This issue is very likely caused by passive FTP.
When active FTP is used, the clients connect to port 20 and 21 of the FTP server.
With passive FTP, the data connection will be made between 2 ports > 1023.
Basically, with an ACL, the only way to get around this would be by allowing:
permit tcp any any range 1023 65535
As you will understand, this will allow any TCP connection on ports > 1023.
On the Catalyst 4507 R-E, I do not believe there is a way to specifically allow passive FTP and block other traffic.
HTH,
Bert
11-05-2010 06:32 AM
Hello, I have the following problem. I want to enable my internal LAN users to have access to FTP servers on the internet. I have created a set of access lists:
access-list 100 permit tcp any any eq ftp
access-list 100 permit tcp any any eq ftp-data
and my users can connect to the FTP login BUT when the list command is issued the connection fails. I have logged my access list output:
SEC-6-IPACCESSLOGP list 100 denied tcp 192.168.100.11(50493) -> 147.102.222.211(26884), 1 packet
and I can see that FTP automatically changes the port. How can I make it work? I have an idea to enable traffic inspection, but can I do that on a Catalyst 4507 R-E with Supervisor Engine V and Enterprise Services 12.2 IOS? I have tried to create a class map, but on the match statements the ftp or port statement is missing. Is that an IOS issue?
Anything I can do to solve the issue is very welcome.
Thanks a lot for your help.
Hi,
As per the logs it seems that the FTP negotiation is taking ports greater than 1023 after authentication; try with the below ACL:
access-list 102 permit tcp any any eq 21
access-list 102 permit tcp any eq ftp-data any gt 1023
Hope to Help !!
Ganesh.H
Remember to rate the helpful post
As Bert has already stated the reason, I was late with my reply ... that's why it was duplicated. 5 points to Bert!!
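To make the two answers above concrete, here is an added example (not from the thread or from Cisco IOS) that models first-match evaluation of the extended-ACL entries posted in this thread, restricted to the subset they use (tcp, "any" addresses, eq/gt/range port operators, implicit deny at the end). Run against the logged flow 192.168.100.11(50493) -> 147.102.222.211(26884), it shows which entries match the control channel, the passive data channel, and an active-mode data connection sourced from port 20; the port numbers and the "active data" flow are constructed sample inputs.

```python
# Added example: toy evaluator for the Cisco extended-ACL subset used in this thread.
# It is NOT IOS code; it only models "first matching entry wins, then implicit deny".
PORT_NAMES = {"ftp": 21, "ftp-data": 20}   # named ports appearing in the thread's ACLs
OPS = ("eq", "gt", "range")                # port operators appearing in the thread's ACLs

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_entry(line):
    """'[access-list N] permit|deny tcp any [op ports] any [op ports]'
    -> (action, source-port predicate, destination-port predicate)."""
    toks = line.split()
    if toks[0] == "access-list":
        toks = toks[2:]                    # drop 'access-list <number>'
    action, proto, rest = toks[0], toks[1], toks[2:]
    assert proto == "tcp", "only tcp entries are modelled"
    preds = []
    for _ in range(2):                     # source address/port, then destination
        assert rest[0] == "any", "only 'any' addresses are modelled"
        rest = rest[1:]
        if rest and rest[0] in OPS:
            op = rest[0]
            if op == "range":
                lo, hi, rest = _port(rest[1]), _port(rest[2]), rest[3:]
                preds.append(lambda p, lo=lo, hi=hi: lo <= p <= hi)
            else:
                n, rest = _port(rest[1]), rest[2:]
                preds.append((lambda p, n=n: p == n) if op == "eq" else (lambda p, n=n: p > n))
        else:
            preds.append(lambda p: True)   # no port operator: any port matches
    return action, preds[0], preds[1]

def evaluate(acl, src_port, dst_port):
    """Return 'permit' or 'deny' for a TCP flow with the given source/destination ports."""
    for line in acl:
        action, src_ok, dst_ok = parse_entry(line)
        if src_ok(src_port) and dst_ok(dst_port):
            return action
    return "deny"                          # implicit deny at the end of every ACL

# ACLs as posted in the thread, plus Bert's suggested workaround entry
ACL_100 = ["access-list 100 permit tcp any any eq ftp",
           "access-list 100 permit tcp any any eq ftp-data"]
ACL_102 = ["access-list 102 permit tcp any any eq 21",
           "access-list 102 permit tcp any eq ftp-data any gt 1023"]
PASSIVE_FIX = ["permit tcp any any range 1023 65535"]

if __name__ == "__main__":
    # Constructed flows: control channel, the passive data channel from the log, active data from port 20
    for name, src, dst in [("control", 50493, 21), ("passive data (logged)", 50493, 26884), ("active data", 20, 50493)]:
        print(f"{name:22s} ACL100={evaluate(ACL_100, src, dst):6s} ACL102={evaluate(ACL_102, src, dst):6s} "
              f"ACL100+range={evaluate(ACL_100 + PASSIVE_FIX, src, dst)}")
```

The output makes the thread's point visible: the control connection passes every ACL, the logged passive data connection (client ephemeral port to server port 26884) is only permitted once a high-port range entry like Bert's is present, and the source-port-20 entry in ACL 102 matches only active-mode data connections sourced from the server.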