
Need help with an ACL on a 6509 Switch

davidmoody
Level 1

I am attempting to block all FTP traffic on port 21 from the servers in my network, and only allow FTP from one server to go out.

I have created the following ACL

access-list 101 Permit ip any any

access-list 101 Permit 21 1.1.1.1 0.0.0.0 any

access-list 101 Deny 21 any any

and have applied it to my trunk VLAN that goes up to my firewall

int Vlanxxx

ip access-group 101 out

But when I test, FTP is still allowed from all servers.

Please help me as I need to have this installed by tonight Oct 4, 2012

Thanks

6 Replies 6

John Blakley
VIP Alumni

Try this:

access-list 101 permit tcp host 1.1.1.1 any eq 21

access-list 101 deny tcp any any eq 21

access-list 101 permit ip any any

If you have the 1 vlan and all of your servers are in it, you can do this in the inbound direction:

int vlanxxxx

ip access-group 101 in

ACLs read from the top down, so your first line is allowing everything through, which is effectively like not having an ACL on the interface at all. That's why everything is still allowed out.

HTH,

John

*** Please rate useful posts ***


thanks but I have many VLANs and this is the one that is trunked up to the firewall device.

Would this still work?

Yes, you'd put it in the outbound direction in that case. It would permit the single host addressed at 1.1.1.1 to go out of the vlan interface to a host on vlanxxx and then deny everyone else for ftp traffic.

HTH, John *** Please rate all useful posts ***

Hello David,

Well-known port TCP 21 is on the server side. If the server is internal to your network you would need

access-list 102 permit tcp host 1.1.1.1 eq 21 any

access-list 102 deny tcp any eq 21 any

access-list 102 permit ip any any

int vlan X

description SVI to FW

ip access-group 102 out

!

Hope to help

Giuseppe

When I attempt to use the configurations above the switch becomes unreachable, as I am attempting to do this over a VPN connection.

So the question is: do I need to insert the config as follows?

access-list 102 permit ip any any

access-list 102 permit tcp host 1.1.1.1 eq 21 any

access-list 102 deny tcp any eq 21 any

ip access-group 102 out

No. Your configuration as stated above isn't doing what you want it to do. You put your "permit ip any any" line after all of your denies because of the top-down rule and the implicit deny at the end of the ACL. Try to simplify things at first and just do the deny FTP rule and then permit everything else.

access-list 102 deny tcp any eq 21 any

access-list 102 permit ip any any

Then apply it outbound.

HTH, John *** Please rate all useful posts ***
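The two points made in this thread, John's (first matching line wins, with an implicit deny at the end, so a leading "permit ip any any" makes the rest of the list dead) and Giuseppe's (the side of the connection that carries port 21 decides whether "eq 21" belongs on the source or the destination), can be checked with a small simulator of Cisco extended ACL evaluation. The code below is an added example, not configuration or code from the thread or from Cisco; it models only permit/deny, the protocols ip/tcp/udp, "any"/"host"/wildcard addresses and "eq" ports (no "established", ranges or port names), and the outside address 203.0.113.10 and internal server 10.0.0.5 are constructed sample values.

```python
# Added example, not from the thread: a small simulator of how a Cisco extended
# ACL is evaluated (first matching line wins, implicit deny at the end), used to
# show why line order and the side that carries port 21 decide the result.
# Addresses 203.0.113.10 and 10.0.0.5 are constructed sample values.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # Wildcard bits set to 1 are "don't care"; a contiguous mask is assumed.
    prefix = 32 - bin(int(ipaddress.ip_address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False), i + 2


def _parse_port(tokens, i):
    """Optional 'eq N' after an address; None means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(lines):
    """Turn 'access-list N permit|deny proto src [eq p] dst [eq p]' lines into entries."""
    entries = []
    for line in lines:
        tokens = line.lower().split()
        if tokens[0] == "access-list":
            tokens = tokens[2:]          # drop the keyword and the list number
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
            raise ValueError(f"unsupported entry: {line}")
        src, i = _parse_addr(tokens, 2)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        entries.append((action, proto, src, sport, dst, dport))
    return entries


def evaluate(entries, pkt):
    """Return (action, index of the matching line); index None = implicit deny."""
    for idx, (action, proto, src, sport, dst, dport) in enumerate(entries):
        if proto != "ip" and proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in src:
            continue
        if sport is not None and pkt.sport != sport:
            continue
        if ipaddress.ip_address(pkt.dst) not in dst:
            continue
        if dport is not None and pkt.dport != dport:
            continue
        return action, idx
    return "deny", None


# The thread's ACLs: the original poster's line order and the two replies.
OP_ORDER = [
    "access-list 101 permit ip any any",
    "access-list 101 permit tcp host 1.1.1.1 any eq 21",
    "access-list 101 deny tcp any any eq 21",
]
JOHN = [
    "access-list 101 permit tcp host 1.1.1.1 any eq 21",
    "access-list 101 deny tcp any any eq 21",
    "access-list 101 permit ip any any",
]
GIUSEPPE = [
    "access-list 102 permit tcp host 1.1.1.1 eq 21 any",
    "access-list 102 deny tcp any eq 21 any",
    "access-list 102 permit ip any any",
]

# Constructed traffic: two internal servers opening FTP control connections to
# an outside host, and an internal FTP server answering an outside client.
FTP_FROM_ALLOWED = Packet("tcp", "1.1.1.1", "203.0.113.10", 40000, 21)
FTP_FROM_OTHER = Packet("tcp", "10.0.0.5", "203.0.113.10", 40001, 21)
REPLY_FROM_INTERNAL_FTP = Packet("tcp", "10.0.0.5", "203.0.113.10", 21, 40001)


def compare():
    """Evaluate each ACL against each sample packet; keys are (acl, packet) names."""
    acls = {"op_order": OP_ORDER, "john": JOHN, "giuseppe": GIUSEPPE}
    pkts = {"allowed": FTP_FROM_ALLOWED, "other": FTP_FROM_OTHER,
            "reply": REPLY_FROM_INTERNAL_FTP}
    return {(a, p): evaluate(parse_acl(acls[a]), pkts[p]) for a in acls for p in pkts}


if __name__ == "__main__":
    for (acl, pkt), (action, idx) in sorted(compare().items()):
        where = "implicit deny" if idx is None else f"line {idx}"
        print(f"{acl:9} {pkt:8} -> {action} ({where})")
```

Running it shows the original order permitting every packet on line 0, John's order permitting only 1.1.1.1 and denying the other server on line 1, and Giuseppe's list (port 21 on the source) leaving outbound client connections untouched while matching traffic that an internal FTP server sends from port 21, which is the case it was written for.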