10-04-2012 10:35 AM - edited 03-07-2019 09:17 AM
I am attempting to block all FTP traffic on port 21 from the servers in my network, and only allow FTP from one server to go out.
I have created the following ACL
access-list 101 Permit ip any any
access-list 101 Permit 21 1.1.1.1 0.0.0.0 any
access-list 101 Deny 21 any any
and have applied it to my trunk VLAN that goes up to my firewall
int Vlanxxx
ip access-group 101 out
But when I test, FTP is still allowed from all servers.
Please help me as I need to have this installed by tonight Oct 4, 2012
Thanks
10-04-2012 11:09 AM
Try this:
access-list 101 permit tcp host 1.1.1.1 any eq 21
access-list 101 deny tcp any any eq 21
access-list 101 permit ip any any
If you have the 1 vlan and all of your servers are in it, you can do this in the inbound direction:
int vlanxxxx
ip access-group 101 in
ACLs are read from the top down, so your first line allows everything through, which is effectively like not having an ACL on the interface at all. That's why everything is still allowed out.
HTH,
John
*** Please rate useful posts ***
10-04-2012 11:33 AM
Thanks, but I have many VLANs and this is the one that is trunked up to the firewall device.
Would this still work?
10-04-2012 11:51 AM
Yes, you'd put it in the outbound direction in that case. It would permit the single host addressed at 1.1.1.1 to go out of the vlan interface to a host on vlanxxx and then deny everyone else for ftp traffic.
10-04-2012 11:58 AM
Hello David,
Well-known port TCP 21 is on the server side. If the server is internal to your network you would need
access-list 102 permit tcp host 1.1.1.1 eq 21 any
access-list 102 deny tcp any eq 21 any
access-list 102 permit ip any any
int vlan X
description SVI to FW
ip access-group 102 out
!
Hope to help
Giuseppe
10-04-2012 12:51 PM
When I attempt to use the configurations above the switch becomes non-reachable, as I am attempting to do this over a VPN connection.
So the question is do I need to insert the config as follows
access-list 102 permit ip any any
access-list 102 permit tcp host 1.1.1.1 eq 21 any
access-list 102 deny tcp any eq 21 any
ip access-group 102 out
10-04-2012 01:32 PM
No. Your configuration as stated above isn't doing what you want it to do. You put your "permit ip any any" line after all of your denies because of the top-down rule and the implicit deny at the end of the ACL. Try to simplify things at first and just do the deny FTP rule and then permit everything else.
access-list 102 deny tcp any eq 21 any
access-list 102 permit ip any any
Then apply it outbound.
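The replies make two points worth checking rather than taking on faith: an IOS ACL is evaluated top-down with the first matching entry deciding (and an implicit deny at the end), and "eq 21" on the source address matches something different from "eq 21" on the destination. The following is an added example, not from the thread and not Cisco code: a small Python model of IOS extended-ACL evaluation applied to the three orderings discussed above. 1.1.1.1 is the thread's own placeholder for the one permitted server; every other address, the ephemeral ports and the flows themselves are constructed sample data for the demonstration.

```python
"""Model IOS extended-ACL evaluation: first matching entry wins, implicit deny at the end.

Added example, not part of the thread and not IOS itself.  1.1.1.1 is the thread's
placeholder for the permitted server; other addresses, ports and flows are made up.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str          # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches every protocol
    src: str            # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard mask)
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def _take_addr(tokens):
    """Consume one IOS address spec: any | host A | A wildcard."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def _take_port(tokens):
    """Consume an optional 'eq <port>' qualifier (other operators are not modelled)."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <n> permit|deny <proto> <src> [eq p] <dst> [eq p]'."""
    tok = line.lower().split()
    if tok[0] != "access-list":
        raise ValueError(f"not an ACE: {line!r}")
    action, proto, rest = tok[2], tok[3], tok[4:]
    src, rest = _take_addr(rest)
    sport, rest = _take_port(rest)
    dst, rest = _take_addr(rest)
    dport, rest = _take_port(rest)
    return Ace(action, proto, src, sport, dst, dport)


def _addr_matches(spec: str, addr: str) -> bool:
    a = int(ipaddress.ip_address(addr))
    if spec == "any":
        return True
    if spec.startswith("host "):
        return a == int(ipaddress.ip_address(spec.split()[1]))
    net, wildcard = spec.split()
    n, w = int(ipaddress.ip_address(net)), int(ipaddress.ip_address(wildcard))
    return (a & ~w) == (n & ~w)         # wildcard bits set to 1 are "don't care"


def _ace_matches(ace: Ace, f: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != f.proto:
        return False
    if not (_addr_matches(ace.src, f.src) and _addr_matches(ace.dst, f.dst)):
        return False
    if ace.sport is not None and ace.sport != f.sport:
        return False
    return ace.dport is None or ace.dport == f.dport


def evaluate(acl_lines, flow: Flow) -> str:
    """Walk the ACL top-down; first match decides, otherwise the implicit deny applies."""
    for line in acl_lines:
        ace = parse_ace(line)
        if _ace_matches(ace, flow):
            return ace.action
    return "deny"                       # implicit "deny ip any any" at the end of every IOS ACL


# The ordering asked about: "permit ip any any" first makes the later lines unreachable.
ACL_PERMIT_FIRST = ["access-list 102 permit ip any any",
                    "access-list 102 permit tcp host 1.1.1.1 eq 21 any",
                    "access-list 102 deny tcp any eq 21 any"]
# eq 21 on the destination: internal hosts opening FTP control connections outbound.
ACL_CLIENT_SIDE = ["access-list 101 permit tcp host 1.1.1.1 any eq 21",
                   "access-list 101 deny tcp any any eq 21",
                   "access-list 101 permit ip any any"]
# eq 21 on the source: replies from internal FTP servers to outside clients.
ACL_SERVER_SIDE = ["access-list 102 permit tcp host 1.1.1.1 eq 21 any",
                   "access-list 102 deny tcp any eq 21 any",
                   "access-list 102 permit ip any any"]

# Constructed sample flows leaving the SVI toward the firewall.
FLOWS = {
    "ftp_allowed_host": Flow("tcp", "1.1.1.1", "203.0.113.10", 40000, 21),
    "ftp_other_host":   Flow("tcp", "10.0.0.5", "203.0.113.10", 40001, 21),
    "https_other_host": Flow("tcp", "10.0.0.5", "203.0.113.10", 40002, 443),
    "ftp_server_reply": Flow("tcp", "10.0.0.5", "198.51.100.7", 21, 51000),  # 10.0.0.5 serving FTP
}
ACLS = {"permit_first": ACL_PERMIT_FIRST, "client_side": ACL_CLIENT_SIDE, "server_side": ACL_SERVER_SIDE}


def summary():
    """Verdict for each (acl name, flow name) pair."""
    return {(a, f): evaluate(acl, flow) for a, acl in ACLS.items() for f, flow in FLOWS.items()}


if __name__ == "__main__":
    for (a, f), verdict in sorted(summary().items()):
        print(f"{a:13} {f:17} {verdict}")
```

Running it shows the permit-first ordering passing every flow, the client-side ACL blocking outbound FTP from 10.0.0.5 while still letting 1.1.1.1 through, and the server-side ACL leaving those outbound connections alone but blocking 10.0.0.5 from answering as an FTP server. Which of the two you want depends on whether the goal is to stop servers from using FTP or from offering it; the two ACLs are not interchangeable even though both mention port 21. An ACL consisting only of deny lines denies everything else too, which is why the final "permit ip any any" matters.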