Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
681
Views
0
Helpful
3
Replies

Reflective access lists

ohareka70
Level 3
Level 3

‎06-06-2012 09:04 AM - edited ‎03-07-2019 07:06 AM

Hello,

I have an FTP server that sits behind a cisco 1801 router.  I have locked the router down with a reflective access list to only allow through port 80 and 443.  But now i want to add in ftp ports 21 and 20.  I have added them in but i cant get it working via ftp.

From the internet i can get a prompt to login to the ftp server but i dont think it has a route back.

If i plug into the LAN and give my laptop an ip address on the same range as the server (192.168.2.100) then FTP works fine - so i know the server is ok

192.168.2.100       is the IP address of FTP server

1.2.3.4                 is BT external address

could someone take a look at my config please?

regards,

Kevin

Labels:
129313-reflective ACL.txt.zip
0 Helpful
3 Replies 3

Kevin P Sheahan
Level 5
Level 5

‎06-06-2012 09:40 AM

Your config looks fine, when this is attempted from the outside do you see any hits/timers on ACE's for access-list FTPOUTB?

If so, please paste what you see.

Kind Regards,

Kevin

**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.

Kind Regards, Kevin Sheahan, CCIE # 41349
0 Helpful

ohareka70
Level 3
Level 3
In response to Kevin P Sheahan

‎06-07-2012 02:11 AM

I am getting matches on ftp coming in but nothing going back.  Should FTPOUT be renamed FTPIN2?

rtr#sh access-lists


Extended IP access list d0_in
    100 permit tcp any host 1.2.3.4 eq www log reflect WWWIN2 (12903 matches)
    110 permit tcp any host 1.2.3.4 eq 443 log reflect HTTPS_IN2 (9 matches)
    180 permit tcp any host 1.2.3.4 eq ftp log reflect FTPIN2 (88 matches)

Extended IP access list d0_out
    100 permit tcp host 1.2.3.4 any eq www log reflect WWWOUT (553 matches)
    110 permit tcp host 1.2.3.4 any eq 443 log reflect HTTPSOUT (369 matches)
    120 permit udp host 1.2.3.4 any eq domain log reflect DNSUDP (149 matches)
    80  permit tcp host 1.2.3.4 any eq ftp log reflect FTPOUT
    170 permit tcp host 1.2.3.4 any eq ftp-data log reflect FTPOUTB

0 Helpful

ohareka70
Level 3
Level 3
In response to ohareka70

‎06-07-2012 05:54 AM

More info: if i put in the following my ftp to the outside works.

#ip access-list extended d0_out

  permit tcp host 1.2.3.4 any

But i dont want to open it up to IP.  I want to lock it down to ftp, www and 443 only.  Its just the ftp thats causing me problems.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card