
Access List to allow FTP and Ping


bjh60
IS-IT--Management
Jan 17, 2002
I am looking to define an access list to do the following:

Allow FTP traffic from one network to another
Allow ICMP Ping from one network to another
Allow NOTHING ELSE.

Networks are 172.28.1.0 255.255.255.0 and
172.28.2.0 255.255.255.0

I keep trying different things, but end up locking myself up.
Any help would be appreciated.

Thanks
 
access-list 101 permit tcp 172.28.1.0 0.0.0.255 172.28.2.0 0.0.0.255 eq 20
access-list 101 permit tcp 172.28.1.0 0.0.0.255 172.28.2.0 0.0.0.255 eq 21
access-list 101 permit icmp 172.28.1.0 0.0.0.255 172.28.2.0 0.0.0.255 echo

The rest of the traffic will be denied because the router automatically discards unmatched traffic.
 
Where would I apply this access-list - and would it be out or in?

Thanks
 
What side of the router are you on? Are you consoled into the router or VTY?

If you are VTY, you can't just add those access-lists and expect it to allow you access to the router. By applying those to the interfaces, you have locked yourself out of the system--you are not on the access-list. Add another access-list and apply it to your VTY connections:

access-list 103 permit ip <your pc ip> 0.0.0.0 any

I would apply the following "inbound" access-lists to the applicable interfaces this way:

172.28.1.x interface
access-list 101 permit tcp 172.28.1.0 0.0.0.255 172.28.2.0 0.0.0.255 eq 20
access-list 101 permit tcp 172.28.1.0 0.0.0.255 172.28.2.0 0.0.0.255 eq 21
access-list 101 permit icmp 172.28.1.0 0.0.0.255 172.28.2.0 0.0.0.255 echo

172.28.2.x interface
access-list 102 permit tcp 172.28.2.0 0.0.0.255 172.28.1.0 0.0.0.255 eq 20
access-list 102 permit tcp 172.28.2.0 0.0.0.255 172.28.1.0 0.0.0.255 eq 21
access-list 102 permit icmp 172.28.2.0 0.0.0.255 172.28.1.0 0.0.0.255 echo



bob
 
Remember, allowing ports 20 and 21 will allow PASSIVE FTP only, not active FTP...

Here is why.

Passive,
client >1023 to 21 Server
Client >1023 to 21 server

Active
client >1023 to 21 Server
server 21 to >1023 client

In active mode, the server actually establishes the return connection.

This is all from memory, so I may be a little off...
 
I would check these two sources before deciding what to do about that. There seems to be some questions about the security of that type of statement in a filter list.

Since they are both private networks, access-lists 101 and 102 should cover your needs just fine. If not, just add "EST" to the end of the access-list statement lines, i.e. access-list 102 permit tcp 172.28.2.0 0.0.0.255 172.28.1.0 0.0.0.255 eq 20 est



Source 1

Source 2

Let me know what happens.

bob
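The thread above turns on how an extended ACL is actually evaluated: first match wins, anything unmatched hits the implicit deny, "eq" qualifies the destination port, and "established" only matches TCP segments that carry ACK or RST (replies, never a fresh SYN). The following is an added example, not code from the thread or from Cisco; it is a small Python model of that evaluation, run over the access-lists 101, 102 and 103 posted above (the "<your pc ip>" placeholder is filled with a constructed address, 172.28.1.10, and the "established" line in ACL_102_EST is a constructed variant, not a line from the thread). The sample packets are constructed too. It shows why a VTY session through the filtered interface is cut off by the implicit deny, why a ping reply coming back through interface 172.28.2.x is dropped by ACL 102, and which packets an "established" entry does and does not let back in.

```python
"""Toy evaluator for Cisco-style numbered extended ACLs (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""        # "echo", "echo-reply", ...
    ack: bool = False          # TCP ACK/RST bit set -> belongs to an existing session


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: int
    src_wild: int              # wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wild: int
    dport: Optional[int] = None
    icmp_type: Optional[str] = None
    established: bool = False


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _addr_spec(toks, i):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (addr, wildcard, next index)."""
    if toks[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if toks[i] == "host":
        return _ip(toks[i + 1]), 0, i + 2
    return _ip(toks[i]), _ip(toks[i + 1]), i + 2


def parse_rule(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT] [ICMPTYPE] [est|established]'."""
    toks = line.split()
    if toks[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = toks[2], toks[3]
    src, src_wild, i = _addr_spec(toks, 4)
    dst, dst_wild, i = _addr_spec(toks, i)
    dport, icmp_type, est = None, None, False
    while i < len(toks):
        if toks[i] == "eq":            # port qualifier after the destination = destination port
            dport, i = int(toks[i + 1]), i + 2
        elif toks[i] in ("est", "established"):
            est, i = True, i + 1
        elif proto == "icmp":          # e.g. "echo" or "echo-reply"
            icmp_type, i = toks[i], i + 1
        else:
            raise ValueError(f"unsupported token {toks[i]!r} in {line!r}")
    return Rule(action, proto, src, src_wild, dst, dst_wild, dport, icmp_type, est)


def _match_addr(pkt_ip, rule_ip, wildcard):
    # Bits set in the wildcard are ignored; every other bit must be equal.
    return ((pkt_ip ^ rule_ip) & ~wildcard & 0xFFFFFFFF) == 0


def matches(rule, pkt):
    if rule.proto not in ("ip", pkt.proto):
        return False
    if not (_match_addr(_ip(pkt.src), rule.src, rule.src_wild)
            and _match_addr(_ip(pkt.dst), rule.dst, rule.dst_wild)):
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.icmp_type is not None and pkt.icmp_type != rule.icmp_type:
        return False
    if rule.established and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return True


def evaluate(acl_lines, pkt):
    """First matching entry decides; an unmatched packet hits the implicit deny."""
    for line in acl_lines:
        if matches(parse_rule(line), pkt):
            return parse_rule(line).action
    return "deny (implicit)"


# ACL lines as posted in the thread.
ACL_101 = [
    "access-list 101 permit tcp 172.28.1.0 0.0.0.255 172.28.2.0 0.0.0.255 eq 20",
    "access-list 101 permit tcp 172.28.1.0 0.0.0.255 172.28.2.0 0.0.0.255 eq 21",
    "access-list 101 permit icmp 172.28.1.0 0.0.0.255 172.28.2.0 0.0.0.255 echo",
]
ACL_102 = [
    "access-list 102 permit tcp 172.28.2.0 0.0.0.255 172.28.1.0 0.0.0.255 eq 20",
    "access-list 102 permit tcp 172.28.2.0 0.0.0.255 172.28.1.0 0.0.0.255 eq 21",
    "access-list 102 permit icmp 172.28.2.0 0.0.0.255 172.28.1.0 0.0.0.255 echo",
]
# Constructed variant: ACL 102 plus a return-traffic entry using the 'established' keyword.
ACL_102_EST = ACL_102 + ["access-list 102 permit tcp 172.28.2.0 0.0.0.255 172.28.1.0 0.0.0.255 established"]
# ACL 103 from the thread with the "<your pc ip>" placeholder filled with a constructed address.
ACL_103 = ["access-list 103 permit ip 172.28.1.10 0.0.0.0 any"]


def verdicts():
    """Run constructed sample packets through the ACLs; keys name the scenario."""
    return {
        "ftp_control_out_101":  evaluate(ACL_101, Packet("tcp", "172.28.1.10", "172.28.2.20", 40000, 21)),
        "ping_out_101":         evaluate(ACL_101, Packet("icmp", "172.28.1.10", "172.28.2.20", icmp_type="echo")),
        "ping_reply_in_102":    evaluate(ACL_102, Packet("icmp", "172.28.2.20", "172.28.1.10", icmp_type="echo-reply")),
        "vty_to_router_101":    evaluate(ACL_101, Packet("tcp", "172.28.1.10", "172.28.1.1", 40001, 23)),
        "ftp_ctl_reply_102":    evaluate(ACL_102, Packet("tcp", "172.28.2.20", "172.28.1.10", 21, 40000, ack=True)),
        "ftp_ctl_reply_102est": evaluate(ACL_102_EST, Packet("tcp", "172.28.2.20", "172.28.1.10", 21, 40000, ack=True)),
        "active_data_syn_est":  evaluate(ACL_102_EST, Packet("tcp", "172.28.2.20", "172.28.1.10", 20, 40002)),
        "vty_from_admin_103":   evaluate(ACL_103, Packet("tcp", "172.28.1.10", "172.28.1.1", 40003, 23)),
        "vty_from_other_103":   evaluate(ACL_103, Packet("tcp", "172.28.1.99", "172.28.1.1", 40004, 23)),
    }


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:24s} {verdict}")
```

The two results worth dwelling on: the FTP control reply (server port 21 back to the client's high port) is dropped by ACL 102 as posted, because "eq 21" tests the destination port, and it only passes once an "established" entry is present; the active-mode data connection (a new SYN from server port 20) is dropped even with "established", since a SYN carries no ACK. That is the behaviour the active/passive post describes, and it is why a stateless filter for FTP has to be checked against both directions of every connection before it is applied to a VTY-reachable interface.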
 