
Access list to allow ftp 1

Status
Not open for further replies.

hinesjrh (MIS), Jan 4, 2005
I currently have the following access lists in place on a remote router (10.27.0.1 255.255.255.0). I need to add the ability to allow FTP from this remote router to a server in my DMZ (10.253.0.0 255.255.0.0) at my host data center location. We've installed a temporary job-site camera at the remote site (10.27.0.62), and we want to transfer images via FTP back to our FTP server here. I attempted to add

access-list 101 permit tcp host 10.27.0.62 host 10.253.0.95 eq ftp
access-list 101 permit tcp host 10.27.0.62 host 10.253.0.95 eq ftp-data

but then I lost web access to the camera and to my servers there. What do my 'permit' statement(s) need to look like?

access-list 101 permit udp any any eq 47808
access-list 101 deny udp any any eq 8998 log
access-list 101 deny tcp any any eq 402 log
access-list 101 deny tcp any any range 666 765 log
access-list 101 deny udp any any eq 707 log
access-list 101 permit udp any host 10.1.1.119 eq tftp
access-list 101 permit udp any host 172.20.1.100 eq tftp
access-list 101 permit udp any host 172.20.1.101 eq tftp
access-list 101 permit udp any host 10.1.1.119 eq syslog
access-list 101 deny udp any any eq tftp log
access-list 101 permit tcp any host 10.1.0.150 eq 135
access-list 101 permit tcp any host 10.1.0.152 eq 135
access-list 101 permit tcp any host 10.1.0.154 eq 135
access-list 101 permit tcp any host 10.1.0.92 eq 135
access-list 101 permit tcp 10.0.0.16 0.255.0.0 any eq 135
access-list 101 permit tcp any host 10.253.0.65 eq 135
access-list 101 permit tcp any host 10.253.0.66 eq 135
access-list 101 permit tcp any host 10.1.0.65 eq 135
access-list 101 permit tcp any host 10.1.0.66 eq 135
access-list 101 permit tcp any host 10.253.0.126 eq 135
access-list 101 deny tcp any any eq 135 log
access-list 101 permit icmp any host 10.1.1.119
access-list 101 permit icmp host 10.1.1.119 any
access-list 101 permit icmp any host 10.1.0.134
access-list 101 permit icmp any host 10.1.1.172
access-list 101 permit icmp host 10.1.1.172 any
access-list 101 permit icmp any host 10.253.0.65
access-list 101 permit icmp any host 10.253.0.66
access-list 101 permit icmp any host 10.1.0.65
access-list 101 permit icmp any host 10.1.0.66
access-list 101 permit icmp any host 10.1.0.150
access-list 101 permit icmp any host 10.1.0.152
access-list 101 permit icmp any host 10.1.0.154
access-list 101 permit icmp any host 10.253.0.126
access-list 101 permit icmp 10.0.0.16 0.255.0.0 any
access-list 101 deny icmp any any log
access-list 101 permit ip any any

access-list 102 permit udp any any eq 47808
access-list 102 deny tcp any any range 666 765 log
access-list 102 deny udp any any eq 707 log
access-list 102 deny udp any any eq 995 log
access-list 102 deny udp any any eq 996 log
access-list 102 deny udp any any eq 997 log
access-list 102 deny udp any any eq 998 log
access-list 102 deny udp any any eq 999 log
access-list 102 permit ip any any

interface Multilink1
ip address 65.119.164.170 255.255.255.252
ip access-group 102 in
ip access-group 101 out
ip nbar protocol-discovery
ppp multilink
ppp multilink group 1
service-policy output WAN-EDGE

 
permit ip host host

That will permit all traffic from host to host, then nothing else, as there is an implicit deny any any at the end, and so all that is written in the ACL will be allowed (unless it is denied specifically by the ACL), and everything else not mentioned in the ACL gets dropped like it's hot... lol... can't believe I just said that... someone smack me in the head...

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
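The two replies in this thread turn on how IOS walks a numbered extended ACL: top to bottom, first match wins, and a packet that matches nothing hits the implicit deny. The ACL 101 posted above ends with "permit ip any any", and entries typed as "access-list 101 ..." at the CLI are appended after that line, so they can never be the first match; the implicit deny only bites if the list is rebuilt without that final permit. The script below is an added worked example (not code from the thread or from Cisco): a small first-match evaluator for the ACL syntax used on this page, fed an excerpt of the poster's ACL 101, the two FTP lines from the question, and a constructed what-if list with the final permit left out. The data-centre address 10.253.0.10 and the client ports are made up for the test packets.

```python
"""First-match evaluator for the IOS numbered extended ACL syntax used above.

Added illustration, not code from the thread. Handles the forms on this page:
protocol ip/tcp/udp/icmp, "any" / "host A" / "A WILDCARD" addresses, optional
"eq PORT" or "range LO HI" on source or destination, and a trailing "log".
Anything matching no entry falls through to the implicit deny.
"""
import ipaddress

PORT_NAMES = {"ftp": 21, "ftp-data": 20, "tftp": 69, "syslog": 514, "www": 80}

def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def _parse_addr(toks, i):
    """Read an address spec at toks[i]; return ((network, wildcard), next index)."""
    if toks[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if toks[i] == "host":
        return (int(ipaddress.IPv4Address(toks[i + 1])), 0), i + 2
    net, wild = (int(ipaddress.IPv4Address(t)) for t in toks[i:i + 2])
    return (net, wild), i + 2

def _parse_port(toks, i):
    """Read an optional port spec at toks[i]; return ((lo, hi) or None, next index)."""
    if i < len(toks) and toks[i] == "eq":
        return (_port(toks[i + 1]),) * 2, i + 2
    if i < len(toks) and toks[i] == "range":
        return (_port(toks[i + 1]), _port(toks[i + 2])), i + 3
    return None, i

def parse_acl(text):
    """Parse 'access-list N action proto src [port] dst [port] [log]' lines in order."""
    entries = []
    for line in text.strip().splitlines():
        toks = line.split()
        if len(toks) < 6 or toks[0] != "access-list":
            continue
        src, i = _parse_addr(toks, 4)
        sport, i = _parse_port(toks, i)
        dst, i = _parse_addr(toks, i)
        dport, i = _parse_port(toks, i)
        entries.append({"action": toks[2], "proto": toks[3], "src": src, "sport": sport,
                        "dst": dst, "dport": dport, "text": line.strip(),
                        "log": i < len(toks) and toks[i] == "log"})
    return entries

def _addr_match(spec, ip):
    net, wild = spec  # bits set in the wildcard are "don't care"
    return (int(ipaddress.IPv4Address(ip)) & ~wild) == (net & ~wild)

def _port_match(spec, port):
    return spec is None or (port is not None and spec[0] <= port <= spec[1])

def evaluate(acl_text, proto, src, dst, sport=None, dport=None):
    """Return (action, entry text) for the first entry the packet matches, as IOS does."""
    for e in parse_acl(acl_text):
        if e["proto"] in ("ip", proto) and _addr_match(e["src"], src) \
                and _addr_match(e["dst"], dst) and _port_match(e["sport"], sport) \
                and _port_match(e["dport"], dport):
            return e["action"], e["text"]
    return "deny", "implicit deny at end of access-list"

# Excerpt of ACL 101 as posted, in posted order, before any FTP lines were added.
ACL_101 = """
access-list 101 permit tcp any host 10.253.0.65 eq 135
access-list 101 permit tcp 10.0.0.16 0.255.0.0 any eq 135
access-list 101 deny tcp any any eq 135 log
access-list 101 permit icmp any host 10.1.1.119
access-list 101 deny icmp any any log
access-list 101 permit ip any any
"""
FTP_LINES = """
access-list 101 permit tcp host 10.27.0.62 host 10.253.0.95 eq ftp
access-list 101 permit tcp host 10.27.0.62 host 10.253.0.95 eq ftp-data
"""
# Entering "access-list 101 ..." at the CLI appends, so the FTP entries land last.
ACL_101_APPENDED = ACL_101 + FTP_LINES
# Constructed what-if: list rebuilt with the FTP lines first but the final permit left out.
ACL_101_NO_FINAL_PERMIT = FTP_LINES + ACL_101.replace("access-list 101 permit ip any any\n", "")

if __name__ == "__main__":
    # Camera opening the FTP control channel to the DMZ server (addresses from the post).
    print(evaluate(ACL_101_APPENDED, "tcp", "10.27.0.62", "10.253.0.95", 40000, 21))
    # HTTP reply from the camera to a data-centre host (10.253.0.10 is a made-up address).
    print(evaluate(ACL_101, "tcp", "10.27.0.62", "10.253.0.10", 80, 50000))
    print(evaluate(ACL_101_NO_FINAL_PERMIT, "tcp", "10.27.0.62", "10.253.0.10", 80, 50000))
```

Run as-is it shows the FTP control packet landing on "permit ip any any" even with the FTP entries appended, the camera's HTTP reply permitted by the same line on the posted list, and the same reply dropped by the implicit deny on the what-if list, which is the symptom the question describes. The evaluator covers only the keywords that appear on this page; "established", "neq", "gt"/"lt" and ICMP type names are not modelled.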
 
access-list 101 permit tcp host x.x.x.x host y.y.y.y eq 21

That's it. The nomenclature is access-list permit/deny from-ip-address to-ip-address eq-port-number/port-name

 