I'm assuming you are using an extended access list and<br>
you are filtering based on TCP traffic. On your outbound<br>
interface you need to either specify access on a port <br>
greater than 1024 or you can use ESTABLISHED. As an <br>
example, a remote client with an IP address of 10.0.0.10<br>
is accessing your FTP server with an IP address of <br>
172.0.0.10.<br>
<br>
ip access-list extended Serial0(IN)<br>
permit tcp host 10.0.0.10 host 172.0.0.10 range ftp ftp-data<br>
ip access-list extended Serial0(OUT)<br>
permit tcp host 172.0.0.10 host 10.0.0.10 established<br>
<br>
If the host 10.0.0.10 established the connection, then<br>
all tcp traffic will be permitted out of your interface.<br>
You've already defined what type of connection they are <br>
permitted to establish by the access-list on the inbound <br>
interface. This could also be configured as:<br>
<br>
ip access-list extended Serial0(IN)<br>
permit tcp host 10.0.0.10 host 172.0.0.10 range ftp ftp-data<br>
ip access-list extended Serial0(OUT)<br>
permit tcp host 172.0.0.10 host 10.0.0.10 gt 1024<br>
<br>
FTP will use a random port above 1024 for the<br>
return. All you need to do is apply either of the<br>
above access-lists to your interface:<br>
<br>
interface Serial0<br>
ip access-group Serial0(IN) in<br>
ip access-group Serial0(OUT) out<br>
<br>
Either of the above should work; give either a try.<br>
I am not an expert on access lists and find them very <br>
confusing, so any further input is welcome.<br>
<br>
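An added example, not part of the original post: a small Python model of the two outbound entries, showing which server-to-client packets each one permits. It assumes the established entry is written with the server as source and the client as destination; the packets, port numbers and function names are constructed for illustration.

```python
# Added illustration: models only the two outbound ACL variants from the post.
# The packets below are constructed samples, not captured traffic.
from collections import namedtuple

SERVER, CLIENT = "172.0.0.10", "10.0.0.10"

# flags is the set of TCP flags carried by the segment, e.g. {"SYN"}
Packet = namedtuple("Packet", "src dst sport dport flags")

def acl_established(p):
    """permit tcp host SERVER host CLIENT established"""
    # 'established' keeps no state: it matches any segment with ACK or RST set.
    return p.src == SERVER and p.dst == CLIENT and bool(p.flags & {"ACK", "RST"})

def acl_gt_1024(p):
    """permit tcp host SERVER host CLIENT gt 1024"""
    # Matches on the destination port only; TCP flags are not inspected.
    return p.src == SERVER and p.dst == CLIENT and p.dport > 1024

def evaluate(acl, p):
    # A single permit entry followed by the implicit deny that ends every ACL.
    return "permit" if acl(p) else "deny"

SAMPLES = {
    # Reply on the FTP control channel to a connection the client opened.
    "control reply": Packet(SERVER, CLIENT, 21, 40000, {"ACK", "PSH"}),
    # Active-mode FTP: the server opens the data connection from port 20.
    "active-mode data SYN": Packet(SERVER, CLIENT, 20, 40001, {"SYN"}),
    # A new connection from the server to some other high port on the client.
    "unrelated new connection": Packet(SERVER, CLIENT, 5555, 3389, {"SYN"}),
}

def compare():
    """Return {sample name: (established verdict, gt 1024 verdict)}."""
    return {name: (evaluate(acl_established, p), evaluate(acl_gt_1024, p))
            for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (est, gt) in compare().items():
        print(f"{name:26} established={est:6} gt_1024={gt}")
```

The established entry drops any segment that only carries SYN, including the server-initiated data connection of active-mode FTP, while the gt 1024 entry lets the server open new connections to any client port above 1024.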