
ftp access-list


jvande

MIS
Jun 6, 2001
Ok, so I have my ftp access-list as the following:
access-list 101 permit tcp any any eq 21
access-list 101 permit tcp any any eq 20
access-list 101 permit tcp any any gt 1023

FTP works fine, but what kind of access list allows all ports over 1023 to be open? Is there a way around this, an alternative way to allow FTP to work while disallowing all ports gt 1023 from being open? Because an access list with gt 1023 in it isn't much of a firewall.


Thanks much,
Josh

 
Just curious, why did you allow ports > 1023? Also is the access-list applied to the internal interface or external interface?

Jason
 
Hi, on the Cisco firewall feature set they have something called CBAC (context based access control). This is dynamic port mapping that creates a temporary opening in the access list at the firewall interface. The traffic it allows back must be part of the same session that triggered the CBAC. This would allow you to block ports above 1023 but still have FTP data access for sessions initiated from the inside of your firewall. I have not used this, but possibly someone else could enlighten us on its operation.

Bob ^^




 
Here's how I'm using CBAC.

Add the lines you need from this (probably just FTP)
to the global configuration:

ip inspect name FastEthernet_0_1 smtp
ip inspect name FastEthernet_0_1 ftp
ip inspect name FastEthernet_0_1 tcp
ip inspect name FastEthernet_0_1 udp

Then on your WAN interface add the following lines:

ip inspect FastEthernet_0_1 in
ip inspect FastEthernet_0_1 out

Note: You can use any name you want for CBAC; I chose the name of the interface it is applied to.

Hope this helps,

Niall
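An added illustration (not from this thread, and not Cisco's code): a small Python model of the difference Bob and Niall describe. A static "gt 1023" rule leaves every high port open from anywhere, whereas an inspector that watches the FTP control channel opens only the one data-channel port each PORT or PASV exchange announces, tied to that session's endpoints. The class names, the sample addresses and the FTP lines below are all constructed for the example.

```python
# Added illustration: toy CBAC-style FTP inspection versus the thread's static ACL.
# Watches PORT / PASV on the control channel and derives one pinhole per exchange.
import re
from dataclasses import dataclass, field
from typing import List, Optional
_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
_PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def _addr_port(m) -> tuple:
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2   # FTP encodes the port as p1*256+p2

@dataclass
class Pinhole:
    src_ip: str
    src_port: Optional[int]   # None = any source port
    dst_ip: str
    dst_port: int

@dataclass
class FtpInspector:
    """Mimics the temporary openings a stateful inspector adds per FTP session."""
    pinholes: List[Pinhole] = field(default_factory=list)

    def observe(self, client_ip: str, server_ip: str, line: str) -> Optional[Pinhole]:
        """Feed one control-channel line (client->server or server->client)."""
        if m := _PORT_RE.match(line):      # active mode: server connects back from port 20
            ip, port = _addr_port(m)
            if ip != client_ip:             # defensive: ignore third-party addresses
                return None
            hole = Pinhole(server_ip, 20, ip, port)
        elif m := _PASV_RE.match(line):    # passive mode: client opens the announced port
            ip, port = _addr_port(m)
            if ip != server_ip:
                return None
            hole = Pinhole(client_ip, None, ip, port)
        else:
            return None
        self.pinholes.append(hole)
        return hole

    def permits(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bool:
        """A new data connection is allowed only if it matches a session-derived pinhole."""
        return any(p.src_ip == src_ip and p.dst_ip == dst_ip and p.dst_port == dst_port
                   and p.src_port in (None, src_port) for p in self.pinholes)

def static_acl_permits(dst_port: int) -> bool:
    """The thread's ACL 101: tcp/21, tcp/20, or anything above 1023, from anywhere."""
    return dst_port in (20, 21) or dst_port > 1023
```

Real CBAC also tracks and times out these openings per session; the model only shows how they are derived and matched.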
 
I forgot that I set this up on a little-used router several months ago and it appears to work fine. After looking at this I set an explicit deny all traffic coming into the firewall from the outside.

Thanks for the reminder Bob!

Jason
 