Access-List Problem 2

Status
Not open for further replies.

dlord

Technical User
Joined
May 1, 2002
Messages
1
Location
CA
This is probably really simple, and I'll feel dumb when I figure it out...but does anyone know how to help me. Here is the problem.

I have an FTP server on e0 and an FTP server on e1. I must restrict access, using access lists, so that only FTP is allowed to BOTH servers. There are FTP clients on both interfaces that must FTP to the FTP server at the other interface.

The problem I'm having is with the in | out feature. I can get an FTP client on E0 to connect to an FTP server on E1 using the "access-group in" command. But...as soon as I do that, I can't connect to the FTP server on E0 using the FTP client on E1. So...I've added a second "access-group out" command, and that kills both sides.

This is what I've tried (doesn't work)

int e0
ip address 10.10.10.10 255.255.255.0
ip access-group 101 in
ip access-group 102 out

int e1
ip address 10.20.20.20 255.255.255.0

access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq ftp-data

Any help would be greatly appreciated.


 
int e0
ip address 10.10.10.10 255.255.255.0
ip access-group 101 in

int e1
ip address 10.20.20.20 255.255.255.0
ip access-group 102 in

access-list 101 permit tcp 10.10.10.10 0.0.0.0 10.20.20.20 0.0.0.0 eq ftp
access-list 101 permit tcp 10.10.10.10 0.0.0.0 10.20.20.20 0.0.0.0 eq ftp-data
access-list 102 permit tcp 10.20.20.20 0.0.0.0 10.10.10.10 0.0.0.0 eq ftp
access-list 102 permit tcp 10.20.20.20 0.0.0.0 10.10.10.10 0.0.0.0 eq ftp-data
access-list 101 remark end of the list notice
access-list 101 permit ip any any
access-list 102 remark end of the list notice
access-list 102 permit ip any any
This will allow FTP information into the interfaces.
Anyone trying to connect through FTP from either subnet won't be allowed out.
Try placing an access-group in statement on the serial link. "Out statements" deny packets out of the routing interface. "In statements" deny packets from getting into the routing interface.

You must apply it to the interface before it becomes effective, and to a group. Verify your required interface commands and group command requirements.
One additional note: older IOS versions do not recognize abbreviated terms such as www, ftp, snmp, etc. I FEEL it would be a better security style. Even good protocols carry threats. See if this might work.
 
On a side note, I have a configuration a lot like this. On my client systems I had to enable Passive FTP in order for them to connect to my server. If you haven't attempted to place the client in Passive FTP mode you might want to try that.


david e
*end users are just like computers, some you can work with...others just need a simple reBOOTing to fix their problems.*
 
Do not enable PASV FTP if not needed. If you do, limit the port ranges. In passive FTP the client will make both connections to the server, but one of them will be to a random high port. In any case, this is off topic.
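Added example, not code from the thread or from any of the posters: a small Python model of how an IOS router evaluates extended access lists (first match wins, implicit deny at the end, the in list checked on ingress and the out list on egress). It replays one FTP control connection in each direction through the configuration posted in the question, which reproduces the symptom that both sides die: the server's SYN/ACK comes back with an ephemeral destination port, so neither "eq ftp" nor "eq ftp-data" matches it. It also replays an active-mode data channel, which the server opens from port 20 towards the client, to show why the last two replies end up discussing passive FTP. The host addresses, the e0/e1 names and the ephemeral ports are constructed sample values; the "established" keyword in the FIXED variant is the standard IOS way to let reply segments through a stateless list and goes beyond what the replies themselves show.

```python
"""Stateless ACL walk-through for the FTP question in this thread.

Constructed example, not code from the thread. Host addresses, the
'e0'/'e1' names and the ephemeral client ports are sample values; the
'established' keyword is the standard IOS way to admit return traffic
through a stateless list and is an addition beyond the posted replies.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FTP, FTP_DATA = 21, 20           # IANA ports behind IOS 'eq ftp' / 'eq ftp-data'
EPHEMERAL = 40000                # constructed client-side source port


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ack: bool = False            # TCP ACK bit; a connection's first SYN lacks it


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    dst_port: Optional[int] = None     # IOS 'eq <port>' on the destination; None = any
    established: bool = False          # IOS 'established': match only ACK/RST segments


Acls = Dict[Tuple[str, str], List[Rule]]   # (interface, "in"|"out") -> rules


def acl_decision(rules: List[Rule], pkt: Packet) -> str:
    """First matching line wins; every IOS ACL ends in an implicit deny."""
    for rule in rules:
        if rule.dst_port is not None and pkt.dst_port != rule.dst_port:
            continue
        if rule.established and not pkt.ack:
            continue
        return rule.action
    return "deny"


def forward(pkt: Packet, in_if: str, out_if: str, acls: Acls) -> str:
    """Run a packet through the ingress 'in' list, then the egress 'out' list.
    An interface with no access-group in that direction passes everything."""
    if acl_decision(acls.get((in_if, "in"), [Rule("permit")]), pkt) == "deny":
        return f"denied {in_if} in"
    if acl_decision(acls.get((out_if, "out"), [Rule("permit")]), pkt) == "deny":
        return f"denied {out_if} out"
    return "forwarded"


def host_on(iface: str) -> str:
    """Constructed sample host behind each interface (not from the thread)."""
    return {"e0": "10.10.10.50", "e1": "10.20.20.50"}[iface]


def new_connection_to(client_if: str, server_if: str, port: int, acls: Acls) -> str:
    """Fate of a client's opening SYN to the given server port."""
    syn = Packet(host_on(client_if), EPHEMERAL, host_on(server_if), port)
    return forward(syn, client_if, server_if, acls)


def ftp_control_session(client_if: str, server_if: str, acls: Acls) -> Tuple[str, str]:
    """(client SYN result, server SYN/ACK result) for one control connection.
    The session only comes up when both are 'forwarded'."""
    syn_result = new_connection_to(client_if, server_if, FTP, acls)
    synack = Packet(host_on(server_if), FTP, host_on(client_if), EPHEMERAL, ack=True)
    return syn_result, forward(synack, server_if, client_if, acls)


def ftp_active_data(client_if: str, server_if: str, acls: Acls) -> str:
    """Active-mode data channel: the SERVER opens it from port 20 to the
    client's ephemeral port, so it looks like a brand-new inbound connection."""
    syn = Packet(host_on(server_if), FTP_DATA, host_on(client_if), EPHEMERAL + 1)
    return forward(syn, server_if, client_if, acls)


# The configuration posted in the question: both lists on e0, nothing on e1.
POSTED: Acls = {
    ("e0", "in"):  [Rule("permit", FTP), Rule("permit", FTP_DATA)],
    ("e0", "out"): [Rule("permit", FTP), Rule("permit", FTP_DATA)],
}

# Added variant: one inbound list per interface, plus 'established' so the
# replies to connections the list already admitted are not dropped.
FIXED: Acls = {
    ("e0", "in"): [Rule("permit", FTP), Rule("permit", FTP_DATA), Rule("permit", established=True)],
    ("e1", "in"): [Rule("permit", FTP), Rule("permit", FTP_DATA), Rule("permit", established=True)],
}

if __name__ == "__main__":
    for name, acls in (("posted", POSTED), ("fixed", FIXED)):
        print(name, "e0 client -> e1 server:", ftp_control_session("e0", "e1", acls))
        print(name, "e1 client -> e0 server:", ftp_control_session("e1", "e0", acls))
        print(name, "active data channel  :", ftp_active_data("e0", "e1", acls))
        print(name, "telnet attempt       :", new_connection_to("e0", "e1", 23, acls))
```

Under the posted lists the opening SYN is forwarded in both directions but the SYN/ACK is dropped by whichever e0 list it meets, so the control connection never completes. With one inbound list per interface and an established line, the control session comes up both ways and a non-FTP connection attempt is still refused at the ingress interface; the active-mode data channel is still dropped, because its opening SYN arrives from the server's port 20 towards a port the list has never heard of, which is the situation the passive-FTP remarks above are about.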
 