Tek-Tips Forums

ACL FTP not working

Status
Not open for further replies.

dvtestguy
Configured ACLs for firewalls, and FTP is/isn't working? I can FTP to Server2; however, I cannot use half the commands, i.e., ftp> ls, ftp> get, etc.

ftp> ls
200 PORT command successful (this is where it hangs).

I thought using both ftp-data tcp/udp would work?

Any ideas?

Server1 10.15.8.240 <-> 7513 NAT <-> 7204 ACL Firewall <-> Server2 10.115.28.20/10.15.12.40 (NAT)

access-list 102 permit icmp 10.0.0.0 0.255.255.255 any
access-list 102 permit tcp any 10.0.0.0 0.255.255.255 established
access-list 102 deny ip any any
access-list 103 permit udp host 10.10.1.10 eq ntp any
access-list 103 permit icmp 10.0.0.0 0.255.255.255 any
access-list 103 permit tcp host 10.15.8.240 host 10.115.28.20 eq telnet
access-list 103 permit tcp host 10.15.8.240 host 10.115.28.20 eq ftp
access-list 103 permit tcp host 10.15.8.240 host 10.115.28.20 eq ftp-data
access-list 103 permit udp host 10.15.8.240 host 10.115.28.20 eq ftp-data
access-list 103 permit tcp 10.115.28.20 255.255.255.255 host 10.15.8.240 eq 80
access-list 103 permit tcp any 10.0.0.0 0.255.255.255 established
access-list 103 deny ip any any
 
Do you know if your server is using passive or active FTP? Each behaves slightly differently, but whichever mode you have may influence what ports you need to open.

In both modes, the FTP client initiates a connection to the server's control port (21). But this is where active and passive differ: in active mode, the server responds back to the client directly, whereas in passive mode, the client initiates a connection to a random high port on the server to initiate a data transfer.

So if you are using passive mode (a lot of FTP servers do, by the way), try adding the following as well:

access-list 103 permit tcp host 10.15.8.240 host 10.115.28.20 gt 1023
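Added example, not part of the thread: a small Python model of the two data-channel handshakes KiscoKid describes, evaluated against the ACLs dvtestguy posted using Cisco IOS first-match, wildcard-mask and `established` semantics. It assumes ACL 103 filters Server1 -> Server2 traffic and ACL 102 the return direction (the post does not say which interfaces they sit on), ignores the NAT hop, and uses constructed PORT/227 control lines plus an assumed client-side port. It goes one step beyond the reply by also showing the permit an active-mode transfer would need on the return ACL; that line, `ACTIVE_FIX`, is the example's own, not from the thread.

```python
"""Active vs passive FTP data channels checked against the posted ACLs.
Added example; assumes ACL 103 faces Server1->Server2 and ACL 102 faces
Server2->Server1.  PORT/227 lines and the client port are constructed."""
import ipaddress
import re

CLIENT = "10.15.8.240"   # Server1, the ftp client (from the post)
SERVER = "10.115.28.20"  # Server2, the ftp server (from the post)
EPHEMERAL = 40001        # assumed client-side source port for passive mode
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "telnet": 23, "ntp": 123}


def parse_hostport(csv):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and the 227 reply (RFC 959)."""
    h1, h2, h3, h4, p1, p2 = map(int, csv.split(","))
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_channel_syn(control_line):
    """Return (proto, src_ip, src_port, dst_ip, dst_port, direction) for the SYN
    that opens the data connection implied by one control-channel line.
    Active: the client sends PORT and the *server* connects from TCP/20.
    Passive: the server answers PASV with 227 and the *client* connects."""
    m = re.match(r"PORT ([\d,]+)", control_line)
    if m:
        ip, port = parse_hostport(m.group(1))
        return ("tcp", SERVER, 20, ip, port, "server->client")
    m = re.match(r"227 .*\(([\d,]+)\)", control_line)
    if m:
        ip, port = parse_hostport(m.group(1))
        return ("tcp", CLIENT, EPHEMERAL, ip, port, "client->server")
    raise ValueError("expected a PORT command or a 227 reply")


def _addr(tokens):
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))


def _port(tokens):
    """Consume an optional 'eq|gt|lt|neq PORT' operator (name or number)."""
    if tokens and tokens[0] in ("eq", "gt", "lt", "neq"):
        op, val = tokens.pop(0), tokens.pop(0)
        return op, PORT_NAMES[val] if val in PORT_NAMES else int(val)
    return None


def parse_ace(line):
    """Parse one numbered extended ACL entry into a dict."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    ace, rest = {"acl": t[1], "action": t[2], "proto": t[3]}, t[4:]
    ace["src"], ace["sport"] = _addr(rest), _port(rest)
    ace["dst"], ace["dport"] = _addr(rest), _port(rest)
    ace["established"] = "established" in rest
    return ace


def _addr_ok(spec, ip):
    net, wild = spec  # wildcard bit set = "don't care", so 255.255.255.255 means any
    return ((int(ipaddress.IPv4Address(ip)) ^ net) & ~wild & 0xFFFFFFFF) == 0


def _port_ok(spec, port):
    if spec is None:
        return True
    op, v = spec
    return {"eq": port == v, "gt": port > v, "lt": port < v, "neq": port != v}[op]


def acl_verdict(acl_lines, acl_id, proto, src_ip, src_port, dst_ip, dst_port, syn=True):
    """First match wins; nothing matching falls to the implicit deny.  IOS applies
    'established' to segments with ACK or RST set, so a bare SYN never matches it."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace["acl"] != acl_id or ace["proto"] not in (proto, "ip"):
            continue
        if not (_addr_ok(ace["src"], src_ip) and _addr_ok(ace["dst"], dst_ip)):
            continue
        if not (_port_ok(ace["sport"], src_port) and _port_ok(ace["dport"], dst_port)):
            continue
        if ace["established"] and syn:
            continue
        return ace["action"], line
    return "deny", "implicit deny"


# Both ACLs exactly as posted.  Note '10.115.28.20 255.255.255.255' is a wildcard
# mask, so IOS (and this parser) read that source as any host, not Server2.
POSTED_ACL = """
access-list 102 permit icmp 10.0.0.0 0.255.255.255 any
access-list 102 permit tcp any 10.0.0.0 0.255.255.255 established
access-list 102 deny ip any any
access-list 103 permit udp host 10.10.1.10 eq ntp any
access-list 103 permit icmp 10.0.0.0 0.255.255.255 any
access-list 103 permit tcp host 10.15.8.240 host 10.115.28.20 eq telnet
access-list 103 permit tcp host 10.15.8.240 host 10.115.28.20 eq ftp
access-list 103 permit tcp host 10.15.8.240 host 10.115.28.20 eq ftp-data
access-list 103 permit udp host 10.15.8.240 host 10.115.28.20 eq ftp-data
access-list 103 permit tcp 10.115.28.20 255.255.255.255 host 10.15.8.240 eq 80
access-list 103 permit tcp any 10.0.0.0 0.255.255.255 established
access-list 103 deny ip any any
""".strip().splitlines()

# KiscoKid's passive-mode line, inserted ahead of the final deny as advised.
PASSIVE_FIX = "access-list 103 permit tcp host 10.15.8.240 host 10.115.28.20 gt 1023"
PASSIVE_FIXED = POSTED_ACL[:-1] + [PASSIVE_FIX, POSTED_ACL[-1]]
# Example's own (not from the thread): what active mode needs on the return ACL,
# since the server's SYN from port 20 is a new connection, not 'established'.
ACTIVE_FIX = "access-list 102 permit tcp host 10.115.28.20 eq ftp-data host 10.15.8.240 gt 1023"
ACTIVE_FIXED = POSTED_ACL[:2] + [ACTIVE_FIX] + POSTED_ACL[2:]


def check_data_channel(control_line, acl_lines):
    """Route the data-channel SYN to the ACL assumed to face it and return
    (direction, verdict, matching ACE)."""
    proto, s, sp, d, dp, direction = data_channel_syn(control_line)
    acl_id = "102" if direction == "server->client" else "103"
    verdict, hit = acl_verdict(acl_lines, acl_id, proto, s, sp, d, dp)
    return direction, verdict, hit


if __name__ == "__main__":
    # Constructed control lines: client PORT (active, port 40001) and server 227 (passive, port 50000).
    for label, line, acl in [
        ("active, posted ACLs", "PORT 10,15,8,240,156,65", POSTED_ACL),
        ("active, with ACTIVE_FIX", "PORT 10,15,8,240,156,65", ACTIVE_FIXED),
        ("passive, posted ACLs", "227 Entering Passive Mode (10,115,28,20,195,80).", POSTED_ACL),
        ("passive, with gt 1023", "227 Entering Passive Mode (10,115,28,20,195,80).", PASSIVE_FIXED),
    ]:
        print(f"{label}: {check_data_channel(line, acl)}")
```

The run reproduces the symptom in the first post: in active mode the control channel answers "200 PORT command successful", then the server's SYN from port 20 toward the client's high port arrives on the return ACL, where `established` does not match it, and it falls to `deny ip any any`. In passive mode the client's SYN to the server's high port is what the `gt 1023` line lets through, and only if it sits above the deny, which is the ordering point made two posts down.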
 
KiscoKid, do I need to take out both ftp-data statements with "access-list 103 permit tcp host 10.15.8.240 host 10.115.28.20 gt 1023"?

If not, what order am I looking at here?

Thanks again
 
No. Keep your existing ACL as it is and just add what I've recommended. Regarding order, just make sure the new permit statement goes before the last line in ACL 103 that denies all IP traffic.
 