I have an external internet router connected to a PIX firewall with a DMZ and an internal network. For additional security I put an ACL on the external router where I deny access to networks that port scan us, send spam, etc.
I have an FTP server in the DMZ. If I take the ACL off the external router, people can get to the FTP site. If I put it back on, they can't, so I know the problem is the ACL, not the PIX. I think people who use an FTP client can do it, but if they use Internet Explorer and try to open the site they get a time out.
Here are the entries I have in the ACL to allow traffic to the FTP site:
access-list 100 permit tcp any gt 1023 host 65.225.99.67 eq ftp
access-list 100 permit tcp any gt 1023 host 65.225.99.67 eq ftp-data
Here's what shows up in the log:
Feb 1 14:44:10.681: %SEC-6-IPACCESSLOGP: list 100 denied tcp 24.39.143.30(1447) -> 65.225.99.67(1144), 2 packets
Feb 1 14:57:35.359: %SEC-6-IPACCESSLOGP: list 100 denied tcp 24.39.143.30(1528) -> 65.225.99.67(1145), 1 packet
Feb 1 14:58:23.912: %SEC-6-IPACCESSLOGP: list 100 denied tcp 24.39.143.30(1528) -> 65.225.99.67(1145), 2 packets
Feb 1 14:59:57.492: %SEC-6-IPACCESSLOGP: list 100 denied tcp 24.39.143.30(1588) -> 65.225.99.67(1147), 1 packet
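The denied entries above all go from one client to successive high-numbered ports (1144, 1145, 1147) on the FTP host, which is the shape of passive-mode FTP data connections: the client opens them to whatever ephemeral port the server announces on the port-21 control channel, and the two permit lines in the post cover only ftp and ftp-data. The following script is an added example, not part of the original post, that parses %SEC-6-IPACCESSLOGP lines and pulls out exactly that pattern so it can be spotted in a larger log. The sample log is the four lines from the post; the function names and the threshold of two distinct ports are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the four denied entries quoted in the post.
SAMPLE_LOG = """\
Feb 1 14:44:10.681: %SEC-6-IPACCESSLOGP: list 100 denied tcp 24.39.143.30(1447) -> 65.225.99.67(1144), 2 packets
Feb 1 14:57:35.359: %SEC-6-IPACCESSLOGP: list 100 denied tcp 24.39.143.30(1528) -> 65.225.99.67(1145), 1 packet
Feb 1 14:58:23.912: %SEC-6-IPACCESSLOGP: list 100 denied tcp 24.39.143.30(1528) -> 65.225.99.67(1145), 2 packets
Feb 1 14:59:57.492: %SEC-6-IPACCESSLOGP: list 100 denied tcp 24.39.143.30(1588) -> 65.225.99.67(1147), 1 packet
"""

FTP_SERVER = "65.225.99.67"  # the DMZ FTP host named in the post

# One IOS ACL log line: "list <acl> denied|permitted <proto> src(sport) -> dst(dport), N packet(s)"
LINE_RE = re.compile(
    r"list (?P<acl>\d+) (?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)


def parse(log_text):
    """Yield one dict per %SEC-6-IPACCESSLOGP line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            entry = m.groupdict()
            for key in ("sport", "dport", "count"):
                entry[key] = int(entry[key])
            yield entry


def denied_high_ports(log_text, server=FTP_SERVER):
    """Denied TCP flows to the FTP server whose destination port is above 1023.

    Returns {(client_ip, server_port): total_packets}. Ports 20 and 21 (ftp-data, ftp)
    are below 1024, so anything counted here is a connection the two permit lines
    in the post could never match; a run of them from one client is what a passive
    data channel looks like from the router's point of view.
    """
    hits = Counter()
    for e in parse(log_text):
        if (e["action"] == "denied" and e["proto"] == "tcp"
                and e["dst"] == server and e["dport"] > 1023):
            hits[(e["src"], e["dport"])] += e["count"]
    return dict(hits)


def clients_blocked_on_passive(log_text, server=FTP_SERVER, min_distinct_ports=2):
    """Client addresses denied on at least `min_distinct_ports` different high ports.

    Requiring more than one distinct port (an assumed threshold) separates a client
    retrying passive data connections from a single stray packet.
    """
    ports_by_client = defaultdict(set)
    for client, dport in denied_high_ports(log_text, server):
        ports_by_client[client].add(dport)
    return sorted(c for c, ports in ports_by_client.items() if len(ports) >= min_distinct_ports)


if __name__ == "__main__":
    for (client, dport), n in sorted(denied_high_ports(SAMPLE_LOG).items()):
        print(f"{client} -> {FTP_SERVER}:{dport}  {n} packet(s) denied")
    print("clients apparently failing in passive mode:", clients_blocked_on_passive(SAMPLE_LOG))
```

Run against the sample it reports three denied server ports for 24.39.143.30 and lists that client as the one failing in passive mode; pointed at a full router log it will do the same for every client the ACL is tripping up on data connections, which is the evidence to have in hand before deciding which passive port range the server uses and whether the ACL should permit it.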