Blocking FTP connections for specific clients

Unanswered Question
Feb 14th, 2007

Hi. My core switch has 2 vlan interfaces, vlan85 for users and vlan100 for servers. I would like to allow a few certain IPs from vlan85 users to my FTP server. Can this be done without actually needing to define access to all the other services (my users need access other machines using ssh, telnet, web etc.)

Thanks.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jon Marshall Thu, 02/15/2007 - 01:56

Hi

Assuming you client vlan is 192.168.5.0/24 and 192.168.5.10 & 11 are the clients you want to allow to ftp

access-list RESTRICT permit tcp host 192.168.5.10 host "ftp server ip" eq 20

access-list RESTRICT permit tcp host 192.168.5.10 host "ftp server ip" eq 21

access-list RESTRICT permit tcp host 192.168.5.11 host "ftp server ip" eq 20

access-list RESTRICT permit tcp host 192.168.5.11 host "ftp server ip" eq 21

access-list RESTRICT deny any host "ftp server ip" eq 20

access-list RESTRICT deny any host "ftp server ip" eq 21

access-list RESTRICT permit ip any any

Apply this inbound on the vlan 85 interface.

HTH

Jon

daviddtran Thu, 02/15/2007 - 09:00

The ACLs which contain port 20 is overkill.

If you block command and control port (21),

there is no point in blocking data transfer

port (20).

Besides, the acl for port 20 is useless if the

user(s) use Active ftp.

David

Jon Marshall Thu, 02/15/2007 - 09:55

David

Having port 20 in the access-list is hardly overkill to be honest. It's a layer 3 switch and a 7 line access-list should really be okay. i was trying to explain the concept of access-list order and as most people know ftp works on 2 ports i thought it should have both. It really won't do any harm.

Agreed on the active ftp but some people do use passive :-)

Jon

daviddtran Thu, 02/15/2007 - 11:06

The point I am trying to make here is that

it is NOT necessary to do so. Imagine if you

do it in the Security lab, you will fail. Once

you block command and control port (tcp port

21) , it is irrelevant to block tcp port 20.

You will not get any hits in this ACL line.

David

CCIE Security

Jon Marshall Thu, 02/15/2007 - 11:28

Okay well that's a bit of worry as Cisco doc for blocking ftp shows both ports being blocked

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml#denyftp

So follow their example and fail the lab !.

Point i was trying to make was that we aren't taking a lab. May not be necessary but won't do any harm either.

Anyway lets not get into an argument about it. The access-list will work whether port 20 is included or not and there will be no adverse effects whichever the original poster uses.

Jon

Actions

This Discussion