Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
407
Views
0
Helpful
5
Replies

Blocking FTP connections for specific clients

fahmyaziz
Level 1
Level 1

‎02-14-2007 10:53 PM - edited ‎03-09-2019 05:24 PM

Hi. My core switch has 2 vlan interfaces, vlan85 for users and vlan100 for servers. I would like to allow a few certain IPs from vlan85 users to my FTP server. Can this be done without actually needing to define access to all the other services (my users need access other machines using ssh, telnet, web etc.)

Thanks.

Labels:
0 Helpful
5 Replies 5

Jon Marshall
Hall of Fame
Hall of Fame

‎02-15-2007 01:56 AM

Hi

Assuming you client vlan is 192.168.5.0/24 and 192.168.5.10 & 11 are the clients you want to allow to ftp

access-list RESTRICT permit tcp host 192.168.5.10 host "ftp server ip" eq 20

access-list RESTRICT permit tcp host 192.168.5.10 host "ftp server ip" eq 21

access-list RESTRICT permit tcp host 192.168.5.11 host "ftp server ip" eq 20

access-list RESTRICT permit tcp host 192.168.5.11 host "ftp server ip" eq 21

access-list RESTRICT deny any host "ftp server ip" eq 20

access-list RESTRICT deny any host "ftp server ip" eq 21

access-list RESTRICT permit ip any any

Apply this inbound on the vlan 85 interface.

HTH

Jon

0 Helpful

daviddtran
Level 1
Level 1
In response to Jon Marshall

‎02-15-2007 09:00 AM

The ACLs which contain port 20 is overkill.

If you block command and control port (21),

there is no point in blocking data transfer

port (20).

Besides, the acl for port 20 is useless if the

user(s) use Active ftp.

David

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to daviddtran

‎02-15-2007 09:55 AM

David

Having port 20 in the access-list is hardly overkill to be honest. It's a layer 3 switch and a 7 line access-list should really be okay. i was trying to explain the concept of access-list order and as most people know ftp works on 2 ports i thought it should have both. It really won't do any harm.

Agreed on the active ftp but some people do use passive :-)

Jon

0 Helpful

daviddtran
Level 1
Level 1
In response to Jon Marshall

‎02-15-2007 11:06 AM

The point I am trying to make here is that

it is NOT necessary to do so. Imagine if you

do it in the Security lab, you will fail. Once

you block command and control port (tcp port

21) , it is irrelevant to block tcp port 20.

You will not get any hits in this ACL line.

David

CCIE Security

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to daviddtran

‎02-15-2007 11:28 AM

Okay well that's a bit of worry as Cisco doc for blocking ftp shows both ports being blocked

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml#denyftp

So follow their example and fail the lab !.

Point i was trying to make was that we aren't taking a lab. May not be necessary but won't do any harm either.

Anyway lets not get into an argument about it. The access-list will work whether port 20 is included or not and there will be no adverse effects whichever the original poster uses.

Jon

0 Helpful
Customers Also Viewed These Support Documents