
ACL for FTP

leungcm
Level 1

Hi,

We added the ACL on the router for the FTP service, but while we can log in, we cannot "ls" or "dir". Is something missing? Please advise.

access-list 150 permit tcp any eq ftp host 202.x.x.x
access-list 150 permit tcp any eq ftp-data host 202.x.x.x
access-list 150 permit tcp any 202.x.x.x range ftp-data ftp

3 Replies

Pavel Bykov
Level 5

FTP also establishes connections on dynamically negotiated ports (over 1023), depending on the software used.

access-list 150 permit tcp any gt 1023 host 202.x.x.x
access-list 150 permit tcp any 202.x.x.x gt 1023

Also, your ACL is two-way. ACLs are always applied in one direction, but I guess you can apply the same ACL in both directions.

This opens up a lot of ports though.
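The point above about dynamically negotiated ports is easiest to see on the control channel itself. The following is an added example, not code from this thread or from Cisco: it decodes the RFC 959 PORT command (active mode) and the 227 reply to PASV (passive mode) from a constructed FTP session, works out which TCP connection each one opens, and renders the single IOS extended ACE that would admit that connection. The client address 203.0.113.5, the server address 198.51.100.10, the transcript and the port numbers are all made up for the example; the ACL number 150 is reused from the question. The listing shows why a static ACL written before the session cannot name the data port and ends up with `gt 1023`, and it also rejects a PORT command pointing at a third-party host (the classic FTP bounce), a check a filtering device should make.

```python
"""Decode FTP data-channel negotiation and show the flow each mode opens.

Added example for the ACL-for-FTP thread; addresses and transcript are
constructed sample data, not captured traffic.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

FTP_DATA_PORT = 20            # source port of the server in active mode
ACL_NUMBER = 150              # reused from the question in the thread

# Constructed sample addresses (RFC 5737 documentation ranges).
CLIENT_IP = "203.0.113.5"
SERVER_IP = "198.51.100.10"

# Constructed control-channel transcript. "C>" is client to server,
# "S>" is server to client. The first LIST uses active mode (PORT),
# the second uses passive mode (PASV).
SAMPLE_TRANSCRIPT = """
S> 220 FTP server ready
C> USER anonymous
S> 331 Please specify the password
C> PASS guest@
S> 230 Login successful
C> PORT 203,0,113,5,195,80
S> 200 PORT command successful
C> LIST
S> 150 Here comes the directory listing
S> 226 Directory send OK
C> PASV
S> 227 Entering Passive Mode (198,51,100,10,234,17).
C> LIST
S> 150 Here comes the directory listing
S> 226 Directory send OK
C> QUIT
"""

_PORT_CMD = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
_PASV_REPLY = re.compile(r"^227\s.*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass(frozen=True)
class DataFlow:
    mode: str        # "active" (PORT) or "passive" (PASV)
    src_host: str
    src_port: str    # a concrete port, or "gt 1023" when it is ephemeral
    dst_host: str
    dst_port: int


def decode_hostport(fields) -> Tuple[str, int]:
    """RFC 959 h1,h2,h3,h4,p1,p2 -> ("h1.h2.h3.h4", p1*256 + p2)."""
    nums = [int(f) for f in fields]
    if len(nums) != 6 or any(n > 255 for n in nums):
        raise ValueError(f"malformed host-port fields: {fields}")
    host = ".".join(str(n) for n in nums[:4])
    return host, nums[4] * 256 + nums[5]


def data_flow(line: str, client_ip: str, server_ip: str) -> Optional[DataFlow]:
    """Return the data connection implied by one control-channel line, else None."""
    m = _PORT_CMD.match(line)
    if m:
        host, port = decode_hostport(m.groups())
        if host != client_ip:
            # PORT naming another host is the FTP bounce pattern; refuse it.
            raise ValueError(f"PORT points at {host}, not the client {client_ip}")
        # Active mode: the server connects from tcp/20 to the port the client chose.
        return DataFlow("active", server_ip, str(FTP_DATA_PORT), host, port)
    m = _PASV_REPLY.match(line)
    if m:
        host, port = decode_hostport(m.groups())
        # Passive mode: the client connects from an ephemeral port to the server's port.
        return DataFlow("passive", client_ip, "gt 1023", host, port)
    return None


def flows_from_transcript(transcript: str, client_ip: str, server_ip: str) -> List[DataFlow]:
    """Collect every negotiated data connection in a 'C> ' / 'S> ' prefixed transcript."""
    flows = []
    for raw in transcript.strip().splitlines():
        line = raw.split("> ", 1)[1] if "> " in raw else raw
        flow = data_flow(line.strip(), client_ip, server_ip)
        if flow is not None:
            flows.append(flow)
    return flows


def ace_for(flow: DataFlow, acl_number: int = ACL_NUMBER) -> str:
    """Render the IOS extended ACE that admits the SYN of this data connection."""
    src_port = f"eq {flow.src_port}" if flow.src_port.isdigit() else flow.src_port
    return (f"access-list {acl_number} permit tcp host {flow.src_host} {src_port} "
            f"host {flow.dst_host} eq {flow.dst_port}")


if __name__ == "__main__":
    for f in flows_from_transcript(SAMPLE_TRANSCRIPT, CLIENT_IP, SERVER_IP):
        print(f"{f.mode:8s} {f.src_host}:{f.src_port} -> {f.dst_host}:{f.dst_port}")
        print("  ", ace_for(f))
```

Run stand-alone it prints the two data connections: in active mode the server opens 198.51.100.10:20 to 203.0.113.5:50000, so on an interface facing the client the inbound ACL only ever sees the client's return packets for that flow; in passive mode the client opens an ephemeral port to 198.51.100.10:59921, a destination port that is different for every session and is only known after the 227 reply has gone by. That is the gap `gt 1023` is papering over in the replies above; a stateful FTP inspector that reads the same PORT and PASV lines this script parses is what closes it.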

Hi,

Is there any solution that does not require opening all TCP ports greater than 1024, or any workaround? Thanks.

Best regards

purohit_810
Level 5

Hi,

If you want to access the FTP server from outside, please configure as below.

I am not able to see any NAT statement.

interface Ethernet0
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 192.168.10.1 255.255.255.252
 ip nat outside
!
ip nat service list 10 ftp tcp port 2021
ip nat inside source static 10.1.1.1 20.20.20.1
!--- Static NAT translation for inside local address 10.1.1.1
!--- to inside global address 20.20.20.1.
!
access-list 10 permit 10.1.1.1

Troubleshooting commands:

show logging
show ip nat translations

If you want to know more about NAT: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e76.shtml

Regards,

Dharmesh Purohit
