Deny FTP Access

Unanswered Question
Aug 10th, 2007

If I want to define an access list to prevent any host on subnet from obtaining FTP access to server, can I use the single access-list statement:

access-list 101 deny tcp host eq ftp

or, because FTP uses both ports 20 and 21, do I have to enter two separate statements:

access-list 101 deny tcp host eq 20


access-list 101 deny tcp host eq 21

deveshkumar Fri, 08/10/2007 - 05:49

A single statement would suffice.

However, the ACL is port based; if the FTP server is using a port other than 21, then FTP would still be allowed.

Better to use NBAR, which actually inspects the protocol and can identify FTP data even if the FTP service is hosted on different ports.

Here's the link for NBAR:

The solution purely depends on your infrastructure. If the destination FTP service also resides in your domain, then you might have knowledge of the port the FTP service is running on...

Marwan ALshawi Fri, 08/10/2007 - 06:01

Hi there,

I think you'd better try the next ACLs, which contain the two ports 20 and 21 of FTP, to avoid the standard and passive modes of FTP connections.


deveshkumar Fri, 08/10/2007 - 06:18

Not needed, because 21 is used by server to client, which will be dropped anyway if not explicitly allowed in the ACL.
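The thread argues over which of the two ports matters without showing what each line actually matches. The following added example (not from the thread or from Cisco; the 10.1.1.0/24 subnet, the server 192.168.5.10 and the five flows are constructed assumptions) models IOS extended-ACL evaluation, first match wins with the implicit deny at the end, and runs the proposed ACL 101 against the control and data connections of both active and passive FTP, plus the non-standard-port case raised in the first answer.

```python
"""Model of Cisco IOS extended-ACL evaluation (first match wins, implicit
deny at the end) applied to the FTP deny lines discussed in the thread.
Constructed example: the subnet, server and flows below are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS port keywords relevant here: 'eq ftp' is port 21, 'eq ftp-data' is port 20.
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "www": 80}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Ace:
    """One access-list entry. A port of None means 'any port'."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in self.src:
            return False
        if ipaddress.ip_address(p.dst) not in self.dst:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (network, next_i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are host masks; ipaddress accepts 'addr/hostmask' directly.
    return ipaddress.ip_network(tokens[i] + "/" + tokens[i + 1], strict=False), i + 2


def _opt_port(tokens, i):
    """Parse an optional 'eq PORT' at tokens[i]; return (port or None, next_i)."""
    if i < len(tokens) and tokens[i] == "eq":
        return _port(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N {permit|deny} PROTO SRC [eq P] DST [eq P]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = t[2], t[3]
    src, i = _addr(t, 4)
    sport, i = _opt_port(t, i)
    dst, i = _addr(t, i)
    dport, i = _opt_port(t, i)
    return Ace(action, proto, src, sport, dst, dport)


def evaluate(acl, pkt):
    """Return (action, ace_index). First match wins; no match is the implicit deny (index None)."""
    for idx, ace in enumerate(acl):
        if ace.matches(pkt):
            return ace.action, idx
    return "deny", None


def hit_counts(acl, packets):
    """How many of the given packets each line matched; a zero means the line never fires."""
    counts = [0] * len(acl)
    for p in packets:
        _, idx = evaluate(acl, p)
        if idx is not None:
            counts[idx] += 1
    return counts


# Assumed addressing (not from the thread): hosts on 10.1.1.0/24 must not reach the
# FTP server 192.168.5.10. ACL 101 is applied inbound on the interface facing that
# subnet, so it sees client-originated packets.
ACL_101 = [parse_ace(line) for line in """
access-list 101 deny tcp 10.1.1.0 0.0.0.255 host 192.168.5.10 eq ftp
access-list 101 deny tcp 10.1.1.0 0.0.0.255 host 192.168.5.10 eq 20
access-list 101 permit ip any any
""".strip().splitlines()]

# Constructed flows covering both FTP modes plus the caveats from the thread.
FLOWS = {
    # Control channel, identical in active and passive mode: client -> server:21.
    "control":     Packet("10.1.1.7", 40001, "192.168.5.10", 21),
    # Passive-mode data channel: client -> the high port advertised in the PASV reply.
    "pasv-data":   Packet("10.1.1.7", 40002, "192.168.5.10", 50123),
    # Active-mode data channel: the SERVER opens it FROM source port 20 to the client.
    "active-data": Packet("192.168.5.10", 20, "10.1.1.7", 40003),
    # Unrelated traffic that must keep working.
    "http":        Packet("10.1.1.7", 40004, "192.168.5.10", 80),
    # FTP on a non-standard control port: the ACL cannot tell it is FTP.
    "ftp-on-2121": Packet("10.1.1.7", 40005, "192.168.5.10", 2121),
}


def verdicts():
    return {name: evaluate(ACL_101, p) for name, p in FLOWS.items()}


if __name__ == "__main__":
    for name, (action, idx) in verdicts().items():
        where = "implicit deny" if idx is None else f"line {idx + 1}"
        print(f"{name:12s} {action:6s} ({where})")
    print("hits per line:", hit_counts(ACL_101, FLOWS.values()))
```

Run it and only the control-channel flow hits the `eq ftp` line; the `eq 20` line matches nothing, because in active mode port 20 is the server's source port on a connection the server initiates, and in passive mode the data connection goes to a high port. Denying the control channel is therefore what stops a session in both modes. The same run shows the limit of any port-based rule: the flow to port 2121 sails through to `permit ip any any`, which is the case the first answer's NBAR suggestion is meant to catch.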

