Access List Probz

Sep 25th, 2007

Hi,

I have an access-list problem. My requirement is that I want to permit 61.1.1.48 to access a public IP 202.1.1.1, which is an FTP server, so I have permitted ONLY FTP access outside for 61.1.1.48, whereas the other IP addresses in the same series 61.1.1.0/24 are permitted to access any ports outside.


interface serial 0/0/0

ip address 1.1.1.1 255.255.255.252

ip access-group 101 out

ip access-group 102 in


interface fas 0/0

ip address 61.1.1.1 255.255.255.0



access-list 101 deny ip host 61.1.1.48 any

access-list 101 permit tcp host 61.1.1.1 host 202.1.1.1 eq 21

access-list 101 permit ip any any

access-list 102 permit ip any any


When I apply this on my router and FTP to 202.1.1.1 from 61.1.1.48, I get this message:


C:\>ftp 202.1.1.1

Connected to 202.1.1.1.

Connection closed by remote host.


Please correct me wherever I have made a mistake in this.

Jon Marshall Tue, 09/25/2007 - 05:06

Hi


Can you recheck your ACL 101, i.e.


access-list 101 deny ip host 61.1.1.48 any

access-list 101 permit tcp host 61.1.1.1 host 202.1.1.1 eq 21

access-list 101 permit ip any any



1) Your first line denies 61.1.1.48 from any access, so it doesn't matter what else is in the ACL.


2) Is line 2 meant to say 61.1.1.148 instead of 61.1.1.1?


If so, you need to update the line and move it to the top of the ACL.


HTH


Jon

Anand Narayana Tue, 09/25/2007 - 05:08

Sorry, it was actually 61.1.1.48; it was my mistake while typing in this form.


access-list 101 deny ip host 61.1.1.48 any

access-list 101 permit tcp host 61.1.1.48 host 202.1.1.1 eq 21

access-list 101 permit ip any any

Jon Marshall Tue, 09/25/2007 - 05:11

Hi


You still have the same problem with the order of your ACL lines.


The first line denies IP from 61.1.1.148. IP includes TCP and UDP, so it will never get to the second line.


Jon

Jon Marshall Tue, 09/25/2007 - 05:19

No, you should need UDP for FTP.


Could you send the updated access-list? Remember that FTP uses more than just one port and you have only allowed one port through. Try adding TCP port 20 as well as TCP port 21 to your ACL.


This still may not work - do you know which kind of FTP you are using, active or passive?


Jon

Anand Narayana Tue, 09/25/2007 - 05:23

I tried with a GUI FTP client (FileZilla), which is by default in PASSIVE mode.


So shall I go ahead with the below ACL?


access-list 101 deny ip host 61.1.1.48 any

access-list 101 permit tcp host 61.1.1.48 host 202.1.1.1 eq 20

access-list 101 permit tcp host 61.1.1.48 host 202.1.1.1 eq 21

access-list 101 permit ip any any


If so, then I will go ahead and put this ACL in my router.

Jon Marshall Tue, 09/25/2007 - 05:29

Hi


Try this and let me know the result. Note that I have reordered the lines.



access-list 101 permit tcp host 61.1.1.48 host 202.1.1.1 eq 20

access-list 101 permit tcp host 61.1.1.48 host 202.1.1.1 eq 21

access-list 101 deny ip host 61.1.1.48 any

access-list 101 permit ip any any


Jon


Anand Narayana Tue, 09/25/2007 - 05:38

OK, fine, will try & let you know by tomorrow, as everyone at the remote end has left for the day.

Jon Marshall Tue, 09/25/2007 - 05:47

Okay no problem.


Had a quick check on passive mode. If the access-list you have doesn't work, try:


access-list 101 permit tcp host 61.1.1.48 host 202.1.1.1 eq 21

access-list 101 permit tcp host 61.1.1.48 host 202.1.1.1 range 1025 65535

access-list 101 deny ip host 61.1.1.48 any

access-list 101 permit ip any any


Jon
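To make the ordering point from this thread concrete, here is a small first-match evaluator that models how IOS walks a numbered extended ACL top-down, stops at the first matching entry, and drops anything that matches nothing (the implicit deny). It is an added example written for this page, not Cisco code and not anything the posters ran; it parses only the syntax subset used in the thread (ip/tcp/udp, `host`/`any`, and `eq`/`range` on the destination port), and the sample data-connection port 50000 is a constructed stand-in for whatever high port a passive FTP server hands out. Running it against the three ACL variants posted above shows why the original order denies the control connection, why the reordered version permits ports 20 and 21 but still blocks a passive data connection, and why the final `range 1025 65535` line is what makes passive mode work.

```python
"""Toy first-match evaluator for the Cisco IOS extended ACLs posted in this thread.

Constructed illustration, not Cisco code.  It mimics the documented IOS behaviour:
entries in a numbered access-list are checked top-down, the first matching entry
decides, and a packet that matches nothing hits the implicit 'deny' at the end.
Only the syntax subset used in the thread is parsed: protocol ip/tcp/udp,
'host A' or 'any' for addresses, and an optional 'eq N' or 'range A B' operator
on the destination port.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Entry:
    action: str           # "permit" or "deny"
    proto: str            # "ip" (matches tcp and udp), "tcp" or "udp"
    src: Optional[str]    # None means "any"
    dst: Optional[str]    # None means "any"
    lo: Optional[int]     # destination port range; None means any port
    hi: Optional[int]


def _addr(tok: List[str], i: int) -> Tuple[Optional[str], int]:
    """Parse 'any' or 'host X' starting at tok[i]; return (address, next index)."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError("unsupported address spec: " + " ".join(tok))


def parse_acl(text: str) -> List[Entry]:
    """Parse 'access-list <num> <action> <proto> <src> <dst> [eq N | range A B]' lines."""
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        src, i = _addr(tok, 4)
        dst, i = _addr(tok, i)
        lo = hi = None
        if i < len(tok):
            if tok[i] == "eq":
                lo = hi = int(tok[i + 1])
            elif tok[i] == "range":
                lo, hi = int(tok[i + 1]), int(tok[i + 2])
            else:
                raise ValueError("unsupported port operator: " + line)
        entries.append(Entry(action, proto, src, dst, lo, hi))
    return entries


def evaluate(acl: List[Entry], proto: str, src: str, dst: str,
             dport: int) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based entry number) of the first matching entry,
    or ('deny', None) when the packet falls through to the implicit deny."""
    for n, e in enumerate(acl, start=1):
        if e.proto != "ip" and e.proto != proto:
            continue
        if e.src is not None and e.src != src:
            continue
        if e.dst is not None and e.dst != dst:
            continue
        if e.lo is not None and not (e.lo <= dport <= e.hi):
            continue
        return e.action, n
    return "deny", None


# The three ACL variants from the thread, verbatim.
ORIGINAL = parse_acl("""
access-list 101 deny ip host 61.1.1.48 any
access-list 101 permit tcp host 61.1.1.48 host 202.1.1.1 eq 21
access-list 101 permit ip any any
""")

REORDERED = parse_acl("""
access-list 101 permit tcp host 61.1.1.48 host 202.1.1.1 eq 20
access-list 101 permit tcp host 61.1.1.48 host 202.1.1.1 eq 21
access-list 101 deny ip host 61.1.1.48 any
access-list 101 permit ip any any
""")

PASSIVE = parse_acl("""
access-list 101 permit tcp host 61.1.1.48 host 202.1.1.1 eq 21
access-list 101 permit tcp host 61.1.1.48 host 202.1.1.1 range 1025 65535
access-list 101 deny ip host 61.1.1.48 any
access-list 101 permit ip any any
""")

if __name__ == "__main__":
    # Constructed sample packets: the FTP control connection (21) and a passive
    # data connection to an arbitrary high port (50000) picked by the server.
    for name, acl in (("original", ORIGINAL), ("reordered", REORDERED), ("passive", PASSIVE)):
        for dport in (21, 50000):
            verdict = evaluate(acl, "tcp", "61.1.1.48", "202.1.1.1", dport)
            print("%-9s 61.1.1.48 -> 202.1.1.1:%-5d %s" % (name, dport, verdict))
```

The evaluator is stateless, which is exactly the limitation the thread runs into: a plain ACL cannot see that the high-port data connection belongs to an FTP session that was already permitted on port 21, so the only way to let passive mode through is a broad `range 1025 65535` permit to that one server. The `deny ip host 61.1.1.48 any` line still sits before `permit ip any any`, so every other host in 61.1.1.0/24 keeps full outbound access while 61.1.1.48 is restricted to the FTP server.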

Anand Narayana Thu, 09/27/2007 - 03:56

Hi Marshall,

It was extremely helpful & it worked out with this command itself; thanks for the valuable response.
