acl on 2851 router

Answered Question
Oct 12th, 2007
Hi, I have problems with my ACL: I cannot get passive FTP to work. I can log in, but I cannot see any folders inside the FTP site. In active mode there is no problem. The interface has a static translation for the FTP server. Here is the ACL. Can anyone help? Thanks


access-list 112 permit tcp any host x.x.x.x eq ftp

access-list 112 permit tcp any host x.x.x.x eq ftp-data

access-list 112 permit tcp any eq ftp-data host x.x.x.x gt 1024




Correct Answer by saro about 9 years 6 months ago

Your access-list is wrong. Here is the way things work with Active:

control channel

client:>1024 --> server:21

data channel

server:20 --> client:>1024


The active scenario you have covered...


But passive works like this:

control channel

client:>1024 --> server:21

data channel

client:>1024 --> server:>1024


The data channel is negotiated... no port 20 (if I remember correctly). To make this work for both active and passive, your ACL has to read:


access-list 112 permit tcp any host x.x.x.x eq ftp

access-list 112 remark FOR ACTIVE

access-list 112 permit tcp any eq ftp-data host x.x.x.x gt 1024

access-list 112 remark FOR PASSIVE

access-list 112 permit tcp any gt 1024 host x.x.x.x gt 1024



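As an added example (not code from the thread, and not something the poster or saro wrote): a small Python model of a stateless Cisco IOS extended ACL, applied inbound on the outside interface, evaluated against the three client-to-server packets such a list sees for FTP: the control connection, the client's replies on the server-initiated active data connection, and the client's SYN to the negotiated passive port. Both access lists are the ones quoted above; the client address, client ports and the passive port 49152 are constructed values, the server keeps the thread's `x.x.x.x` placeholder, and only the `any`/`host` address forms and the `eq`/`gt` port operators used in the thread are parsed. The model is deliberately stateless, the way a plain numbered ACL without `established` or inspection behaves.

```python
# Added example: model how a stateless IOS extended ACL (inbound on the
# outside interface, destination already the server's static NAT address)
# treats the FTP control and data flows in active and passive mode.
from dataclasses import dataclass
from typing import Dict, List, Optional

PORT_NAMES = {"ftp": 21, "ftp-data": 20}   # the port keywords the thread uses


@dataclass(frozen=True)
class PortCond:
    op: str       # "eq" or "gt", the two operators seen in the thread
    port: int

    def matches(self, port: int) -> bool:
        return port == self.port if self.op == "eq" else port > self.port


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    src: str                      # "any" or a host address
    src_cond: Optional[PortCond]
    dst: str
    dst_cond: Optional[PortCond]


def _addr(toks: List[str], i: int):
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return toks[i + 1], i + 2
    raise ValueError(f"unsupported address form: {toks[i]}")


def _cond(toks: List[str], i: int):
    if i < len(toks) and toks[i] in ("eq", "gt"):
        name = toks[i + 1]
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        return PortCond(toks[i], port), i + 2
    return None, i


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list N permit tcp <src> [op port] <dst> [op port]' lines; remarks are skipped."""
    aces = []
    for line in text.strip().splitlines():
        toks = line.split()
        if len(toks) < 4 or toks[2] == "remark":
            continue
        action, proto = toks[2], toks[3]
        if proto != "tcp":
            raise ValueError("only tcp entries are modelled here")
        src, i = _addr(toks, 4)
        src_cond, i = _cond(toks, i)
        dst, i = _addr(toks, i)
        dst_cond, i = _cond(toks, i)
        aces.append(Ace(action, src, src_cond, dst, dst_cond))
    return aces


def _ip_ok(pattern: str, ip: str) -> bool:
    return pattern == "any" or pattern == ip


def _port_ok(cond: Optional[PortCond], port: int) -> bool:
    return cond is None or cond.matches(port)


def evaluate(aces: List[Ace], src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in aces:
        if (_ip_ok(ace.src, src_ip) and _port_ok(ace.src_cond, src_port)
                and _ip_ok(ace.dst, dst_ip) and _port_ok(ace.dst_cond, dst_port)):
            return ace.action
    return "deny"


SERVER = "x.x.x.x"          # the server's translated public address, as written in the thread
CLIENT = "203.0.113.10"     # constructed client address (documentation range)

# The packets an inbound-on-outside ACL actually inspects: those travelling client -> server.
INBOUND_FLOWS = {
    # control channel, both modes: client:>1024 -> server:21
    "control":            (CLIENT, 50000, SERVER, 21),
    # active mode: server:20 -> client:>1024 leaves outbound unchecked; the
    # client's replies arrive as client:>1024 -> server:20 and need an entry
    "active-data-return": (CLIENT, 50000, SERVER, 20),
    # passive mode: the client opens client:>1024 -> server:<negotiated port >1024>
    "passive-data":       (CLIENT, 50001, SERVER, 49152),   # 49152 is a constructed value
}


def check_ftp_flows(acl_text: str) -> Dict[str, str]:
    """Verdict ("permit"/"deny") for each modelled inbound FTP flow under the given ACL."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, *pkt) for name, pkt in INBOUND_FLOWS.items()}


ORIGINAL_ACL = """
access-list 112 permit tcp any host x.x.x.x eq ftp
access-list 112 permit tcp any host x.x.x.x eq ftp-data
access-list 112 permit tcp any eq ftp-data host x.x.x.x gt 1024
"""

PROPOSED_ACL = """
access-list 112 permit tcp any host x.x.x.x eq ftp
access-list 112 remark FOR ACTIVE
access-list 112 permit tcp any eq ftp-data host x.x.x.x gt 1024
access-list 112 remark FOR PASSIVE
access-list 112 permit tcp any gt 1024 host x.x.x.x gt 1024
"""

if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("proposed", PROPOSED_ACL)):
        print(label, check_ftp_flows(acl))
```

Running it shows the passive-data SYN as the only flow the original list denies, which matches the symptom in the question: the login on port 21 succeeds, but the directory listing, which travels over the data channel, never gets through. Under the same stateless model the return half of the active data channel (client:>1024 to server:20) is matched only by an `any host x.x.x.x eq ftp-data` entry, so that line has to stay next to the passive one unless the router tracks the sessions itself. The passive entry (`gt 1024` to `gt 1024`) also admits any high-port TCP connection to the server, not just FTP data; restricting the FTP server to a fixed passive port range and matching only that range, or letting the router follow the FTP control channel with stateful inspection (`ip inspect ... ftp`) or a reflexive ACL instead of a static list, keeps the exposure to what FTP actually needs.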
bsudol79p Fri, 10/12/2007 - 13:17

Yes the ACL is applied correctly because the FTP works when it is in active mode, but it doesn't work when it is in the passive mode.
