486 Views, 0 Helpful, 4 Replies

acl on 2851 router

bsudol79p (Level 1)

Hi, I have problems with my ACL: I cannot get passive FTP to work. I can log in, but I cannot see any folders inside the FTP site. In active mode there is no problem. The interface has a static translation for the FTP server. Here is the ACL. Can anyone help? Thanks

access-list 112 permit tcp any host x.x.x.x eq ftp
access-list 112 permit tcp any host x.x.x.x eq ftp-data
access-list 112 permit tcp any eq ftp-data host x.x.x.x gt 1024

Accepted Solution

saro (Level 1)

Your access-list is wrong. Here is the way things work with active:

control channel
client:>1024 --> server:21

data channel
server:20 --> client:>1024

The active scenario you have covered...

But passive works like this:

control channel
client:>1024 --> server:21

data channel
client:>1024 --> server:>1024

The data channel is negotiated... no port 20 (if I remember correctly). To make this work for both active and passive, your ACL has to read:

access-list 112 permit tcp any host x.x.x.x eq ftp
access-list 112 remark FOR ACTIVE
access-list 112 permit tcp any eq ftp-data host x.x.x.x gt 1024
access-list 112 remark FOR PASSIVE
access-list 112 permit tcp any gt 1024 host x.x.x.x gt 1024

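As an added example (the editor's code, not from this thread or from Cisco), here is a small Python evaluator for the extended-ACL lines posted above. It parses both the original and the corrected list, derives the passive data port from a PASV reply the way an FTP client does (p1*256+p2, which is the "negotiated" port the answer refers to), and checks the packets of each FTP channel in the direction toward the server. The addresses 192.0.2.10 (standing in for x.x.x.x) and 203.0.113.7 and the PASV reply are constructed; the evaluator assumes the ACL filters traffic toward the server (for example inbound on the outside interface) and only handles the any/host and eq/gt/lt forms used in the thread.

```python
"""Editor's added example: evaluate IOS-style extended ACL lines against the
TCP flows that active and passive FTP create. Not code from the thread."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

PORT_NAMES = {"ftp": 21, "ftp-data": 20}  # IOS port keywords used in the thread


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP connection, as the ACL sees a packet."""
    src: str
    sport: int
    dst: str
    dport: int


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(t: List[str], i: int) -> Tuple[Callable[[str], bool], int]:
    """'any' or 'host A.B.C.D' (the only address forms in the thread)."""
    if t[i] == "any":
        return (lambda a: True), i + 1
    if t[i] == "host":
        h = t[i + 1]
        return (lambda a: a == h), i + 2
    raise ValueError(f"unsupported address form: {t[i]}")


def _portcond(t: List[str], i: int) -> Tuple[Callable[[int], bool], int]:
    """Optional 'eq N' / 'gt N' / 'lt N'; absent means any port."""
    if i < len(t) and t[i] in ("eq", "gt", "lt"):
        op, n = t[i], _port(t[i + 1])
        pred = {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}[op]
        return pred, i + 2
    return (lambda p: True), i


def parse_acl(text: str) -> List[Tuple[str, Callable[[Flow], bool]]]:
    """Parse 'access-list N permit|deny tcp SRC [op port] DST [op port]' lines;
    remarks and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        if t[3] != "tcp":
            raise ValueError(f"only tcp handled: {line}")
        s_ok, i = _addr(t, 4)
        sp_ok, i = _portcond(t, i)
        d_ok, i = _addr(t, i)
        dp_ok, i = _portcond(t, i)
        entries.append((t[2], lambda f, s=s_ok, sp=sp_ok, d=d_ok, dp=dp_ok:
                        s(f.src) and sp(f.sport) and d(f.dst) and dp(f.dport)))
    return entries


def evaluate(acl, flow: Flow) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, match in acl:
        if match(flow):
            return action
    return "deny"


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Data endpoint from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m or not reply.startswith("227"):
        raise ValueError("not a PASV reply")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


SERVER = "192.0.2.10"    # constructed stand-in for the thread's x.x.x.x
CLIENT = "203.0.113.7"   # constructed remote FTP client
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)."  # constructed

ORIGINAL_ACL = f"""
access-list 112 permit tcp any host {SERVER} eq ftp
access-list 112 permit tcp any host {SERVER} eq ftp-data
access-list 112 permit tcp any eq ftp-data host {SERVER} gt 1024
"""
CORRECTED_ACL = f"""
access-list 112 permit tcp any host {SERVER} eq ftp
access-list 112 remark FOR ACTIVE
access-list 112 permit tcp any eq ftp-data host {SERVER} gt 1024
access-list 112 remark FOR PASSIVE
access-list 112 permit tcp any gt 1024 host {SERVER} gt 1024
"""


def ftp_flows_toward_server() -> Dict[str, Flow]:
    """Packets of each FTP channel travelling toward the server, which is the
    direction this example assumes the ACL is applied in."""
    _, pasv_port = parse_pasv(PASV_REPLY)
    return {
        "control": Flow(CLIENT, 50001, SERVER, 21),
        # active: server opens 20 -> client high; these are the client's replies
        "active-data-return": Flow(CLIENT, 50002, SERVER, 20),
        # passive: client opens high -> the port announced in the PASV reply
        "passive-data": Flow(CLIENT, 50003, SERVER, pasv_port),
    }


def compare() -> Dict[str, Tuple[str, str]]:
    """Flow name -> (verdict under original ACL, verdict under corrected ACL)."""
    orig, corr = parse_acl(ORIGINAL_ACL), parse_acl(CORRECTED_ACL)
    return {n: (evaluate(orig, f), evaluate(corr, f))
            for n, f in ftp_flows_toward_server().items()}


if __name__ == "__main__":
    for name, (o, c) in compare().items():
        print(f"{name:20s} original={o:7s} corrected={c}")
```

Running it shows the passive data channel denied by the original list and permitted by the corrected one, which is the fix in the thread. Two things a practitioner should check before deploying the corrected list exactly as written. First, the inbound half of an active-mode transfer (client high port to the server's port 20) was matched by the original "eq ftp-data" line and is not matched by any line of the corrected list, so unless the router also has the established keyword or stateful inspection (CBAC ip inspect) admitting return traffic, that line should be kept. Second, "permit tcp any gt 1024 host x.x.x.x gt 1024" admits a connection from any source port above 1024 (which an attacker chooses freely) to every port above 1024 on the server, not just the FTP data ports; pinning the FTP daemon's passive port range and permitting only that range keeps the exposure to the service you meant to publish.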

4 Replies

whisperwind (Level 1)

Do you have the ACL applied in the right direction?

Yes, the ACL is applied correctly, because FTP works when it is in active mode, but it doesn't work when it is in passive mode.

It works. Thanks for all the help!
