05-13-2008 10:14 AM - edited 03-05-2019 10:56 PM
Hi, I have an ACL set up on a 2851 router. I have some issues with the ACL not allowing FTP connections. I have a test PC that is connected to the internet outside our internal network, and I can connect in both passive and active mode with no problem. However, I have clients that connect to our FTP, and some of them cannot connect; they have to change the (active/passive) mode and then it works. I suspect that their firewall is blocking the connection.
Here is part of the ACL. These statements are the first ones in the ACL, so there is nothing in front of them to block the connections. Can anyone spot any problems with the statements? Am I missing something? Thanks for the help!!!
access-list 112 permit tcp any host 63.x.x.x eq ftp
access-list 112 permit tcp any eq ftp-data host 63.x.x.x gt 1024
access-list 112 permit tcp any gt 1024 host 63.x.x.x gt 1024
05-13-2008 10:22 AM
You can also allow the ftp-data channel:
access-list 112 permit tcp any host 63.x.x.x eq ftp-data established
05-13-2008 10:49 AM
OK, I can try that as well, but wouldn't the line access-list 112 permit tcp any eq ftp-data host 63.104.1.139 gt 1024 accomplish the same?
05-13-2008 11:32 AM
Yes, but depending on how the ACL is applied that statement may be false. The ACL you show above is applied to your public facing interface? Is the ACL applied to inbound or outbound traffic?
05-13-2008 11:45 AM
It is applied to inbound traffic.
05-13-2008 11:08 AM
You should be able to more securely control access to that FTP server by using Context-based Access Control (CBAC).
05-13-2008 12:05 PM
I have CBAC applied to my router; however, this ACL is to control outside traffic to our inside LAN, and I thought that CBAC should be configured to allow established traffic from the inside network, not from outside.
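As an added illustration (not code from the thread or from Cisco), here is a small model of how an inbound ACL on the public interface evaluates the packets of each FTP phase. It parses the three lines from the question plus the "established" line suggested in the reply, using a constructed server address in place of 63.x.x.x and a constructed client; it ignores CBAC and any other ACL lines, and models only the tcp/any/host/eq/gt/established subset of the IOS syntax.

```python
SERVER = "63.0.0.1"          # constructed stand-in for the thread's 63.x.x.x
CLIENT = "198.51.100.7"      # constructed remote FTP client
PORT_NAMES = {"ftp": 21, "ftp-data": 20}

ACL = [  # the three lines from the question plus the line suggested in the reply
    f"access-list 112 permit tcp any host {SERVER} eq ftp",
    f"access-list 112 permit tcp any eq ftp-data host {SERVER} gt 1024",
    f"access-list 112 permit tcp any gt 1024 host {SERVER} gt 1024",
    f"access-list 112 permit tcp any host {SERVER} eq ftp-data established",
]

def _addr_port(t):
    """Consume 'any' or 'host A.B.C.D', then an optional 'eq N' / 'gt N'."""
    addr, t = (None, t[1:]) if t[0] == "any" else (t[1], t[2:])
    port = None
    if t and t[0] in ("eq", "gt"):
        port, t = (t[0], PORT_NAMES.get(t[1]) or int(t[1])), t[2:]
    return addr, port, t

def parse(line):
    t = line.split()[4:]                 # drop "access-list 112 permit tcp"
    src, sport, t = _addr_port(t)
    dst, dport, t = _addr_port(t)
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "est": "established" in t}

def _port_ok(spec, port):
    return spec is None or (port == spec[1] if spec[0] == "eq" else port > spec[1])

def matches(e, pkt):
    """pkt = (src, sport, dst, dport, ack_set); 'established' needs the ACK (or RST) bit."""
    src, sport, dst, dport, ack = pkt
    return (e["src"] in (None, src) and _port_ok(e["sport"], sport)
            and e["dst"] in (None, dst) and _port_ok(e["dport"], dport)
            and (ack or not e["est"]))

def first_match(acl, pkt):
    """1-based index of the first permitting line, or None for the implicit deny."""
    return next((i for i, l in enumerate(acl, 1) if matches(parse(l), pkt)), None)

# Inbound packets seen on the public interface during each FTP phase (constructed).
CONTROL_SYN   = (CLIENT, 50000, SERVER, 21, False)     # client opens the control channel
PASSIVE_SYN   = (CLIENT, 50001, SERVER, 49152, False)  # passive: client opens data to a high port
ACTIVE_SYNACK = (CLIENT, 50002, SERVER, 20, True)      # active: client's reply to the server's port-20 SYN

if __name__ == "__main__":
    for name, pkt in [("control", CONTROL_SYN), ("passive data", PASSIVE_SYN),
                      ("active data reply", ACTIVE_SYNACK)]:
        print(f"{name:18} -> line {first_match(ACL, pkt)}"
              f" (original three lines only: {first_match(ACL[:3], pkt)})")
```

Under these assumptions the passive data SYN is permitted by the third line, while the client's reply to an active-mode data connection (destination port 20 with ACK set) is permitted only by the suggested "established" line, which is the case the reply above asks about.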