ACL for FTP

bsudol79p · ‎05-13-2008

Hi, I have a ACL setup on 2851 router. I have some issues with ACL not allowing FTP connections. I have a test PC that is connected to internet outside our internal network and I can connect with passive and active mode with no problem. However I have clients that connect to our FTP and some of them cannot connect they have to change the (active, passive) mode and then it works. I suspect that their firewall is blocking the connection.

Here is part of the ACL. These statement are the first ones in the ACL so there is nothing in front of them to block the connections. Can anyome spot any problems with the statements? Am I missing something? Thanks for the help!!!

access-list 112 permit tcp any host 63.x.x.x eq ftp

access-list 112 permit tcp any eq ftp-data host 63.x.x.x gt 1024

access-list 112 permit tcp any gt 1024 host 63.x.x.x gt 1024

noran01 · ‎05-13-2008

You can also allow the ftp-data channel:

access-list 112 permit tcp any host 63.x.x.x eq ftp-data established

bsudol79p · ‎05-13-2008

OK I can try that as well, but wouldn't the line access-list 112 permit tcp any eq ftp-data host 63.104.1.139 gt 1024 accomplish the same?

noran01 · ‎05-13-2008

Yes, but depending on how the ACL is applied that statement may be false. The ACL you show above is applied to your public facing interface? Is the ACL applied to inbound or outbound traffic?

bsudol79p · ‎05-13-2008

It is placed to inbound traffic

jcoke · ‎05-13-2008

You should be able to more securely control access to that FTP server by using Context-based Access Control (CBAC).

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_content_ac_ps6441_TSD_Products_Configuration_Guide_Chapter.html

bsudol79p · ‎05-13-2008

I have CBAC applied to my router, however this ACL is to control outside traffic to our inside LAN and I thought that CBAC should be configured to allow established traffic from inside network not outside.