Access list help for FTP

Unanswered Question
Nov 3rd, 2008

Hi,


My access list on my Cisco 877 ADSL router seems to be blocking part of the FTP process.


When connected to this router I can get out to the internet and get web pages etc., and if I connect to an FTP server I get the logon and password screen and it authenticates me, then times out and shows no folders. If I take the access list off the dialer interface it all works.


Here are the deny logs I see from the terminal monitor, they are my 3 attempts:


list 101 denied tcp 1.2.3.72(4580) -> 1.2.4.79(1201), 1 packet
list 101 denied tcp 1.2.3.72(4584) -> 1.2.4.79(1205), 1 packet
list 101 denied tcp 1.2.3.72(4563) -> 1.2.4.79(1153), 2 packets


Config:


interface Dialer1
 ip access-group 101 in

access-list 101 permit udp any eq domain any
access-list 101 permit tcp any eq www any
access-list 101 permit tcp any eq 443 any
access-list 101 permit tcp any eq ftp any
access-list 101 permit tcp any eq 5800 any log
access-list 101 permit tcp any eq 5900 any log
access-list 101 permit tcp any eq 8080 any log
access-list 101 permit udp any eq isakmp any
access-list 101 permit udp any eq non500-isakmp any
access-list 101 deny ip any any log



tcordier Mon, 11/03/2008 - 01:41

I suggest you add the line

access-list 101 permit tcp any eq ftp-data any

to allow the FTP data flow also. After successful authentication, the FTP server will send data on port 20 (not 21). If the data flow is not permitted also, you will be unable to browse the folders. See e.g. http://www.slacksite.com/other/ftp.html

HTH, Thomas

whiteford Mon, 11/03/2008 - 03:53

I added that and I got the same deny errors as before.

tcordier Mon, 11/03/2008 - 04:17

Hmmm... are you using passive FTP?
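The three deny messages from the question, evaluated against the posted ACL, as an added example that is not part of the thread (a small Python evaluator written for this page, not a Cisco tool or anything the posters ran). It assumes only the ACE shapes that appear in the question (`any` addresses, an optional `eq <port>` on either side, an optional `log`), a hand-written table of the IOS port keywords the ACL uses, and that, because the list is applied inbound on Dialer1, the source address in each log line is the remote FTP server and the destination is the local client. It includes the `ftp-data` permit Thomas suggested and shows why it still cannot match: each denied flow runs from a high server port to a high client port, which is a passive-mode data connection, and a fixed `eq <port>` permit has no way to describe a port that was negotiated inside the control channel.

```python
import re
from collections import namedtuple

# Added example for this thread, not code from the forum or from Cisco:
# evaluate the posted inbound ACL (plus the suggested ftp-data line) against
# the posted deny messages to see which ACE each denied flow actually hits.
# Assumptions: only the ACE shapes used in the question are supported
# ("any" addresses, optional "eq <port>" on either side, optional "log"),
# and, because the ACL is inbound on Dialer1, the source address in each
# log line is the remote FTP server and the destination is the local client.

# IOS port keywords that appear in the ACL (hand-written table, not exhaustive).
PORT_NAMES = {"domain": 53, "www": 80, "ftp": 21, "ftp-data": 20,
              "isakmp": 500, "non500-isakmp": 4500}

# The ACL from the question with the suggested ftp-data permit inserted.
ACL_TEXT = """
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any eq www any
access-list 101 permit tcp any eq 443 any
access-list 101 permit tcp any eq ftp any
access-list 101 permit tcp any eq ftp-data any
access-list 101 permit tcp any eq 5800 any log
access-list 101 permit tcp any eq 5900 any log
access-list 101 permit tcp any eq 8080 any log
access-list 101 permit udp any eq isakmp any
access-list 101 permit udp any eq non500-isakmp any
access-list 101 deny ip any any log
"""

# The three deny messages from the question, verbatim.
LOG_LINES = [
    "list 101 denied tcp 1.2.3.72(4580) -> 1.2.4.79(1201), 1 packet",
    "list 101 denied tcp 1.2.3.72(4584) -> 1.2.4.79(1205), 1 packet",
    "list 101 denied tcp 1.2.3.72(4563) -> 1.2.4.79(1153), 2 packets",
]

Ace = namedtuple("Ace", "action proto src_port dst_port text")
Flow = namedtuple("Flow", "proto src src_port dst dst_port")

ACE_RE = re.compile(r"^access-list \d+ (permit|deny) (\w+) any"
                    r"(?: eq (\S+))? any(?: eq (\S+))?(?: log)?$")
LOG_RE = re.compile(r"^list \d+ denied (\w+) (\S+)\((\d+)\) -> (\S+)\((\d+)\), "
                    r"\d+ packets?$")


def port_number(token):
    """Resolve an 'eq' operand: a number, or one of the known IOS keywords."""
    if token is None:
        return None
    if token.isdigit():
        return int(token)
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    raise ValueError(f"unknown port keyword: {token}")


def parse_acl(text):
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE shape: {line}")
        action, proto, sp, dp = m.groups()
        aces.append(Ace(action, proto, port_number(sp), port_number(dp), line.strip()))
    return aces


def parse_log(line):
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line}")
    proto, src, sp, dst, dp = m.groups()
    return Flow(proto, src, int(sp), dst, int(dp))


def first_match(aces, flow):
    """IOS semantics: the first matching ACE wins; a flow no ACE matches is dropped."""
    for ace in aces:
        if ace.proto not in ("ip", flow.proto):
            continue
        if ace.src_port is not None and ace.src_port != flow.src_port:
            continue
        if ace.dst_port is not None and ace.dst_port != flow.dst_port:
            continue
        return ace
    return Ace("deny", "ip", None, None, "<implicit deny>")


def classify_ftp(flow):
    """Name the FTP connection an inbound server->client packet belongs to."""
    if flow.src_port == 21:
        return "control"
    if flow.src_port == 20:
        return "active-data"    # server connects from port 20: eq ftp-data matches
    if flow.src_port >= 1024 and flow.dst_port >= 1024:
        return "passive-data"   # negotiated high port: no fixed eq <port> can match
    return "other"


def analyse(acl_text, log_lines):
    aces = parse_acl(acl_text)
    return [(flow, classify_ftp(flow), first_match(aces, flow))
            for flow in map(parse_log, log_lines)]


if __name__ == "__main__":
    for flow, kind, ace in analyse(ACL_TEXT, LOG_LINES):
        print(f"{flow.src}:{flow.src_port} -> {flow.dst}:{flow.dst_port}  "
              f"{kind:12s} hit: {ace.text}")
```

Run stand-alone it prints the first-matching ACE for each flow; all three are classified as passive data and fall through to `deny ip any any log`, which is exactly what the question reports even after the `ftp-data` line was added. Because the passive data port is chosen by the server and announced inside the control connection, a stateless inbound list cannot admit it with another `eq <port>` permit; the return traffic has to be opened by something that tracks the session, such as IOS classic firewall inspection of FTP (an `ip inspect` rule for `ftp` applied outbound on the dialer, on images that include that feature) or a reflexive ACL.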
