Access list help for FTP

Unanswered Question
Nov 3rd, 2008

Hi,

My access list on my Cisco 877 ADSL router seems to be blocking part of the ftp process.

When connected to this router I can get out to the internet and get web pages etc, and if I connect to an ftp server I get the logon and password screen and it authenticates me, then it times out and shows no folders. If I take the access list off the dialer interface it all works.

Here are the deny logs I see from the terminal monitor, they are my 3 attempts:

list 101 denied tcp 1.2.3.72(4580) -> 1.2.4.79(1201), 1 packet
list 101 denied tcp 1.2.3.72(4584) -> 1.2.4.79(1205), 1 packet
list 101 denied tcp 1.2.3.72(4563) -> 1.2.4.79(1153), 2 packets

Config:

interface Dialer1
 ip access-group 101 in

access-list 101 permit udp any eq domain any
access-list 101 permit tcp any eq www any
access-list 101 permit tcp any eq 443 any
access-list 101 permit tcp any eq ftp any
access-list 101 permit tcp any eq 5800 any log
access-list 101 permit tcp any eq 5900 any log
access-list 101 permit tcp any eq 8080 any log
access-list 101 permit udp any eq isakmp any
access-list 101 permit udp any eq non500-isakmp any
access-list 101 deny ip any any log

tcordier Mon, 11/03/2008 - 01:41

I suggest you add the line

access-list 101 permit tcp any eq ftp-data any

to allow the ftp data flow also. After successful authentication, the ftp server will send data on port 20 (not 21). If the data flow is not permitted also, you will be unable to browse the folders. See e.g. http://www.slacksite.com/other/ftp.html

HTH, Thomas
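As an added example (not part of the original thread, and not Cisco's code), here is a small Python model of how a stateless IOS extended ACL evaluates packets, restricted to the syntax subset used in list 101 (`any` addresses, `eq` on the source port, an optional `log` keyword). It runs the three packets from the poster's deny logs through the list as posted and again with the suggested `ftp-data` line inserted before the final deny (the placement is an assumption), and also checks two constructed packets: an active-mode data connection the server opens from port 20, and an arbitrary packet sourced from port 80.

```python
"""Model of stateless Cisco IOS extended-ACL matching (added example).

Supports only the syntax subset used in list 101: 'permit'/'deny', protocol
ip/tcp/udp, 'any' source and destination, an optional 'eq <port>' on the
source, and a trailing 'log'. Logged packets are the poster's deny-log lines.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS port keywords used in the list (values are the IANA assignments).
NAMED_PORTS = {
    "domain": 53, "www": 80, "ftp": 21, "ftp-data": 20,
    "isakmp": 500, "non500-isakmp": 4500,
}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches both tcp and udp
    sport: Optional[int]  # source port from 'eq', None = any port
    log: bool


def parse_rule(line: str) -> Rule:
    """Parse e.g. 'access-list 101 permit tcp any eq www any log'."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto, rest = tok[2], tok[3], tok[4:]
    log = rest[-1] == "log"
    if log:
        rest = rest[:-1]
    sport = None
    if len(rest) == 4 and rest[0] == "any" and rest[1] == "eq":
        sport = NAMED_PORTS.get(rest[2]) or int(rest[2])
    elif rest != ["any", "any"]:
        raise ValueError(f"unsupported address form: {line!r}")
    return Rule(action, proto, sport, log)


def parse_acl(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip()]


def first_match(acl: List[Rule], pkt: Packet) -> Optional[Tuple[int, Rule]]:
    """Return (index, rule) of the first entry that matches, or None (implicit deny)."""
    for i, r in enumerate(acl):
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if r.sport is not None and r.sport != pkt.sport:
            continue
        return i, r
    return None


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    m = first_match(acl, pkt)
    return m[1].action if m else "deny"


LOG_RE = re.compile(r"list \d+ \w+ (\w+) ([\d.]+)\((\d+)\) -> ([\d.]+)\((\d+)\)")


def packet_from_log(line: str) -> Packet:
    """Build a Packet from an IOS 'list 101 denied ...' log line."""
    proto, src, sport, dst, dport = LOG_RE.match(line).groups()
    return Packet(proto, src, int(sport), dst, int(dport))


ACL_ORIGINAL = """
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any eq www any
access-list 101 permit tcp any eq 443 any
access-list 101 permit tcp any eq ftp any
access-list 101 permit tcp any eq 5800 any log
access-list 101 permit tcp any eq 5900 any log
access-list 101 permit tcp any eq 8080 any log
access-list 101 permit udp any eq isakmp any
access-list 101 permit udp any eq non500-isakmp any
access-list 101 deny ip any any log
"""

# The suggested line, inserted before the final deny (assumed placement; any
# permit after the 'deny ip any any' would never be reached).
ACL_WITH_FTPDATA = ACL_ORIGINAL.replace(
    "access-list 101 deny ip any any log",
    "access-list 101 permit tcp any eq ftp-data any\naccess-list 101 deny ip any any log",
)

# The three deny-log lines from the question, verbatim.
LOGGED_PACKETS = [packet_from_log(l) for l in (
    "list 101 denied tcp 1.2.3.72(4580) -> 1.2.4.79(1201), 1 packet",
    "list 101 denied tcp 1.2.3.72(4584) -> 1.2.4.79(1205), 1 packet",
    "list 101 denied tcp 1.2.3.72(4563) -> 1.2.4.79(1153), 2 packets",
)]

# Constructed packets (not from the thread): an active-mode data connection
# the server opens from port 20, and an arbitrary packet sourced from port 80.
ACTIVE_DATA_PKT = Packet("tcp", "1.2.3.72", 20, "1.2.4.79", 1201)
SRC80_PKT = Packet("tcp", "203.0.113.5", 80, "1.2.4.79", 3389)


def verdicts(acl_text: str, packets=LOGGED_PACKETS) -> List[str]:
    """Action taken on each packet by the given ACL text."""
    acl = parse_acl(acl_text)
    return [evaluate(acl, p) for p in packets]


if __name__ == "__main__":
    for name, text in (("original", ACL_ORIGINAL), ("with ftp-data", ACL_WITH_FTPDATA)):
        print(name, "logged packets ->", verdicts(text))
        print(name, "active data from port 20 ->", evaluate(parse_acl(text), ACTIVE_DATA_PKT))
    print("original, packet from source port 80 ->", evaluate(parse_acl(ACL_ORIGINAL), SRC80_PKT))
```

Running it shows the added `ftp-data` line admits the constructed port-20 packet, which is what an active-mode data connection looks like, but the three logged packets arrive from ports 4580, 4584 and 4563, so they still fall through to the final deny. A server-side high source port to a client-side high port is the shape of a passive-mode data connection, and a stateless list keyed on the server's well-known port cannot describe it; IOS's stateful mechanisms (reflexive ACLs, or `ip inspect` with the ftp protocol) watch the control channel and open only the negotiated data port instead. The constructed port-80 packet also shows the general weakness of matching on source port alone: anything sent from port 80 is admitted to any inside port, which is why the `established` keyword or stateful inspection is the usual choice for return traffic.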
