Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
361
Views
0
Helpful
4
Replies

Access list help for FTP

whiteford
Level 1
Level 1

‎11-03-2008 12:53 AM - edited ‎03-04-2019 12:09 AM

Hi,

My access list on my Cisco 877 ADSL router seems to be blocking part of the the ftp process.

When connected to this router I can get out to the internet a get web pages etc and if I connect to an ftp server I get the logon and password screen and it authenticate me then times out and shows no folders. If I take the access list off the dialer interface it all workds.

Here are the deny logs I see from the terminal monitor, they are my 3 attempts:

list 101 denied tcp 1.2.3.72(4580) -> 1.2.4.79(1201), 1 packet

list 101 denied tcp 1.2.3.72(4584) -> 1.2.4.79(1205), 1 packet

list 101 denied tcp 1.2.3.72(4563) -> 1.2.4.79(1153), 2 packets

Config:

interface Dialer1

Ip access-group 101 in

access-list 101 permit udp any eq domain any

access-list 101 permit tcp any eq www any

access-list 101 permit tcp any eq 443 any

access-list 101 permit tcp any eq ftp any

access-list 101 permit tcp any eq 5800 any log

access-list 101 permit tcp any eq 5900 any log

access-list 101 permit tcp any eq 8080 any log

access-list 101 permit udp any eq isakmp any

access-list 101 permit udp any eq non500-isakmp any

access-list 101 deny ip any any log

Labels:
0 Helpful
4 Replies 4

tcordier
Level 1
Level 1

‎11-03-2008 01:41 AM

I suggest you add the line

access-list 101 permit tcp any eq ftp-data any

to allow the ftp data flow also. After succesful authentication, the ftp server will send data on port 20 (not 21). If the data flow is not permitted also, you will be unable to browse the folders. See e.g. http://www.slacksite.com/other/ftp.html

HTH, Thomas

0 Helpful

whiteford
Level 1
Level 1
In response to tcordier

‎11-03-2008 03:53 AM

I added that and I got the same deny errors as before.

0 Helpful

tcordier
Level 1
Level 1
In response to whiteford

‎11-03-2008 04:17 AM

Hmmm.. are you using passive ftp?

0 Helpful

tcordier
Level 1
Level 1
In response to whiteford

‎11-03-2008 04:44 AM

Try adding the keyword "established" to your entry in the accesslist entry for ftp. If you are using passive ftp, the access list needs to change to include high ports. See this link for configuration examples: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml

HTH, Thomas

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card