Extended ACL and FTP

Answered Question
May 7th, 2009
User Badges:

We have adjusted our ACL and removed permitting tcp any any gt 1023 and replaced it with the any any established command but this broke ftp. The ACL is applied out on the ethernet interface into the local network. How do I securely add FTP?


permit tcp any any established

???

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Jon Marshall Thu, 05/07/2009 - 12:08
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Tory


Do you know whether it is active or passive FTP. If active then the FTP server makes a new connection back to the client which would be allowed by tcp any any gt 1023 but not by any any established.


Is the device you have the acl on a router or firewall ?


Jon

Correct Answer

Maybe this link should help.


http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml


Also what we do is define a range of ports for passive ftp. For example 6000 to 6100.


So instead you use

access-list 100 permit tcp any host 192.168.1.100 gt 1023


You should use


access-list 100 permit tcp any host 192.168.1.100 range 6000 6100


But, in my opinion, from the server's view, active FTP is more secure than passive.


Hope this helps


Actions

This Discussion