Extended ACL and FTP

Answered Question
May 7th, 2009
User Badges:

We have adjusted our ACL and removed permitting tcp any any gt 1023 and replaced it with the any any established command but this broke ftp. The ACL is applied out on the ethernet interface into the local network. How do I securely add FTP?

permit tcp any any established


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Jon Marshall Thu, 05/07/2009 - 12:08
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN


Do you know whether it is active or passive FTP. If active then the FTP server makes a new connection back to the client which would be allowed by tcp any any gt 1023 but not by any any established.

Is the device you have the acl on a router or firewall ?


Correct Answer

Maybe this link should help.


Also what we do is define a range of ports for passive ftp. For example 6000 to 6100.

So instead you use

access-list 100 permit tcp any host gt 1023

You should use

access-list 100 permit tcp any host range 6000 6100

But, in my opinion, from the server's view, active FTP is more secure than passive.

Hope this helps


This Discussion