ACL statement not working properly

Answered Question
Aug 31st, 2009

I am working at a customer site today and have an issue with an FTP transfer. The user initiates an FTP transfer from his server to a public FTP site. He is able to log in OK but then cannot list or transfer files.

We have an access-list on the VLAN that he is a member of. We know that the access-list is denying the connection attempt, as we can see it in the log. It matches statement 730, "deny ip any any log (748433 matches)", and then we see this in the log: "Aug 31 12:04:16.765: %SEC-6-IPACCESSLOGP: list LoSCADA-vlan104 denied tcp ->, 1 packets"

Here is the statement we have to permit this in the ACL itself:

"221 permit tcp host host eq ftp-data"

Here is the configured statement on the VLAN interface:

"ip access-group LoSCADA-vlan104 out".

I need help to figure out why my ACL statement is not correctly written. When I remove the ACL from the interface, the FTP transfer works.

Edison Ortiz Mon, 08/31/2009 - 08:52

In your ACL, you have the server port, but your current task is not that of a server but of a client.

Your FTP server is initiating the transfer, so its function is that of an FTP client. The FTP client will use a random high port (1024 and above).

Correct Answer
Joseph W. Doherty Mon, 08/31/2009 - 08:53

"denied tcp ->, "

"221 permit tcp host host eq ftp-data"

Perhaps try:

221 permit tcp host eq ftp-data host

Laurent Aubert Mon, 08/31/2009 - 14:00
I asked for the ACL just in case but the correct explanation has already been provided by Edison and Joseph.
ozzyosbu1 Mon, 08/31/2009 - 22:27

Can you try

permit tcp any any established

Also, what about the FTP control port (21)?
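To make the direction and port point from the answers above concrete, here is an added Python model of how an extended ACL is evaluated against the traffic that an `out` ACL on the VLAN interface actually sees (packets leaving the switch toward the client). It is not part of the thread or of any Cisco tool. The addresses are constructed (10.104.0.50 for the client on VLAN 104, 203.0.113.10 for the public FTP server) because the original post's IPs did not survive, and it assumes the two hosts in the posted entry 221 were in server, client order so that the only difference from Joseph's fix is which side `eq ftp-data` applies to. It also runs ozzyosbu1's `permit tcp any any established` against the same packets.

```python
"""Minimal model of Cisco IOS extended ACL matching (added example).

Models only 'permit|deny tcp <src> [eq sport] <dst> [eq dport] [established]'
lines; every entry is TCP, so the protocol keyword is left implicit.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

FTP_CTRL, FTP_DATA = 21, 20

# Constructed addresses: the original post's IPs were lost in extraction.
CLIENT = "10.104.0.50"    # host on VLAN 104 running the FTP client
SERVER = "203.0.113.10"   # public FTP server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False     # TCP ACK (or RST) set: the bit 'established' tests


@dataclass(frozen=True)
class Entry:
    action: str                    # "permit" or "deny"
    src: str                       # 'any', 'host A.B.C.D' or 'A.B.C.D/len'
    dst: str
    sport: Optional[int] = None    # 'eq' after the source address
    dport: Optional[int] = None    # 'eq' after the destination address
    established: bool = False

    @staticmethod
    def _addr_match(spec: str, addr: str) -> bool:
        if spec == "any":
            return True
        if spec.startswith("host "):
            return ip_address(addr) == ip_address(spec.split()[1])
        return ip_address(addr) in ip_network(spec, strict=False)

    def matches(self, p: Packet) -> bool:
        return (self._addr_match(self.src, p.src)
                and self._addr_match(self.dst, p.dst)
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport)
                and (not self.established or p.ack))


def evaluate(acl: list, pkt: Packet) -> str:
    """First matching entry wins; falling off the end is the implicit deny."""
    for e in acl:
        if e.matches(pkt):
            return e.action
    return "deny"


# Packets an 'ip access-group ... out' on the VLAN interface inspects, i.e.
# server -> client. Both constructed for this example.
# 1. A reply on the control channel the client opened from port 50000 to 21.
ctrl_reply = Packet(SERVER, CLIENT, FTP_CTRL, 50000, ack=True)
# 2. Active-mode data connection: the server opens it from port 20 to the
#    high port the client announced with PORT, so its first packet is a
#    SYN with ACK clear.
data_syn = Packet(SERVER, CLIENT, FTP_DATA, 4711)

DENY_ALL = Entry("deny", "any", "any")            # '730 deny ip any any log'

# Entry 221 as posted: 'eq ftp-data' follows the second host, so it tests
# the destination port. Host order is an assumption (see lead-in).
ORIGINAL = [Entry("permit", f"host {SERVER}", f"host {CLIENT}",
                  dport=FTP_DATA), DENY_ALL]
# Joseph's fix: 'eq ftp-data' follows the first host -> source port 20.
FIXED = [Entry("permit", f"host {SERVER}", f"host {CLIENT}",
               sport=FTP_DATA), DENY_ALL]
# ozzyosbu1's suggestion: match only packets with ACK or RST set.
ESTABLISHED = [Entry("permit", "any", "any", established=True), DENY_ALL]


def verdicts(acl: list) -> dict:
    """Action each ACL takes on the control reply and on the data SYN."""
    return {"ctrl_reply": evaluate(acl, ctrl_reply),
            "data_syn": evaluate(acl, data_syn)}


if __name__ == "__main__":
    for name, acl in (("original 221", ORIGINAL), ("fixed 221", FIXED),
                      ("established", ESTABLISHED)):
        print(f"{name:13} {verdicts(acl)}")
```

The original entry never matches the data SYN because that packet's destination port is the client's random high port, not 20, so it falls through to statement 730 and gets logged. Moving `eq ftp-data` to the source side matches it. The `established` line permits the control-channel reply (ACK set) but still denies the active-mode data SYN, because the server originates that connection and its first segment carries no ACK; it would only help if the client used passive mode, where the client opens the data connection and the server's packets back are all ACKs.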