ACL configuration

Unanswered Question
Feb 29th, 2012
User Badges:

Hi all,


I want to set ACL for both FTP servers so that both can act as FTP servers, can I set below ACL to acheive it ?


Below is the network topology


FTP server A (192.168.0.1)-->RouterA ---Wan link ----Router B ----FTP server B (192.168.1.1)


Router A ACL

permit tcp host 192.168.0.1 host 192.168.1.1 range 20 21

ip access-group LAN in


Router B ACL

permit tcp host 192.168.1.1 host 192.168.0.1 range 20 21

ip access-group LAN in

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
hobbe Mon, 03/05/2012 - 06:55
User Badges:
  • Gold, 750 points or more

Hi

First of all if possible do not use FTP, it is unsafe and a stupid protocol anyway you look at it.

Go with something like SFTP instead, that will make your life less vulnerable and configuration much easier.


Why not ftp ?

well first of all anyone on the way out can sniff your username and password since it is in cleartext. FTP is directly firewall hostile. and you do not know your data will be sent from A to B without information changing.

If possible do not use the standard SFTP port.

FTP needs to be looked at from the firewalls and routers with access-lists point of view, It needs some form of deep packet inspection or ALG to know what to open and how.


So do yourself a favour and use something different than FTP.

If nothing else it will make your configuration much easier. (no FTPS is not the answer)


If you need a reply ACL or not is entierly up to how you have setup your routers before.


Good luck


HTH

Jeff Van Houten Tue, 03/06/2012 - 20:38
User Badges:
  • Silver, 250 points or more

You need to look up the difference between active and passive FTP. That will make understanding your acl needs much clearer.


Sent from Cisco Technical Support iPad App

mikeburr1234 Wed, 04/11/2012 - 19:40
User Badges:

This is fine, but you also need the


no ip ftp passive


global configuration command on the client router. Overall I agree with the other suggestions that FTP is not the best protocol to use, something like SCP, SFTP, or enabling IPSec for the particular FTP traffic would be preferable.


Actions

This Discussion