10-12-2007 12:10 PM - edited 03-11-2019 04:24 AM
Hi, I have problems with my ACL: I cannot get passive FTP to work. I can log in but I cannot see any folders inside the FTP site. In active mode there is no problem. The interface has static translation for the FTP server. Here is the ACL. Can anyone help? Thanks
access-list 112 permit tcp any host x.x.x.x eq ftp
access-list 112 permit tcp any host x.x.x.x eq ftp-data
access-list 112 permit tcp any eq ftp-data host x.x.x.x gt 1024
10-12-2007 02:56 PM
Your access-list is wrong. Here is the way things work with Active:
control channel
client:>1024 --> server:21
data channel
server:20 --> client:>1024
The active scenario you have covered...
But passive works like this:
control channel
client:>1024 --> server:21
data channel
client:>1024 --> server:>1024
The data channel is negotiated... no port 20 (if I remember correctly). To make this work for both active and passive, your ACL has to read:
access-list 112 permit tcp any host x.x.x.x eq ftp
access-list 112 remark FOR ACTIVE
access-list 112 permit tcp any eq ftp-data host x.x.x.x gt 1024
access-list 112 remark FOR PASSIVE
access-list 112 permit tcp any gt 1024 host x.x.x.x gt 1024
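To see exactly which flows each version of the ACL lets through, here is an added example (not code from the thread) that parses the access-list 112 lines quoted above and evaluates them against the control channel and the passive data channel the answer draws; the client address and high ports are constructed, and x.x.x.x is kept as the thread's placeholder for the server.

```python
# Added example, not from the thread: evaluate both versions of access-list 112
# against FTP flows. Only the ACE forms used in the thread are parsed.
import re

SERVER = "x.x.x.x"  # the thread's placeholder for the server's NAT address
PORT_NAMES = {"ftp": 21, "ftp-data": 20}
ORIGINAL_ACL = [  # the poster's ACL
    "access-list 112 permit tcp any host x.x.x.x eq ftp",
    "access-list 112 permit tcp any host x.x.x.x eq ftp-data",
    "access-list 112 permit tcp any eq ftp-data host x.x.x.x gt 1024",
]
FIXED_ACL = [  # the accepted answer's ACL
    "access-list 112 permit tcp any host x.x.x.x eq ftp",
    "access-list 112 remark FOR ACTIVE",
    "access-list 112 permit tcp any eq ftp-data host x.x.x.x gt 1024",
    "access-list 112 remark FOR PASSIVE",
    "access-list 112 permit tcp any gt 1024 host x.x.x.x gt 1024",
]
ACE_RE = re.compile(
    r"access-list \d+ permit tcp (?P<src>any|host \S+)(?: (?P<sop>eq|gt|lt) (?P<sport>\S+))?"
    r" (?P<dst>any|host \S+)(?: (?P<dop>eq|gt|lt) (?P<dport>\S+))?$"
)

def _addr_ok(spec, ip):
    return spec == "any" or spec == f"host {ip}"

def _port_ok(op, spec, port):
    if op is None:  # no operator means any port
        return True
    want = PORT_NAMES.get(spec) or int(spec)
    return {"eq": port == want, "gt": port > want, "lt": port < want}[op]

def permitted(acl, src_ip, src_port, dst_ip, dst_port):
    """First matching permit ACE wins; no match means the implicit deny."""
    for line in acl:
        m = ACE_RE.match(line)
        if not m:  # remark lines (and anything unparsed) never match
            continue
        g = m.groupdict()
        if (_addr_ok(g["src"], src_ip) and _port_ok(g["sop"], g["sport"], src_port)
                and _addr_ok(g["dst"], dst_ip) and _port_ok(g["dop"], g["dport"], dst_port)):
            return True
    return False

# Constructed flows toward the server, matching the answer's diagrams.
CONTROL = ("198.51.100.7", 40000, SERVER, 21)          # client:>1024 -> server:21
PASSIVE_DATA = ("198.51.100.7", 40001, SERVER, 50000)  # client:>1024 -> server:>1024
if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(name, "control:", permitted(acl, *CONTROL), "passive:", permitted(acl, *PASSIVE_DATA))
```

The evaluator also shows that the FOR PASSIVE rule permits any high source port to every port above 1024 on the server, not only the negotiated data port, so anything else listening on a high port behind that address is reachable too; restricting the rule to the FTP server's configured passive port range (an option most FTP daemons offer) is the usual way to narrow it.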
10-12-2007 12:41 PM
Do you have the ACL applied in the right direction?
10-12-2007 01:17 PM
Yes the ACL is applied correctly because the FTP works when it is in active mode, but it doesn't work when it is in the passive mode.
10-15-2007 07:30 AM
It works, thanks for all the help!