
New Member

acl on 2851 router

Hi, I have problems with my ACL: I cannot get passive FTP to work. I can log in but I cannot see any folders inside the FTP site. In active mode there is no problem. The interface has static translation for the FTP server. Here is the ACL. Can anyone help? Thanks

access-list 112 permit tcp any host x.x.x.x eq ftp
access-list 112 permit tcp any host x.x.x.x eq ftp-data
access-list 112 permit tcp any eq ftp-data host x.x.x.x gt 1024

Accepted Solution
New Member

Re: acl on 2851 router

Your access-list is wrong. Here is the way things work with Active:

control channel
client:>1024 --> server:21

data channel
server:20 --> client:>1024

The active scenario you have covered...

But passive works like this:

control channel
client:>1024 --> server:21

data channel
client:>1024 --> server:>1024

The data channel is negotiated... no port 20 (if I remember correctly). To make this work for both active and passive, your ACL has to read:

access-list 112 permit tcp any host x.x.x.x eq ftp
access-list 112 remark FOR ACTIVE
access-list 112 permit tcp any eq ftp-data host x.x.x.x gt 1024
access-list 112 remark FOR PASSIVE
access-list 112 permit tcp any gt 1024 host x.x.x.x gt 1024
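
The following is an added example, not part of this thread and not Cisco code: a small evaluator for the extended-ACL subset used above (`permit`/`deny tcp`, `any`/`host`, `eq`/`gt`/`lt`/`range`, `remark`), applied first-match-wins with the implicit deny, so you can see which entry admits each FTP flow. It walks the packets a client sends toward the server, control channel and data channel in both modes, through the original poster's list, then through the same list with the accepted solution's passive entry appended, and finally through a narrowed variant. The addresses 203.0.113.10 (standing in for x.x.x.x) and 198.51.100.7, the client ports, the negotiated passive port 50000 and the pinned range 50000-50100 are all constructed for the example; nothing on the page states the server's passive range.

```python
"""Tiny evaluator for the Cisco extended-ACL subset used in this thread."""
from __future__ import annotations
from collections import namedtuple
from dataclasses import dataclass

SERVER = "203.0.113.10"  # constructed stand-in for the thread's x.x.x.x
CLIENT = "198.51.100.7"  # constructed FTP client
PORT_NAMES = {"ftp": 21, "ftp-data": 20}  # the named ports used on the page

Entry = namedtuple("Entry", "action src dst text")
Flow = namedtuple("Flow", "name src_ip src_port dst_ip dst_port")

@dataclass(frozen=True)
class Side:
    host: str | None       # None means "any"
    op: str | None         # eq / gt / lt / range, or None for "any port"
    lo: int | None = None
    hi: int | None = None  # only used by range

    def matches(self, addr: str, port: int) -> bool:
        if self.host is not None and self.host != addr:
            return False
        if self.op is None:
            return True
        if self.op == "eq":
            return port == self.lo
        if self.op == "gt":
            return port > self.lo
        if self.op == "lt":
            return port < self.lo
        return self.lo <= port <= self.hi  # range lo hi, inclusive

def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _parse_side(tokens: list[str], i: int) -> tuple[Side, int]:
    """Parse `any` or `host A.B.C.D`, then an optional port operator."""
    if tokens[i] == "any":
        host, i = None, i + 1
    elif tokens[i] == "host":
        host, i = tokens[i + 1], i + 2
    else:
        raise ValueError(f"unsupported address spec: {tokens[i]!r}")
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt"):
        return Side(host, tokens[i], _port(tokens[i + 1])), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return Side(host, "range", _port(tokens[i + 1]), _port(tokens[i + 2])), i + 3
    return Side(host, None), i

def parse_acl(text: str) -> list[Entry]:
    """Keep permit/deny tcp entries in order; skip blank lines and remarks."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        if tokens[2] not in ("permit", "deny") or tokens[3] != "tcp":
            raise ValueError(f"unsupported entry: {raw.strip()!r}")
        src, i = _parse_side(tokens, 4)
        dst, _ = _parse_side(tokens, i)
        entries.append(Entry(tokens[2], src, dst, " ".join(tokens)))
    return entries

def evaluate(entries: list[Entry], flow: Flow) -> tuple[str, str]:
    """First matching entry wins; no match is the implicit deny IOS appends."""
    for e in entries:
        if e.src.matches(flow.src_ip, flow.src_port) and e.dst.matches(flow.dst_ip, flow.dst_port):
            return e.action, e.text
    return "deny", "(implicit deny at end of list)"

# Packets arriving at the server, which is how the `host x.x.x.x` entries see them.
FLOWS = [
    Flow("control", CLIENT, 40000, SERVER, 21),            # client:>1024 -> server:21
    Flow("active-data", CLIENT, 40001, SERVER, 20),        # client's packets on the server:20 channel
    Flow("passive-data", CLIENT, 40002, SERVER, 50000),    # client:>1024 -> server:>1024
    Flow("other-high-port", CLIENT, 40003, SERVER, 8080),  # some unrelated service on the same host
]

ORIGINAL_ACL = f"""
access-list 112 permit tcp any host {SERVER} eq ftp
access-list 112 permit tcp any host {SERVER} eq ftp-data
access-list 112 permit tcp any eq ftp-data host {SERVER} gt 1024
"""
# The original list plus the accepted solution's passive entry.
BROAD_PASSIVE_ACL = ORIGINAL_ACL + f"""
access-list 112 remark FOR PASSIVE
access-list 112 permit tcp any gt 1024 host {SERVER} gt 1024
"""
# Same idea, narrowed to a pinned passive range (assumes the FTP daemon is set
# to hand out ports 50000-50100 only; that server setting is not on the page).
NARROW_PASSIVE_ACL = ORIGINAL_ACL + f"""
access-list 112 remark FOR PASSIVE, pinned data-port range
access-list 112 permit tcp any gt 1024 host {SERVER} range 50000 50100
"""

def decisions(acl_text: str) -> dict[str, str]:
    """Map each flow name to 'permit' or 'deny' under the given ACL."""
    entries = parse_acl(acl_text)
    return {f.name: evaluate(entries, f)[0] for f in FLOWS}
```

Calling `decisions(ORIGINAL_ACL)` reproduces the symptom in the question: the control channel is permitted (login works) but the negotiated passive data connection hits the implicit deny (no directory listing). With the accepted entry appended, `decisions(BROAD_PASSIVE_ACL)` permits the passive flow, but it also permits the unrelated high-port flow, because `any gt 1024 ... gt 1024` opens every port above 1024 on the server to every source port above 1024. The narrowed list keeps the passive fix while denying that flow; it only works if the FTP daemon's passive port range is actually pinned to match. The stateful alternative on IOS, CBAC `ip inspect` with FTP inspection or the later zone-based firewall, watches the control channel and admits only the data port that was negotiated, which avoids the static high-port entry altogether.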

4 REPLIES
New Member

Re: acl on 2851 router

Do you have the ACL applied in the right direction?

New Member

Re: acl on 2851 router

Yes the ACL is applied correctly because the FTP works when it is in active mode, but it doesn't work when it is in the passive mode.

New Member

Re: acl on 2851 router

It works, thanks for all the help!
