FTP ACL on Router

Hello,

I'm trying to set up a simple ACL on a router to allow only certain external IP addresses to access our internal FTP server but it doesn't seem to allow any connections. When I take the ACL off, then FTP connections are allowed without any problems. I don't know what I'm missing. I added every possible "permit any any eq ftp" I could think of. Thanks for any help.

access-list 121 permit tcp any any established
access-list 121 permit tcp host x.x.x.x host 192.168.0.5 eq ftp
access-list 121 permit tcp host x.x.x.x host 192.168.0.5 eq ftp
access-list 121 permit tcp host x.x.x.x host 192.168.0.5 eq ftp
access-list 121 permit tcp host x.x.x.x host 192.168.0.5 eq ftp
access-list 121 permit tcp host x.x.x.x host 192.168.0.5 eq ftp
access-list 121 permit tcp host x.x.x.x host 192.168.0.5 eq ftp
access-list 121 permit tcp host x.x.x.x host 192.168.0.5 eq ftp
access-list 121 permit tcp host x.x.x.x host 192.168.0.5 eq ftp
access-list 121 permit tcp host x.x.x.x host 192.168.0.5 eq ftp
access-list 121 permit tcp host x.x.x.x host 192.168.0.5 eq ftp
access-list 121 permit tcp host x.x.x.x host 192.168.0.5 eq ftp
access-list 121 permit tcp host x.x.x.x host 192.168.0.5 eq ftp
access-list 121 permit tcp host x.x.x.x host 192.168.0.5 eq ftp
access-list 121 deny tcp any any eq ftp
access-list 121 deny tcp any any eq ftp-data
access-list 121 deny tcp any any eq ftp-data established
access-list 121 permit udp any any eq isakmp
access-list 121 permit udp any any eq non500-isakmp
access-list 121 permit udp any any eq 10000
access-list 121 permit tcp any any eq 1723
access-list 121 permit ahp any any
access-list 121 permit esp any any
access-list 121 permit gre any any
access-list 121 permit icmp any any echo
access-list 121 permit icmp any any echo-reply
access-list 121 permit tcp any any eq www
access-list 121 permit tcp any any eq 443
access-list 121 permit tcp any any eq smtp
access-list 121 permit tcp any any eq domain
access-list 121 permit udp any any eq domain
access-list 121 permit tcp any host 192.168.0.5 gt 1024
access-list 121 permit tcp any any gt 1024
access-list 121 permit udp any any

5 REPLIES

Re: FTP ACL on Router

Hi,

FTP sometimes is unpredictable and so depending on the type of access (passive, active) you will need to specifically allow the port being used for data transfer. I suggest you identify what that port or port range is by consulting your FTP client documentation and also consult your FTP server setup. A firewall will know how to handle that but in a router you might need to add a second entry allowing the ftp-data port as well.

I hope it helps.. please rate if it does!!

Re: FTP ACL on Router

It sounds like the client might be doing Passive FTP. Try adding this line before the deny statements.

access-list 121 permit tcp host x.x.x.x host 192.168.0.5 gt 1024

HTH

Sundar

Re: FTP ACL on Router

We are using IIS 6.0 for FTP. My ACL already does have both ftp and ftp-data permit statements. I'm not sure what else to try.

Re: FTP ACL on Router

When I do a "sh access-list 121", this is what I get back. So, the "deny any any eq ftp" statement is still blocking access to our FTP server even though I have permit statements before the deny statements. I don't understand.

380 permit tcp host x.x.x.x host 192.168.0.5 eq ftp
390 permit tcp host x.x.x.x host 192.168.0.5 eq ftp-data
400 permit tcp host x.x.x.x host 192.168.0.5 eq ftp-data established
410 permit tcp any any gt 1024
420 deny tcp any any eq ftp (18 matches)
430 deny tcp any any eq ftp-data
440 deny tcp any any eq ftp-data established
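An added illustration of the first-match behaviour behind the counters above (example code, not from this thread or from Cisco): a small evaluator for the tcp subset of IOS extended ACL syntax used here, with 203.0.113.10 and 198.51.100.7 as constructed stand-ins for the redacted x.x.x.x. A hit on the "deny tcp any any eq ftp" entry means the packet matched none of the permits listed before it, so the counter alone does not tell you which source sent it.

```python
# Cisco-style extended ACL evaluation: entries are tested top to bottom, first match wins,
# and an unmatched packet falls through to the implicit deny at the end.
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "www": 80, "smtp": 25, "domain": 53}

def parse_ace(line):
    """Parse 'access-list N permit|deny tcp SRC DST [eq|gt PORT] [established]'."""
    toks = line.split()
    if toks[3] != "tcp":
        raise ValueError("only tcp entries are handled: " + line)
    ends, i = [], 4
    for _ in range(2):  # source, then destination: 'any' (stored as None) or 'host A.B.C.D'
        if toks[i] == "host":
            ends.append(toks[i + 1])
            i += 2
        elif toks[i] == "any":
            ends.append(None)
            i += 1
        else:
            raise ValueError("unsupported address form: " + toks[i])
    op = port = None
    if i < len(toks) and toks[i] in ("eq", "gt"):
        op, port = toks[i], PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
        i += 2
    return {"line": line, "action": toks[2], "src": ends[0], "dst": ends[1],
            "op": op, "port": port, "established": "established" in toks[i:]}

def matches(ace, pkt):
    """pkt: src, dst, dport, ack (True when ACK/RST is set, i.e. not the opening SYN)."""
    if ace["src"] not in (None, pkt["src"]) or ace["dst"] not in (None, pkt["dst"]):
        return False
    if ace["op"] == "eq" and pkt["dport"] != ace["port"]:
        return False
    if ace["op"] == "gt" and pkt["dport"] <= ace["port"]:
        return False
    return pkt["ack"] or not ace["established"]

def evaluate(acl, pkt):
    """Return (action, matching line) for the first entry the packet hits."""
    for ace in acl:
        if matches(ace, pkt):
            return ace["action"], ace["line"]
    return "deny", "implicit deny"

# Constructed stand-in for the thread's ACL; 203.0.113.10 replaces the redacted x.x.x.x.
ACL = [parse_ace(l) for l in [
    "access-list 121 permit tcp any any established",
    "access-list 121 permit tcp host 203.0.113.10 host 192.168.0.5 eq ftp",
    "access-list 121 permit tcp host 203.0.113.10 host 192.168.0.5 eq ftp-data",
    "access-list 121 permit tcp any host 192.168.0.5 gt 1024",
    "access-list 121 deny tcp any any eq ftp",
    "access-list 121 deny tcp any any eq ftp-data",
]]
```

Note that a "permit tcp any host 192.168.0.5 gt 1024" entry admits any source to every high port on the server, not just the passive data range, so it is wider than the passive-mode fix needs.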

Re: FTP ACL on Router

Is this router CBAC enabled? Have you checked for FTP inspect traffic?
