Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
556
Views
0
Helpful
7
Replies

ACL statement not working properly

Go to solution
Kevin Melton
Level 2
Level 2

‎08-31-2009 08:27 AM - edited ‎03-06-2019 07:31 AM

I am working at a customer site today and have an issue with an FTP transfer. The user initiates an FTP transfer from his server to a public FTP site. He is able to login OK but then cannot list or transfer files.

We have an Access-list on the VLAN that he is a member of. We know that the Access-list is denying the connection attempt as we can see it in the log. It matches the list statement which is 730 "deny ip any any log (748433 matches)" and then we see this is the log "Aug 31 12:04:16.765: %SEC-6-IPACCESSLOGP: list LoSCADA-vlan104 denied tcp 66.112.157.210(20) -> 192.168.104.59(4534), 1 packets"

Here is the statement we have to permit this in the ACL itself:

"221 permit tcp host 66.112.157.210 host 192.168.104.59 eq ftp-data"

Here is the configured statement on the VLAN interface:

"ip access-group LoSCADA-vlan104 out".

I need help to figure out why my ACL statement is not correctly written. When I remove the ACL from the interface, the FTP transfer works.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame

‎08-31-2009 08:53 AM

"denied tcp 66.112.157.210(20) -> 192.168.104.59(4534), "

"221 permit tcp host 66.112.157.210 host 192.168.104.59 eq ftp-data"

Perhaps try:

221 permit tcp host 66.112.157.210 eq ftp-data host 192.168.104.59

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Edison Ortiz
Hall of Fame
Hall of Fame

‎08-31-2009 08:52 AM

In your ACL, you have 192.168.104.59 with the server port but your current task is not of a server but of a client.

Your FTP server is initiating the transfer so its function is of a FTP client. FTP client will use a random high port (1024 and above).

HTH,

__

Edison.

0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame

‎08-31-2009 08:53 AM

"denied tcp 66.112.157.210(20) -> 192.168.104.59(4534), "

"221 permit tcp host 66.112.157.210 host 192.168.104.59 eq ftp-data"

Perhaps try:

221 permit tcp host 66.112.157.210 eq ftp-data host 192.168.104.59

0 Helpful

Go to solution
Laurent Aubert
Cisco Employee
Cisco Employee

‎08-31-2009 09:02 AM

Hi,

Could you post the config of the ACL ?

Thanks

Laurent.

0 Helpful

Go to solution
Laurent Aubert
Cisco Employee
Cisco Employee

‎08-31-2009 09:06 AM

Hi,

Could you post the config of the ACL ?

Thanks

Laurent.

0 Helpful

Go to solution
Kevin Melton
Level 2
Level 2
In response to Laurent Aubert

‎08-31-2009 10:13 AM

Yes and thanks for the help.

The ACL is attached.

Preview file
6 KB
0 Helpful

Go to solution
Laurent Aubert
Cisco Employee
Cisco Employee
In response to Kevin Melton

‎08-31-2009 02:00 PM

Hi,

I asked for the ACL just in case but the correct explanation has already been provided by Edison and Joseph.

Laurent.

0 Helpful

Go to solution
ozzyosbu1
Level 1
Level 1
In response to Laurent Aubert

‎08-31-2009 10:27 PM

hello

can u try

permit tcp any any established

also what about ftp control port (21)

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card