Cisco Support Community
New Member

ACL statement not working properly

I am working at a customer site today and have an issue with an FTP transfer. The user initiates an FTP transfer from his server to a public FTP site. He is able to login OK but then cannot list or transfer files.

We have an access-list on the VLAN that he is a member of. We know that the access-list is denying the connection attempt, as we can see it in the log. It matches the list statement 730 "deny ip any any log (748433 matches)", and then we see this in the log: "Aug 31 12:04:16.765: %SEC-6-IPACCESSLOGP: list LoSCADA-vlan104 denied tcp 66.112.157.210(20) -> 192.168.104.59(4534), 1 packets"

Here is the statement we have to permit this in the ACL itself:

"221 permit tcp host 66.112.157.210 host 192.168.104.59 eq ftp-data"

Here is the configured statement on the VLAN interface:

"ip access-group LoSCADA-vlan104 out".

I need help to figure out why my ACL statement is not correctly written. When I remove the ACL from the interface, the FTP transfer works.

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

Re: ACL statement not working properly

"denied tcp 66.112.157.210(20) -> 192.168.104.59(4534), "

"221 permit tcp host 66.112.157.210 host 192.168.104.59 eq ftp-data"

Perhaps try:

221 permit tcp host 66.112.157.210 eq ftp-data host 192.168.104.59

7 REPLIES
Hall of Fame Super Bronze

Re: ACL statement not working properly

In your ACL, you have 192.168.104.59 with the server port, but its role in your current task is not that of a server but of a client.

Your FTP server is initiating the transfer, so its function is that of an FTP client. The FTP client will use a random high port (1024 and above).

HTH,

__

Edison.
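Added example, not code from the thread or from Cisco: a small Python evaluator for the ACE syntax quoted on this page (host/any, eq, log) with IOS first-match semantics. It parses the logged %SEC-6-IPACCESSLOGP packet and shows why the port-20 data connection falls past the original line 221 to the deny at 730, but is permitted by the corrected line 221 from the accepted solution, as Edison's reply explains. The port-name table is an assumption covering only the two names used here.

```python
import re
from typing import NamedTuple, Optional

PORT_NAMES = {"ftp": 21, "ftp-data": 20}  # assumed table for the names used in the ACEs above

class Ace(NamedTuple):
    seq: int
    action: str
    src: Optional[str]    # None means 'any'
    sport: Optional[int]  # None means any source port
    dst: Optional[str]
    dport: Optional[int]
# 'host A' or 'any', optionally followed by 'eq PORT' that binds to that address
ADDR = r"(?:host\s+(\S+)|(any))(?:\s+eq\s+(\S+))?"
ACE_RE = re.compile(rf"^(\d+)\s+(permit|deny)\s+(?:tcp|ip)\s+{ADDR}\s+{ADDR}(?:\s+log)?$")
LOG_RE = re.compile(r"denied tcp ([\d.]+)\((\d+)\) -> ([\d.]+)\((\d+)\)")
def to_port(tok: Optional[str]) -> Optional[int]:
    return None if tok is None else PORT_NAMES.get(tok) or int(tok)

def parse_ace(line: str) -> Ace:
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    seq, action, sh, _, sp, dh, _, dp = m.groups()
    return Ace(int(seq), action, sh, to_port(sp), dh, to_port(dp))

def parse_log(line: str) -> tuple:
    """Extract (src, sport, dst, dport) from a %SEC-6-IPACCESSLOGP line."""
    s, sp, d, dp = LOG_RE.search(line).groups()
    return s, int(sp), d, int(dp)

def ace_matches(ace: Ace, src, sport, dst, dport) -> bool:
    return ((ace.src is None or ace.src == src) and (ace.sport is None or ace.sport == sport)
            and (ace.dst is None or ace.dst == dst) and (ace.dport is None or ace.dport == dport))

def first_match(acl, pkt) -> Ace:
    """IOS semantics: the lowest-sequence ACE that matches decides."""
    return next(a for a in sorted(acl, key=lambda a: a.seq) if ace_matches(a, *pkt))

# Values quoted in the thread: the logged data-connection packet and the ACL lines
LOG = ("Aug 31 12:04:16.765: %SEC-6-IPACCESSLOGP: list LoSCADA-vlan104 denied tcp "
       "66.112.157.210(20) -> 192.168.104.59(4534), 1 packets")
DENY_ALL = "730 deny ip any any log"
ORIGINAL = "221 permit tcp host 66.112.157.210 host 192.168.104.59 eq ftp-data"
FIXED = "221 permit tcp host 66.112.157.210 eq ftp-data host 192.168.104.59"

def decide(ace_line: str) -> tuple:
    hit = first_match([parse_ace(ace_line), parse_ace(DENY_ALL)], parse_log(LOG))
    return hit.seq, hit.action   # ORIGINAL -> (730, 'deny'), FIXED -> (221, 'permit')
```

The key point the two results make visible: `eq` qualifies the address it follows, so `eq ftp-data` after the destination host tests the client's port, which is the random high port (4534 here), not 20.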

Cisco Employee

Re: ACL statement not working properly

Hi,

Could you post the config of the ACL?

Thanks

Laurent.

New Member

Re: ACL statement not working properly

Yes and thanks for the help.

The ACL is attached.

Cisco Employee

Re: ACL statement not working properly

Hi,

I asked for the ACL just in case but the correct explanation has already been provided by Edison and Joseph.

Laurent.

New Member

Re: ACL statement not working properly

Hello,

Can you try

permit tcp any any established

Also, what about the FTP control port (21)?
