Cisco Support Community
FTP and access lists

Hello, I have the following problem. I want to enable my internal LAN users to have access to FTP servers on the internet. I have created a set of access lists

access-list 100 permit tcp any any eq ftp

access-list 100 permit tcp any any eq ftp-data

and my users can connect to the FTP login, BUT when the list command is issued the connection fails. I have logged my access list output:

SEC-6-IPACCESSLOGP list 100 denied tcp 192.168.100.11(50493) -> 147.102.222.211(26884), 1 packet

and I can see that FTP automatically changes the port. How can I make it work?? I have an idea to enable traffic inspection, but can I do that on a Catalyst 4507 R-E with Supervisor Engine V and Enterprise Services 12.2 IOS??? I have tried to create a class map, but in the match statements the ftp or port statement is missing. Is that an IOS issue??

Anything I can do to solve the issue is very welcome.

Thanks a lot for your help.

Accepted Solutions
Cisco Employee

Re: FTP and access lists

Hi,


This issue is very likely caused by passive FTP.

When active FTP is used, the clients connect to ports 20 and 21 of the FTP server.

With passive FTP, the data connection will be made between 2 ports > 1023.

Basically, with an ACL, the only way to get around this would be by allowing:

permit tcp any any range 1023 65535

As you will understand, this will allow any TCP connection on ports > 1023.

On the Catalyst 4507 R-E, I do not believe there is a way to specifically allow passive FTP and block other traffic.

HTH,

Bert
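The port change visible in the log line is the passive-mode data port that the server announces in its 227 reply on the control channel (port 21), which is why an ACL keyed only to ports 20 and 21 never matches the data connection. The Python below is an added example, not code from the thread or from Cisco: it decodes a PASV reply, parses IPACCESSLOGP lines like the one quoted in the question, and labels each deny that targets the negotiated port. The sample reply and log lines are constructed, chosen so that the decoded port is the 26884 seen in the question; the function and variable names are this example's own.

```python
import re

# Constructed sample (not from the thread): the 227 reply an FTP server sends
# on the control channel when the client asks for passive mode. The six
# numbers are the server IP (first four) and the data port as high byte,
# low byte. Chosen so the port equals the denied destination port below.
PASV_REPLY = "227 Entering Passive Mode (147,102,222,211,105,4)\r\n"

# Constructed sample log lines in the IOS %SEC-6-IPACCESSLOGP format,
# modelled on the single line quoted in the question.
LOG_LINES = [
    "%SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.100.11(50480)"
    " -> 147.102.222.211(21), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.100.11(50493)"
    " -> 147.102.222.211(26884), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.100.11(50501)"
    " -> 147.102.222.211(443), 1 packet",
]

PASV_RE = re.compile(r"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)


def parse_pasv(reply):
    """Return (host, port) advertised in a 227 PASV reply, or None."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    h1, h2, h3, h4, p_hi, p_lo = (int(x) for x in m.groups())
    # The port is sent as two bytes: high * 256 + low.
    return f"{h1}.{h2}.{h3}.{h4}", p_hi * 256 + p_lo


def parse_acl_log(line):
    """Pull the ACL name, action and 5-tuple out of an IPACCESSLOGP line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify_denies(pasv_reply, log_lines):
    """Label each denied TCP flow: the passive data channel negotiated in
    `pasv_reply`, an unexplained flow between two high ports, or other."""
    pasv = parse_pasv(pasv_reply)
    findings = []
    for line in log_lines:
        rec = parse_acl_log(line)
        if rec is None or rec["action"] != "denied" or rec["proto"] != "tcp":
            continue
        if pasv and (rec["dst"], rec["dport"]) == pasv:
            rec["reason"] = "passive-ftp-data"
        elif rec["sport"] > 1023 and rec["dport"] > 1023:
            rec["reason"] = "high-port-unknown"
        else:
            rec["reason"] = "other"
        findings.append(rec)
    return findings


if __name__ == "__main__":
    for f in classify_denies(PASV_REPLY, LOG_LINES):
        print(f'{f["src"]}:{f["sport"]} -> {f["dst"]}:{f["dport"]}  {f["reason"]}')
```

Run against a real control-channel capture and the switch's ACL log, the "passive-ftp-data" label tells you which denies are the FTP data channel and which are unrelated high-port traffic, so the decision to open a port range like the one above is made on evidence rather than by opening everything above 1023 and hoping.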

Re: FTP and access lists

Hello, I have the following problem. I want to enable my internal LAN users to have access to FTP servers on the internet. I have created a set of access lists

access-list 100 permit tcp any any eq ftp

access-list 100 permit tcp any any eq ftp-data

and my users can connect to the FTP login, BUT when the list command is issued the connection fails. I have logged my access list output:

SEC-6-IPACCESSLOGP list 100 denied tcp 192.168.100.11(50493) -> 147.102.222.211(26884), 1 packet

and I can see that FTP automatically changes the port. How can I make it work?? I have an idea to enable traffic inspection, but can I do that on a Catalyst 4507 R-E with Supervisor Engine V and Enterprise Services 12.2 IOS??? I have tried to create a class map, but in the match statements the ftp or port statement is missing. Is that an IOS issue??

Anything I can do to solve the issue is very welcome.

Thanks a lot for your help.


Hi,

As per the logs it seems that the FTP negotiation is using ports greater than 1023 after authentication; try with the below ACL:

access-list 102 permit tcp any any eq 21
access-list 102 permit tcp any eq ftp-data any gt 1023

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

As Bert has already stated; the reason I was late with my reply... that's why it was duplicated. 5 points to Bert!!

