FTP and access lists

tkatsiaounis
Level 1

Hello, I have the following problem. I want to enable my internal LAN users to have access to FTP servers on the internet. I have created a set of access lists

access-list 100 permit tcp any any eq ftp

access-list 100 permit tcp any any eq ftp-data

and my users can connect to the FTP login, BUT when the list command is issued the connection fails. I have logged my access list output

SEC-6-IPACCESSLOGP list 100 denied tcp 192.168.100.11(50493) -> 147.102.222.211(26884), 1 packet

and I can see that FTP automatically changes the port. How can I make it work?? I have an idea to enable traffic inspection, but can I do that on a Catalyst 4507 R-E with Supervisor Engine V and Enterprise Services 12.2 IOS??? I have tried to create a class map, but on the match statements the ftp or port statement is missing. Is that an IOS issue??

Anything I can do to solve the issue is very welcome.

Thanks a lot for your help.

2 Accepted Solutions

Bert Gevers
Cisco Employee

Hi,

This issue is very likely caused by passive FTP.

When active FTP is used, the clients connect to ports 20 and 21 of the FTP server.

With passive FTP, the data connection will be made between two ports > 1023.

Basically, with an ACL, the only way to get around this would be by allowing:

permit tcp any any range 1023 65535

As you will understand, this will allow any TCP connection on ports > 1023.

On the Catalyst 4507 R-E, I do not believe there is a way to specifically allow passive FTP and block other traffic.

HTH,

Bert


Ganesh Hariharan
VIP Alumni

Hi,

As per the logs, it seems that the FTP negotiation is using ports greater than 1023 after authentication; try the ACL below:

access-list 102 permit tcp any any eq 21
access-list 102 permit tcp any eq ftp-data any gt 1023

Hope to help!!

Ganesh.H

As Bert has already stated; the reason I was late with my reply ... that's why it was duplicated. 5 points to Bert!!
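As an added illustration, not code from the thread or from Cisco: the Python below decodes the port a server announces in its 227 PASV reply and evaluates the three ACLs discussed above (the original ACL 100, Bert's range ACE, and Ganesh's ACL 102) against the flow in the logged deny, first-match and stateless like an IOS extended ACL. The PASV reply is a constructed sample chosen to yield the logged port 26884, and address matching is simplified to `any` since that is all the thread's ACEs use.

```python
import re
# Constructed sample input: the flow from the deny logged in the thread, plus a
# hypothetical 227 reply negotiating that same data port (105*256 + 4 = 26884).
LOGGED_FLOW = ("192.168.100.11", 50493, "147.102.222.211", 26884)
PASV_REPLY = "227 Entering Passive Mode (147,102,222,211,105,4)"
PORT_NAMES = {"ftp": 21, "ftp-data": 20}   # IOS port keywords used in the thread

def pasv_data_port(reply):
    """Decode the server data endpoint from a 227 PASV reply (RFC 959 encoding)."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m: raise ValueError("not a 227 PASV reply")
    g = m.groups()
    return ".".join(g[:4]), int(g[4]) * 256 + int(g[5])

def _port_match(op, args, port):        # one IOS port operator; None matches any port
    if op is None:
        return True
    if op == "range":
        return args[0] <= port <= args[1]
    return {"eq": port == args[0], "gt": port > args[0], "lt": port < args[0]}[op]

def parse_ace(line):
    """Parse 'access-list N <action> tcp <src> [op ports] <dst> [op ports]'.
    Addresses are assumed to be 'any', as in every ACE quoted in the thread."""
    toks = line.split()
    action, rest, ends = toks[2], toks[4:], []    # skip 'access-list N' and 'tcp'
    for _ in range(2):
        rest.pop(0)                                # the 'any' address
        op, args = None, ()
        if rest and rest[0] in ("eq", "gt", "lt", "range"):
            op = rest.pop(0)
            raw = [rest.pop(0) for _ in range(2 if op == "range" else 1)]
            args = tuple(PORT_NAMES.get(t) or int(t) for t in raw)
        ends.append((op, args))
    return action, ends

def acl_verdict(acl, flow):
    """First-match evaluation with the implicit deny at the end of an IOS ACL."""
    _, sport, _, dport = flow
    for line in acl:
        action, ((sop, sargs), (dop, dargs)) = parse_ace(line)
        if _port_match(sop, sargs, sport) and _port_match(dop, dargs, dport):
            return action
    return "deny"

ACL_100 = ["access-list 100 permit tcp any any eq ftp",
           "access-list 100 permit tcp any any eq ftp-data"]
ACL_RANGE = ACL_100 + ["access-list 100 permit tcp any any range 1023 65535"]  # Bert's ACE
ACL_102 = ["access-list 102 permit tcp any any eq 21",
           "access-list 102 permit tcp any eq ftp-data any gt 1023"]  # Ganesh's ACL
```

Running `acl_verdict(ACL_102, LOGGED_FLOW)` returns "deny": the second ACE of ACL 102 matches only a source port of 20, which is the active-mode data connection, while the passive-mode data flow in the log leaves the client from an ephemeral port and only the range ACE permits it.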
