
New Member

ftp-firewall

I have a router that I would like to configure as an "ftp-firewall". That means I want to allow just FTP traffic to and from a network to an FTP server (10.1.1.5).

What would that config look like?

I have maybe done something wrong, because when I do a "dir" or try to download a file from the FTP server, it all hangs...

2 REPLIES
New Member

Re: ftp-firewall

Hi

You have to define the access list and bind it to the proper interface, like this.

Internet---- (ser0)[Router](fast0)--- ftp server

Now we define the access list; it should be an extended access list:

conf t

access-list 100 permit tcp any host 10.1.1.5 eq ftp

access-list 100 permit tcp host 10.1.1.5 any eq ftp

access-list 100 deny ip any any

Now we bind it to the serial interface inbound.

interface s0

ip access-group 100 in

That's all.

Best Regards Bahman Mozaffari.

Gold

Re: ftp-firewall

FTP can be in either passive or active mode. You configure a router differently depending on which mode you are using.

In active mode, the FTP server initiates the data connection.

In passive mode, the FTP client initiates both connections to the server.

Good explanation of active & passive:

http://slacksite.com/other/ftp.html

If you are using FTP in passive mode, the ACL should be the following.

From the CLIENT side:

access-list 101 permit tcp any gt 1023 host 10.1.1.5 eq 21

access-list 101 deny ip any any

From the SERVER side:

access-list 102 permit tcp host 10.1.1.5 eq 21 any gt 1023

access-list 102 permit tcp host 10.1.1.5 gt 1023 any gt 1023

access-list 102 deny ip any any

m.
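As an added illustration (not code from the original thread or from Cisco), the following Python model applies Cisco first-match ACL semantics to the passive-mode lists 101 and 102 above and traces both the control connection and the passive data connection through them. The client address and port numbers are constructed for the example.

```python
# Added example: a minimal model of Cisco extended-ACL matching (first match
# wins, implicit deny at the end), used to trace passive-mode FTP flows through
# access lists 101 and 102 from the reply above. Constructed for illustration.
from typing import List, Tuple

Packet = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)

def _port_match(spec: str, port: int) -> bool:
    # spec is "any", "eq N" or "gt N" (the operators used in the lists above)
    if spec == "any":
        return True
    op, n = spec.split()
    return port == int(n) if op == "eq" else port > int(n)

def _host_match(spec: str, ip: str) -> bool:
    return spec == "any" or spec == ip

def evaluate_acl(acl: List[Tuple[str, str, str, str, str]], pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt using first-match semantics.

    Each entry is (action, src_host, src_port_spec, dst_host, dst_port_spec);
    every entry is treated as TCP, as in the lists on the page.
    """
    src_ip, src_port, dst_ip, dst_port = pkt
    for action, s_host, s_port, d_host, d_port in acl:
        if (_host_match(s_host, src_ip) and _port_match(s_port, src_port)
                and _host_match(d_host, dst_ip) and _port_match(d_port, dst_port)):
            return action
    return "deny"  # implicit deny at the end of every Cisco ACL

# The two lists from the reply, transcribed entry by entry.
ACL_101 = [("permit", "any", "gt 1023", "10.1.1.5", "eq 21"),
           ("deny", "any", "any", "any", "any")]
ACL_102 = [("permit", "10.1.1.5", "eq 21", "any", "gt 1023"),
           ("permit", "10.1.1.5", "gt 1023", "any", "gt 1023"),
           ("deny", "any", "any", "any", "any")]

CLIENT = "192.0.2.10"  # constructed client address (documentation range)

def trace_passive_ftp() -> dict:
    """Evaluate each direction of a passive FTP session against its list."""
    return {
        "control client->server": evaluate_acl(ACL_101, (CLIENT, 40000, "10.1.1.5", 21)),
        "control server->client": evaluate_acl(ACL_102, ("10.1.1.5", 21, CLIENT, 40000)),
        "data client->server": evaluate_acl(ACL_101, (CLIENT, 40001, "10.1.1.5", 50000)),
        "data server->client": evaluate_acl(ACL_102, ("10.1.1.5", 50000, CLIENT, 40001)),
    }
```

Running the trace shows that list 101 as posted permits only the control connection: the client's passive data connection to a server port above 1023 falls through to the deny entry and would need its own permit line (or a stateful mechanism such as `established`) before transfers succeed.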
