Cisco Support Community

New Member


I have a router that I would like to configure as an "ftp-firewall". That means I want to allow just FTP traffic to and from a network to an FTP server.

What would that config look like?

I have maybe done something wrong because when I do a "dir" or try to download a file from the FTP server, it all hangs...

New Member

Re: ftp-firewall


You have to define the access list and bind it to the proper interface, like this.

Internet---- (ser0)[Router](fast0)--- ftp server

Now we define the access list; it should be an extended access list:

conf t

access-list 100 permit tcp any host eq ftp

access-list 100 permit tcp host any eq ftp

access-list 100 deny ip any any

Now we bind it to the serial interface, inbound.

interface s0

ip access-group 100 in

That's all.

Best Regards Bahman Mozaffari.


Re: ftp-firewall

FTP can be in either passive or active mode. You configure the router differently depending on which mode you are using.

In active mode, the FTP server initiates the data connection.

In passive mode, the FTP client initiates both connections to the server.

Good explanation of active & passive

If you are using FTP in passive mode, the ACL should be the following:

From the CLIENT side:

access-list 101 permit tcp any gt 1023 host eq 21

access-list 101 deny ip any any

From the SERVER side:

access-list 102 permit tcp host eq 21 any gt 1023

access-list 102 permit tcp host gt 1023 any gt 1023

access-list 102 deny ip any any
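As an added example that is not part of either reply above (and not Cisco code), here is a small Python model of how an extended ACL applied inbound on s0 treats the control and data flows of one FTP session, in active and in passive mode. It reproduces the first reply's ACL 100 (the host address that is missing from the thread's lines is filled with an assumed server address) next to one ACL written for passive mode and one for active mode. The addresses 192.0.2.10 (server, behind fast0) and 198.51.100.7 (client, on the Internet), the client ports and the passive data port 50000 are all assumptions for the simulation; the ACL syntax and first-match, implicit-deny semantics are those of IOS extended ACLs.

```python
"""Model of an IOS extended ACL applied inbound on the Internet-facing interface,
evaluated against the flows of one FTP session. Added example, not from the
thread. Addresses are assumed (RFC 5737 documentation ranges)."""
from dataclasses import dataclass
import ipaddress

SERVER = "192.0.2.10"     # assumed FTP server address behind fast0
CLIENT = "198.51.100.7"   # assumed client address on the Internet
PORT_NAMES = {"ftp": 21, "ftp-data": 20}
OPS = ("eq", "gt", "lt", "neq", "range")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False     # TCP ACK bit; this is what 'established' tests


def _addr(tok, i, addr):
    """Match one address spec (any | host A.B.C.D | A.B.C.D WILDCARD) at tok[i]."""
    if tok[i] == "any":
        return True, i + 1
    if tok[i] == "host":
        return tok[i + 1] == addr, i + 2
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, tok[i], tok[i + 1]))
    return (a | w) == (n | w), i + 2   # wildcard 1-bits are don't-care


def _port(tok, i, port):
    """Match an optional port operator at tok[i]; no operator means any port."""
    if i >= len(tok) or tok[i] not in OPS:
        return True, i

    def val(s):
        return PORT_NAMES.get(s) or int(s)

    if tok[i] == "range":
        return val(tok[i + 1]) <= port <= val(tok[i + 2]), i + 3
    v = val(tok[i + 1])
    ok = {"eq": port == v, "gt": port > v, "lt": port < v, "neq": port != v}[tok[i]]
    return ok, i + 2


def acl_permits(acl_lines, pkt):
    """First matching entry wins; an implicit 'deny ip any any' ends every ACL."""
    for line in acl_lines:
        tok = line.split()
        action, proto = tok[2], tok[3]       # access-list N permit|deny proto ...
        if proto not in ("ip", "tcp"):
            continue
        s, i = _addr(tok, 4, pkt.src)
        sp, i = _port(tok, i, pkt.sport)
        d, i = _addr(tok, i, pkt.dst)
        dp, i = _port(tok, i, pkt.dport)
        if "established" in tok[i:] and not pkt.ack:
            continue                         # only ACK/RST segments match
        if s and sp and d and dp:
            return action == "permit"
    return False


def inbound_flows(mode):
    """Packets of one FTP session that enter s0 from the Internet. In active mode
    the server opens the data connection from port 20, so the client's packets
    back to port 20 (SYN-ACK, ACKs) carry the ACK bit; in passive mode the client
    opens the data connection to a high port the server announced (50000 assumed)."""
    flows = {"control": Packet(CLIENT, 40000, SERVER, 21)}
    if mode == "active":
        flows["data"] = Packet(CLIENT, 40001, SERVER, 20, ack=True)
    else:
        flows["data"] = Packet(CLIENT, 40001, SERVER, 50000)
    return flows


def evaluate(acl_lines, mode):
    """Map each flow of the session to whether the inbound ACL lets it through."""
    return {n: acl_permits(acl_lines, p) for n, p in inbound_flows(mode).items()}


# The thread's ACL 100 with the assumed server address filled in.
ACL_THREAD = [
    f"access-list 100 permit tcp any host {SERVER} eq ftp",
    f"access-list 100 permit tcp host {SERVER} any eq ftp",
    "access-list 100 deny ip any any",
]
# Passive mode: the client connects to 21 and to the server's high ports.
ACL_PASSIVE = [
    f"access-list 110 permit tcp any gt 1023 host {SERVER} eq ftp",
    f"access-list 110 permit tcp any gt 1023 host {SERVER} gt 1023",
    "access-list 110 deny ip any any",
]
# Active mode: only the return half of server-initiated port-20 connections.
ACL_ACTIVE = [
    f"access-list 120 permit tcp any gt 1023 host {SERVER} eq ftp",
    f"access-list 120 permit tcp any gt 1023 host {SERVER} eq ftp-data established",
    "access-list 120 deny ip any any",
]

if __name__ == "__main__":
    for name, acl in (("thread", ACL_THREAD), ("passive", ACL_PASSIVE), ("active", ACL_ACTIVE)):
        for mode in ("active", "passive"):
            print(f"ACL {name:8s} client in {mode:7s} mode: {evaluate(acl, mode)}")
```

Running it shows why the original poster's "dir" hangs: ACL 100 admits the control connection to port 21 but drops the inbound half of the data connection in both modes (the client's replies to port 20 in active mode, the connection to the high port in passive mode), so the listing is requested but never arrives. The passive-mode ACL has to open every server port above 1023 to the Internet, which is the usual price of static filtering for FTP; where the platform supports it, stateful FTP inspection (CBAC, `ip inspect name <name> ftp`) follows the PORT/PASV exchange and opens only the negotiated data port.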