Cisco Support Community

New Member

Reflective access lists


I have an FTP server that sits behind a Cisco 1801 router. I have locked the router down with a reflective access list to only allow through ports 80 and 443. But now I want to add in FTP ports 21 and 20. I have added them in but I can't get it working via FTP.

From the Internet I can get a prompt to log in to the FTP server but I don't think it has a route back.

If I plug into the LAN and give my laptop an IP address on the same range as the server ( then FTP works fine - so I know the server is OK.       is the IP address of the FTP server,                 is the BT external address.

Could someone take a look at my config please?




Reflective access lists

Your config looks fine. When this is attempted from the outside, do you see any hits/timers on the ACEs for access-list FTPOUTB?

If so, please paste what you see.

Kind Regards,



Kind Regards, Kevin Sheahan, CCIE # 41349
New Member

Reflective access lists

I am getting matches on FTP coming in but nothing going back. Should FTPOUT be renamed FTPIN2?

rtr#sh access-lists

Extended IP access list d0_in
    100 permit tcp any host eq www log reflect WWWIN2 (12903 matches)
    110 permit tcp any host eq 443 log reflect HTTPS_IN2 (9 matches)
    180 permit tcp any host eq ftp log reflect FTPIN2 (88 matches)

Extended IP access list d0_out
    100 permit tcp host any eq www log reflect WWWOUT (553 matches)
    110 permit tcp host any eq 443 log reflect HTTPSOUT (369 matches)
    120 permit udp host any eq domain log reflect DNSUDP (149 matches)
    80  permit tcp host any eq ftp log reflect FTPOUT
    170 permit tcp host any eq ftp-data log reflect FTPOUTB

New Member

Reflective access lists

More info: if I put in the following, my FTP to the outside works.

#ip access-list extended d0_out

  permit tcp host any

But I don't want to open it up to IP. I want to lock it down to FTP, www and 443 only. It's just the FTP that's causing me problems.
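As an added illustration (not code from the thread or from Cisco), the toy Python model below walks an ACL the way IOS reflexive ACLs do: a hit on a `reflect` ACE records the mirrored 5-tuple, and an `evaluate` ACE permits only packets matching a recorded mirror. It uses constructed placeholder addresses (the real ones were stripped from the post), assumes an `evaluate FTPIN2` line in d0_out that the posted output does not show, and assumes the server is answering in active mode, where it sources the data connection from port 20 (ftp-data); that packet matches neither the mirror of the inbound control session nor the posted `host <server> any eq ftp-data` ACE, which checks the destination port.

```python
# Added example, not from the thread: a toy model of IOS reflexive-ACL evaluation.
# Addresses and ports below are constructed placeholders, not values from the post.
SERVER, CLIENT, EPH = "192.0.2.10", "198.51.100.7", 50001

def ace(proto, src, sport, dst, dport, reflect=None, evaluate=None):
    # None stands for IOS 'any' / no port qualifier
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport,
                reflect=reflect, evaluate=evaluate)

def matches(a, p):
    return all(a[k] is None or a[k] == p[k] for k in ("proto", "src", "sport", "dst", "dport"))

def walk(acl, p, state):
    """Walk an ACL in order. An 'evaluate' ACE consults the mirrored sessions in
    `state`; a hit on a 'reflect' ACE records the mirror (src/dst and ports swapped).
    Returns the permitting ACE, or None for the implicit deny."""
    for a in acl:
        if a["evaluate"]:
            if any(matches(r, p) for r in state.get(a["evaluate"], [])):
                return a
        elif matches(a, p):
            if a["reflect"]:
                mirror = ace(p["proto"], p["dst"], p["dport"], p["src"], p["sport"])
                state.setdefault(a["reflect"], []).append(mirror)
            return a
    return None

def pkt(src, sport, dst, dport):
    return dict(proto="tcp", src=src, sport=sport, dst=dst, dport=dport)

def ftp_session(fixed=False):
    """Which outbound packets d0_out permits for one active-mode FTP session."""
    state = {}
    d0_in = [ace("tcp", None, None, SERVER, 21, reflect="FTPIN2")]
    d0_out = [ace("tcp", SERVER, None, None, 21, reflect="FTPOUT"),
              ace("tcp", SERVER, None, None, 20, reflect="FTPOUTB"),   # as posted: dst port 20
              ace("tcp", None, None, None, None, evaluate="FTPIN2")]   # assumed 'evaluate' line
    if fixed:
        # corrected ACE: the server *sources* the active-mode data connection from port 20,
        # so the port qualifier belongs on the source side, i.e. 'host SERVER eq ftp-data any'
        d0_out.insert(1, ace("tcp", SERVER, 20, None, None, reflect="FTPOUTB"))
    walk(d0_in, pkt(CLIENT, EPH, SERVER, 21), state)            # client opens the control channel
    control_reply = walk(d0_out, pkt(SERVER, 21, CLIENT, EPH), state)      # permitted via mirror
    data_syn = walk(d0_out, pkt(SERVER, 20, CLIENT, EPH + 1), state)       # new session from :20
    return {"control_reply": control_reply is not None, "active_data": data_syn is not None}
```

With the ACEs as posted, the control-channel reply is permitted but the server's data SYN from port 20 hits the implicit deny; adding the source-port form of the ftp-data ACE permits it without resorting to a blanket `permit tcp host <server> any`.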
