How to configure ACL to permit FTP traffic

Resolution

In active mode, an FTP session uses two TCP connections: the control connection on port 21 and the data connection on port 20. Both must be allowed for the session to succeed.

FTP sessions fail when the Access Control List (ACL) permits control port 21 but denies the data port, or denies control port 21 but permits the data port.

To permit both the FTP control connection and the FTP data traffic, use the following ACL entries:

access-list 101 permit tcp any any eq 21
!--- The above line permits TCP traffic from any source, such as the FTP client,
!--- to any FTP server destination at the FTP control port 21.

access-list 101 permit tcp any eq 20 any
!--- The above line permits TCP traffic sourced from FTP data port 20 on any host,
!--- such as the FTP server, to any destination, such as the FTP client.

To deny FTP traffic, deny the FTP control traffic on port 21. Because the control connection never reaches the FTP server, the server never initiates the data connection from port 20, so there is no need to deny port 20 separately.

To deny FTP traffic, use the following configuration:

access-list 101 deny tcp any any eq 21
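As an added illustration (not part of the original article), the following Python models how a numbered IOS ACL such as the ones above evaluates the two connections of an active-mode FTP session, first match wins with an implicit deny at the end, and shows why permitting only port 21 breaks the session while denying port 21 alone is enough to block it. The minimal ACE parser and the client's ephemeral port 50123 are constructed for this example.

```python
import re
from collections import namedtuple
# Access-control entry in the form the page uses: "access-list N permit|deny tcp any [eq P] any [eq P]".
# Only 'any' addresses are supported; a None port means "any port".
Ace = namedtuple("Ace", "action src_port dst_port")
ACE_RE = re.compile(
    r"access-list\s+\d+\s+(permit|deny)\s+tcp\s+any(?:\s+eq\s+(\d+))?\s+any(?:\s+eq\s+(\d+))?\s*$"
)

def parse_acl(lines):
    """Turn IOS-style ACL text (with '!---' comment lines) into an ordered list of ACEs."""
    acl = []
    for line in lines:
        line = line.split("!")[0].strip()       # drop '!---' comments and blank lines
        if not line:
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        action, sp, dp = m.groups()
        acl.append(Ace(action, int(sp) if sp else None, int(dp) if dp else None))
    return acl

def permits(acl, src_port, dst_port):
    """First matching ACE wins; an IOS ACL ends with an implicit 'deny' for anything unmatched."""
    for ace in acl:
        if ace.src_port in (None, src_port) and ace.dst_port in (None, dst_port):
            return ace.action == "permit"
    return False

def active_ftp_works(acl, client_port=50123):
    """Active FTP needs two connections, both checked against the same ACL here: the client's
    control connection to port 21, then the server's data connection from port 20 to the client."""
    if not permits(acl, client_port, 21):
        return False      # control never reaches the server, so no data connection is ever attempted
    return permits(acl, 20, client_port)

PERMIT_FTP = parse_acl([
    "access-list 101 permit tcp any any eq 21",
    "!--- control: client -> server port 21; data: server port 20 -> client",
    "access-list 101 permit tcp any eq 20 any",
])
CONTROL_ONLY = parse_acl(["access-list 101 permit tcp any any eq 21"])   # the failure mode from the text
DENY_FTP = parse_acl(["access-list 101 deny tcp any any eq 21"])

if __name__ == "__main__":
    for name, acl in (("permit", PERMIT_FTP), ("control only", CONTROL_ONLY), ("deny", DENY_FTP)):
        print(f"{name:13s}: active FTP {'works' if active_ftp_works(acl) else 'fails'}")
    print("any TCP from source port 20 is let in, e.g. to port 22:", permits(PERMIT_FTP, 20, 22))
```

The last line of the script shows the trade-off of permitting active FTP with a stateless ACL: the port-20 entry admits any TCP connection whose source port is 20, not only FTP data connections.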

For information on active and passive FTP sessions, refer to One Byte at a Time: Is Your FTP Active or Passive?

Version history
Revision #: 1 of 1
Last update: 06-18-2009 03:56 PM