Access control list for ftp

eap
Level 1

We are trying to set up an ACL on an ISDN connection between 2 sites for ftp data transfer only and only between specific machines. So far we have the following on the remote side and we can send files to them fine, but receive errors when trying to receive files.

access-list 101 permit tcp any any established log

access-list 101 permit udp any eq rip any log

access-list 101 permit tcp 155.84.x.x 0.0.x.x host 198.215.x.x eq ftp log

access-list 101 permit tcp host 155.84.x.x host 198.215.x.x eq ftp log

access-list 101 permit tcp host 155.84.x.x host 198.215.x.x eq ftp log

access-list 101 permit tcp host 155.84.x.x host 155.84.x.x eq telnet log

access-list 101 deny ip any any log

We have applied this on the dialer int as follows:

interface Dialer1

ip address 155.84.x.x 255.255.x.x

ip access-group 101 in

Since we are only worried about incoming traffic on the remote side, why would it affect what leaves the router when we are trying to receive files? Any ideas would be appreciated.

Paula

3 Replies

rais
Level 7

Apparently, your FTP is in active mode. This will require you to let 'ftp-data', port # 20, in as well.

Alternatively, you can change your FTP mode to passive.

Thanks.

Thank you. I was just considering that as well. However, the ip address (ftp server) that we need to receive files from, we did not include in our access list because the acl is only applied to inbound traffic. We only included the ftp server that we push files to which is a different ip. Do we need to include the other? Or do we need an outbound acl? Thanks.

The FTP server you are getting files from might be trying to communicate with the client at port 20, so you have to open that port up as well.

Thanks.
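Added illustration, not part of the thread or any participant's post: a small model of first-match evaluation for an abridged ACL 101, showing why the `established` entry passes control-channel and passive-mode replies but drops the SYN that opens an active-mode data connection. The addresses, port numbers and the extra permit entry are constructed assumptions, and the model assumes the host retrieving files sits behind the router that applies the ACL inbound.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses (documentation ranges) standing in for the redacted hosts.
CLIENT = "192.0.2.10"      # assumed: host retrieving files, behind the ACL
SERVER = "198.51.100.20"   # assumed: FTP server reached across the dialer link
PUSH_SRV = "203.0.113.5"   # assumed: the other FTP server that files are pushed to
ANY = "0.0.0.0/0"

# Rule: (action, proto, src, src_port, dst, dst_port, established_only)
ACL_101 = [
    ("permit", "tcp", ANY, None, ANY, None, True),       # ... established
    ("permit", "udp", ANY, 520, ANY, None, False),       # ... eq rip
    ("permit", "tcp", ANY, None, PUSH_SRV, 21, False),   # ... eq ftp
    ("deny", "ip", ANY, None, ANY, None, False),
]
# Hypothetical extra entry for active mode: source port 20 is "eq ftp-data".
ACTIVE_FIX = ("permit", "tcp", SERVER, 20, CLIENT, None, False)


def evaluate(acl, pkt):
    """First-match evaluation, as an extended ACL does; returns the action."""
    for action, proto, src, sport, dst, dport, est in acl:
        if proto not in ("ip", pkt["proto"]):
            continue
        if ip_address(pkt["src"]) not in ip_network(src):
            continue
        if ip_address(pkt["dst"]) not in ip_network(dst):
            continue
        if sport is not None and pkt["sport"] != sport:
            continue
        if dport is not None and pkt["dport"] != dport:
            continue
        # "established" matches only TCP segments with ACK or RST set.
        if est and not (pkt["flags"] & {"ACK", "RST"}):
            continue
        return action
    return "deny"  # implicit deny at the end of every ACL


def tcp(src, sport, dst, dport, *flags):
    return {"proto": "tcp", "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": set(flags)}


# Constructed packets arriving inbound on the dialer interface.
CONTROL_REPLY = tcp(SERVER, 21, CLIENT, 40000, "ACK")              # reply on control channel
ACTIVE_DATA_SYN = tcp(SERVER, 20, CLIENT, 40001, "SYN")            # server opens data channel
PASSIVE_DATA_REPLY = tcp(SERVER, 50000, CLIENT, 40002, "SYN", "ACK")  # client opened it
ACL_WITH_FIX = ACL_101[:-1] + [ACTIVE_FIX, ACL_101[-1]]            # fix goes before the deny
```

In passive mode the client opens both connections, so every inbound segment carries ACK and the existing `established` entry is sufficient.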
