02-05-2004 07:13 AM - edited 03-02-2019 01:23 PM
We are trying to set up an ACL on an ISDN connection between 2 sites for ftp data transfer only and only between specific machines. So far we have the following on the remote side and we can send files to them fine, but receive errors when trying to receive files.
access-list 101 permit tcp any any established log
access-list 101 permit udp any eq rip any log
access-list 101 permit tcp 155.84.x.x 0.0.x.x host 198.215.x.x eq ftp log
access-list 101 permit tcp host 155.84.x.x host 198.215.x.x eq ftp log
access-list 101 permit tcp host 155.84.x.x host 198.215.x.x eq ftp log
access-list 101 permit tcp host 155.84.x.x host 155.84.x.x eq telnet log
access-list 101 deny ip any any log
We have applied this on the dialer int as follows:
interface Dialer1
ip address 155.84.x.x 255.255.x.x
ip access-group 101 in
Since we are only worried about incoming traffic on the remote side, why would it affect what leaves the router when we are trying to receive files? Any ideas would be appreciated.
Paula
02-05-2004 07:44 AM
Apparently, your FTP is in active mode. This will require you to let 'ftp-data', port # 20, in as well.
Alternatively, you can change your FTP mode to passive.
Thanks.
02-05-2004 08:35 AM
Thank you. I was just considering that as well. However, the ip address (ftp server) that we need to receive files from, we did not include in our access list because the acl is only applied to inbound traffic. We only included the ftp server that we push files to which is a different ip. Do we need to include the other? Or do we need an outbound acl? Thanks.
02-05-2004 09:07 AM
The FTP server you are getting files from might be trying to communicate with the client at port 20, so you have to open that port up as well.
Thanks.
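To show why the list in the question blocks a download but not an upload, here is an added example (not from the thread or from Cisco) that models how an inbound extended ACL evaluates the two FTP connections. It assumes constructed addresses in place of the masked 155.84.x.x / 198.215.x.x hosts, host-only matching instead of wildcard masks, and treats 'established' the way IOS does, as matching only segments with ACK or RST set.

```python
# Added example: a tiny model of IOS extended-ACL evaluation for FTP.
# CLIENT and SERVER are constructed placeholders, not the poster's addresses.
from dataclasses import dataclass

CLIENT = "155.84.1.10"   # constructed: local FTP client behind the dialer
SERVER = "198.215.1.20"  # constructed: remote FTP server we pull files from


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    established: bool  # True when ACK or RST is set (what 'established' tests)


def match(entry, pkt):
    """True if one ACL entry (a dict; missing keys mean 'any') matches pkt."""
    if entry.get("src") not in (None, pkt.src):
        return False
    if entry.get("dst") not in (None, pkt.dst):
        return False
    if entry.get("sport") not in (None, pkt.sport):
        return False
    if entry.get("dport") not in (None, pkt.dport):
        return False
    if entry.get("established") and not pkt.established:
        return False
    return True


def evaluate(acl, pkt):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for entry in acl:
        if match(entry, pkt):
            return entry["action"]
    return "deny"


# Inbound list from the question, reduced to the entries that matter here.
ORIGINAL_ACL = [
    {"action": "permit", "established": True},          # tcp any any established
    {"action": "permit", "dst": SERVER, "dport": 21},  # tcp ... host SERVER eq ftp
]
# Same list plus the ftp-data entry the replies recommend for active mode.
FIXED_ACL = ORIGINAL_ACL + [
    {"action": "permit", "src": SERVER, "sport": 20, "dst": CLIENT},
]

# Control-channel reply carries ACK, so 'established' permits it either way.
control_reply = Packet(SERVER, 21, CLIENT, 40001, established=True)
# Active-mode data connection: the server opens it from port 20 with a bare
# SYN, which 'established' never matches, so the original list denies it.
data_syn = Packet(SERVER, 20, CLIENT, 40002, established=False)
```

Uploads work on the original list because the client-side commands and the server's replies all ride the already-open control channel, whereas a download needs the server to open a new connection toward the client. Switching the client to passive mode avoids the extra entry, since then the client initiates the data connection too.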