Cisco Support Community

eap
New Member

Access control list for ftp

We are trying to set up an ACL on an ISDN connection between 2 sites for ftp data transfer only and only between specific machines. So far we have the following on the remote side and we can send files to them fine, but receive errors when trying to receive files.

access-list 101 permit tcp any any established log
access-list 101 permit udp any eq rip any log
access-list 101 permit tcp 155.84.x.x 0.0.x.x host 198.215.x.x eq ftp log
access-list 101 permit tcp host 155.84.x.x host 198.215.x.x eq ftp log
access-list 101 permit tcp host 155.84.x.x host 198.215.x.x eq ftp log
access-list 101 permit tcp host 155.84.x.x host 155.84.x.x eq telnet log
access-list 101 deny ip any any log

We have applied this on the dialer int as follows:

interface Dialer1
ip address 155.84.x.x 255.255.x.x
ip access-group 101 in

Since we are only worried about incoming traffic on the remote side, why would it affect what leaves the router when we are trying to receive files? Any ideas would be appreciated.

Paula

3 REPLIES
Silver

Re: Access control list for ftp

Apparently, your FTP is in active mode. This will require you to let 'ftp-data', port # 20, in as well.

Alternatively, you can change your FTP mode to passive.

Thanks.

eap
New Member

Re: Access control list for ftp

Thank you. I was just considering that as well. However, the ip address (ftp server) that we need to receive files from, we did not include in our access list because the acl is only applied to inbound traffic. We only included the ftp server that we push files to which is a different ip. Do we need to include the other? Or do we need an outbound acl? Thanks.

Silver

Re: Access control list for ftp

The FTP server you are getting files from might be trying to communicate with the client at port 20, so you have to open that port up as well.

Thanks.
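To see why the inbound list blocks downloads but not uploads, here is a small model of Cisco ACL matching (first match wins, wildcard masks, the `established` keyword, implicit deny) run against the three packet types involved. This is an added example written for this thread, not code from the original posts or from Cisco; the addresses CLIENT and SERVER are constructed stand-ins for the 155.84.x.x / 198.215.x.x hosts, and the ACL is a condensed version of the one posted.

```python
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")        # Cisco "any"
def host(a): return (a, "0.0.0.0")         # Cisco "host A" (wildcard 0.0.0.0)

# Constructed addresses standing in for the thread's masked hosts
CLIENT = "155.84.1.10"      # local machine that downloads files
SERVER = "198.215.1.20"     # far-side FTP server

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False       # TCP ACK (or RST) bit set -> matches "established"

def wild_match(addr, entry):
    """Cisco wildcard mask semantics: 1 bits in the mask are don't-care."""
    base, wild = entry
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    return (a & ~w) == (b & ~w)

def evaluate(acl, pkt):
    """Walk the list top-down; unmatched traffic hits the implicit deny."""
    for action, proto, src, sport, dst, dport, established in acl:
        if proto != "ip" and proto != pkt.proto: continue
        if not (wild_match(pkt.src, src) and wild_match(pkt.dst, dst)): continue
        if sport is not None and pkt.sport != sport: continue
        if dport is not None and pkt.dport != dport: continue
        if established and not pkt.ack: continue
        return action
    return "deny"

# Inbound list as posted (condensed): established, permit to ftp (21), deny all
ACL_ORIGINAL = [
    ("permit", "tcp", ANY, None, ANY, None, True),
    ("permit", "tcp", host(CLIENT), None, host(SERVER), 21, False),
    ("deny",   "ip",  ANY, None, ANY, None, False),
]
# Same list with the entry the replies suggest: server's ftp-data port 20 inbound
ACL_FIXED = ACL_ORIGINAL[:2] + [
    ("permit", "tcp", host(SERVER), 20, host(CLIENT), None, False)] + ACL_ORIGINAL[2:]

# Control-channel reply from port 21 carries ACK, so "established" admits it
ctrl_reply = Packet("tcp", SERVER, 21, CLIENT, 40001, ack=True)
# Active mode: the server opens a NEW connection from port 20 (SYN, no ACK yet)
active_data_syn = Packet("tcp", SERVER, 20, CLIENT, 40002)
# Passive mode: the client opened the data connection, so replies carry ACK
passive_data_reply = Packet("tcp", SERVER, 50321, CLIENT, 40003, ack=True)
```

`evaluate(ACL_ORIGINAL, active_data_syn)` returns "deny" while the passive-mode reply and the port-20 entry in ACL_FIXED both return "permit", which is the whole difference between the two suggestions in the replies.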
