Cisco Support Community

ACL to Block FTP servers


I am in a campus environment and I am trying to disallow FTP servers in our dorm area but allow them to be able to connect to an FTP server on the other side of the router. I am working with a 7206 router. Can someone help me with an ACL to accomplish this?

Thanks in advance,



Re: ACL to Block FTP servers

First of all, you would need to record the IP address of the FTP server: x.x.x.x

On the interface of the router which connects to the FTP server, you can set an outbound access-list which would permit access for those on the other side of the router, while denying access to those in the dorm area.

assuming dorm area has network y.y.y.y

and the other side of router has network z.z.z.z

access-list 100 permit tcp z.z.z.z <wildcard> host x.x.x.x eq ftp

access-list 100 deny tcp y.y.y.y <wildcard> host x.x.x.x eq ftp

the last statement is not really needed, because there is always an implicit deny.

Wildcard mask = inverse of the network mask for that subnet.

To apply this outbound:

int fa0/0

ip access-group 100 out

Re: ACL to Block FTP servers

So you want to be able to let your dorm area to access an outside FTP server, but not allow FTP in?

If this is true:

(dorm area- other_side_ftp server x.x.x.x)

int e0/0

ip access-group 110 in


access-list 110 permit tcp host x.x.x.x any established
! allows passive ftp

access-list 110 permit tcp host x.x.x.x eq ftp-data any
! allows active ftp

access-list 110 deny tcp any any eq ftp
! disallow all other ftp in

access-list 110 permit ip any any
! permit everything else - or only allow what you want

Hope it helps
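As an added illustration that is not part of either reply (nor Cisco's own code), the following Python evaluator parses extended numbered ACL lines of the form used in this thread and runs constructed packets through them with first-match, wildcard-mask and `established` semantics, ending in the implicit deny. It fills in the thread's x/y/z placeholders with an assumed topology: dorm network 10.20.0.0/16 behind fa0/0, the one permitted FTP server at 10.30.0.25 on the far side of the router, and the second reply's list applied outbound on the dorm-facing interface (toward the dorms). Those addresses, the interface and the direction are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"ftp": 21, "ftp-data": 20}   # port keywords the thread's lines use

def wildcard_mask(prefixlen: int) -> str:
    """Wildcard mask = inverse of the subnet mask, e.g. /16 -> 0.0.255.255."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefixlen}").hostmask)

@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", ...
    sport: int = 0
    dport: int = 0
    ack: bool = False   # True unless this is the initial SYN (no ACK/RST bit set)

Endpoint = Tuple[str, str, Optional[int]]   # (address, wildcard, port or None)

@dataclass
class AclEntry:
    action: str
    proto: str
    src: Endpoint
    dst: Endpoint
    established: bool

def _endpoint(t: List[str], i: int) -> Tuple[Endpoint, int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i], then an optional 'eq PORT'."""
    if t[i] == "any":
        addr, wc, i = "0.0.0.0", "255.255.255.255", i + 1
    elif t[i] == "host":
        addr, wc, i = t[i + 1], "0.0.0.0", i + 2
    else:
        addr, wc, i = t[i], t[i + 1], i + 2
    port = None
    if i < len(t) and t[i] == "eq":
        port, i = PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return (addr, wc, port), i

def parse_acl(text: str) -> List[AclEntry]:
    """Parse numbered extended ACL lines in order; lines starting with '!' are comments."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0].startswith("!"):
            continue
        if t[0] != "access-list" or t[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported line: {line}")
        src, i = _endpoint(t, 4)
        dst, i = _endpoint(t, i)
        entries.append(AclEntry(t[2], t[3], src, dst, "established" in t[i:]))
    return entries

def _side_matches(ep: Endpoint, ip: str, port: int) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    addr, wc, want_port = ep
    care = ~int(ipaddress.ip_address(wc)) & 0xFFFFFFFF
    ip_ok = (int(ipaddress.ip_address(ip)) ^ int(ipaddress.ip_address(addr))) & care == 0
    return ip_ok and (want_port is None or port == want_port)

def evaluate(acl: List[AclEntry], p: Packet) -> str:
    """First matching line wins; when nothing matches, the implicit deny applies."""
    for e in acl:
        if (e.proto in ("ip", p.proto)
                and _side_matches(e.src, p.src, p.sport)
                and _side_matches(e.dst, p.dst, p.dport)
                and (p.ack or not e.established)):   # 'established' needs ACK or RST
            return e.action
    return "deny"

# Constructed topology for this example: dorm network 10.20.0.0/16 behind fa0/0, the
# permitted FTP server at 10.30.0.25; applied as "interface fa0/0 / ip access-group 110 out".
DORM_OUT_ACL = """
access-list 110 permit tcp host 10.30.0.25 any established
! replies from the allowed server (also covers passive-mode data connections)
access-list 110 permit tcp host 10.30.0.25 eq ftp-data any
! active-mode data connections the allowed server opens toward a dorm client
access-list 110 deny tcp any any eq ftp
! nobody outside may open a control connection to an FTP server in the dorms
access-list 110 permit ip any any
"""

def demo() -> Dict[str, str]:
    """Run constructed flows (all travelling toward the dorm) through ACL 110."""
    acl, pc = parse_acl(DORM_OUT_ACL), "10.20.5.7"
    flows = {
        "outsider opens ftp to a dorm host": Packet("10.30.0.50", pc, "tcp", 40001, 21),
        "control reply from allowed server": Packet("10.30.0.25", pc, "tcp", 21, 40002, ack=True),
        "active data from allowed server": Packet("10.30.0.25", pc, "tcp", 20, 40003),
        "passive data reply from allowed server": Packet("10.30.0.25", pc, "tcp", 50123, 40004, ack=True),
        "web reply to a dorm browser": Packet("10.30.0.50", pc, "tcp", 80, 40006, ack=True),
    }
    return {name: evaluate(acl, p) for name, p in flows.items()}

def implicit_deny_example() -> str:
    """A list holding only an FTP permit (no 'permit ip any any') drops unrelated traffic."""
    acl = parse_acl("access-list 100 permit tcp 10.20.0.0 0.0.255.255 host 10.30.0.25 eq ftp")
    return evaluate(acl, Packet("10.20.5.7", "10.30.0.50", "tcp", 40007, 80))
```

`demo()` shows the SYN to port 21 at a dorm host hitting the deny line while the allowed server's control replies, active-mode data connections and passive-mode replies all pass; `implicit_deny_example()` shows why a list that only permits FTP, like the first reply's, silently drops everything else on that interface unless a `permit ip any any` is appended.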