10-03-2002 03:05 PM - edited 03-02-2019 01:49 AM
Hi!
I am in a campus environment and I am trying to disallow ftp servers in our dorm area but allow them to be able to connected to a ftp server on the other side of the router. I am working with a 7206 router. Can someone help me with acl to accomplish this?
Thanks in advance,
Rick
10-03-2002 03:41 PM
First of all you would need to record the IP address of the FTP server: x.x.x.x
On the interface of the router which connects to the FTP server, you can set an outbound access-list which would permit access for those on the other side of the router, while denying access to those in the dorm area.
assuming dorm area has network y.y.y.y
and the other side of router has network z.z.z.z
access-list 100 permit tcp z.z.z.z <wildcard mask> host x.x.x.x
access-list 100 deny tcp y.y.y.y <wildcard mask> host x.x.x.x
The last statement is not really needed, because there is always an implicit deny.
Wildcard mask = inverse of the network mask for that subnet.
To apply this to an interface as outbound:
int fa0/0
ip access-group 100 out
10-03-2002 03:42 PM
So you want to be able to let your dorm area to access an outside FTP server, but not allow FTP in?
If this is true:
(dorm area-10.1.1.0)7206(e0/0- other_side_ftp server x.x.x.x)
int e0/0
ip access-group 110 in
!
! allows passive ftp (return traffic from the server, ACK/RST set)
access-list 110 permit tcp host x.x.x.x 10.1.1.0 0.0.0.255 established
! allows active ftp (server opens the data connection from port 20)
access-list 110 permit tcp host x.x.x.x eq ftp-data 10.1.1.0 0.0.0.255
! disallow all other ftp in
access-list 110 deny tcp any 10.1.1.0 0.0.0.255 eq ftp
! permit everything else - or only allow what you want
access-list 110 permit ip any any
Hope it helps
Steve
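As an added illustration (not part of either reply), a small Python model of how IOS walks Steve's ACL 110 top to bottom: Cisco wildcard-mask matching, the `established` keyword (ACK or RST set), and the implicit deny at the end. The server address 192.0.2.10 stands in for x.x.x.x and is an assumption, as are the constructed test flows.

```python
import ipaddress

FTP_SERVER = "192.0.2.10"        # placeholder for x.x.x.x (assumption)
DORM = ("10.1.1.0", "0.0.0.255")  # dorm network and wildcard from the thread
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: bits set to 1 in the wildcard are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)


# One entry per ACE, in the order Steve listed them:
# (action, src_net, src_wildcard, src_port, dst_net, dst_wildcard, dst_port, established)
ACL_110 = [
    ("permit", FTP_SERVER, "0.0.0.0", None, *DORM, None, True),   # passive ftp returns
    ("permit", FTP_SERVER, "0.0.0.0", 20,   *DORM, None, False),  # active ftp-data
    ("deny",   *ANY,                  None, *DORM, 21,   False),  # no other ftp in
    ("permit", *ANY,                  None, *ANY,  None, False),  # everything else
]


def evaluate(acl, src, sport, dst, dport, ack_or_rst=False) -> str:
    """First matching ACE decides; no match falls through to the implicit deny."""
    for action, snet, swc, sp, dnet, dwc, dp, est in acl:
        if not (wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc)):
            continue
        if sp is not None and sp != sport:
            continue
        if dp is not None and dp != dport:
            continue
        if est and not ack_or_rst:   # 'established' needs ACK or RST set
            continue
        return action
    return "deny"


def inbound_ftp_to_dorm_blocked() -> bool:
    """Outside host (constructed) opening FTP control to a dorm host is denied."""
    return evaluate(ACL_110, "203.0.113.5", 40000, "10.1.1.25", 21) == "deny"
```

Running `evaluate` on a few constructed flows shows the order matters: a SYN from the FTP server itself to dorm port 21 still hits the deny line because line 1 requires ACK/RST and line 2 requires source port 20.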