ACLs

b.go
Level 1

Hi, I've just put my new web server into the DMZ zone and allowed only HTTP, FTP (from internal) and echo access into it, but I'm still confused between in and out ACLs. Now I am not able to update or browse from this server.

They seem OK to me, since I am the one who wrote these ACLs.

Acl 102 is applied on f0/1 (out), and 103 on f0/1 (in).

Many thanks for any suggestions and help.

access-list 102 permit tcp any host ip.of.web.srv established
access-list 102 permit tcp any host ip.of.web.srv eq www
access-list 102 permit icmp any host ip.of.web.srv echo
access-list 102 permit tcp internal.local.net net_mask gt 1023 host ip.of.web.srv eq ftp

access-list 103 permit tcp host ip.of.web.srv any established
access-list 103 permit tcp host ip.of.web.srv gt 1023 any eq www
access-list 103 permit tcp host ip.of.web.srv gt 1023 any eq ftp
access-list 103 permit icmp host ip.of.web.srv any echo-reply
access-list 103 permit tcp host ip.of.web.srv gt 1023 any eq domain
access-list 103 permit udp host ip.of.web.srv gt 1023 any eq domain

Best regards,

b.go

Accepted Solution

konigl
Level 7

Regarding the "unable to update FTP" issue, it looks like your access-lists should have the command/control connection set up OK, but I see no provisions for the data connection. The data connection can also be either Active FTP or Passive FTP.

Here are some lines that should work for you, to allow users on your internal.local.net to update your ip.of.web.srv using FTP:

! For command/control connection
access-list 102 permit tcp internal.local.net net_mask gt 1023 host ip.of.web.srv eq ftp
! for ACTIVE FTP data connection
access-list 102 permit tcp internal.local.net net_mask gt 1023 host ip.of.web.srv eq ftp-data established
! for PASSIVE FTP data connection
access-list 102 permit tcp internal.local.net net_mask gt 1023 host ip.of.web.srv gt 1023

! for command/control connection
access-list 103 permit tcp host ip.of.web.srv eq ftp any gt 1023 established
! for ACTIVE FTP data connection
access-list 103 permit tcp host ip.of.web.srv eq ftp-data any gt 1023
! for PASSIVE FTP data connection
access-list 103 permit tcp host ip.of.web.srv gt 1023 any gt 1023 established

Regarding the "unable to browse from this server" issue, it looks like your access-list 102 does not allow UDP-based DNS Server replies back to your machine. UDP is what's generally used for client-to-DNS-Server address resolution requests. Try these:

access-list 102 permit udp any eq domain host ip.of.web.srv gt 1023
access-list 103 permit udp host ip.of.web.srv gt 1023 any eq domain

Hope this helps.
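The following is an added illustration, not code from the thread or from Cisco: a toy evaluator with the same first-match, implicit-deny and `established` (ACK/RST set) semantics as the stateless extended ACLs above. It models the two ACLs with konigl's FTP lines applied and shows that a passive FTP data transfer succeeds while a UDP DNS reply is dropped until the extra ACL 102 line is added. The addresses 192.0.2.10, 10.0.0.0/24 and 198.51.100.53 are constructed stand-ins for the placeholders ip.of.web.srv, internal.local.net net_mask and an external resolver.

```python
# Toy model of stateless extended-ACL evaluation (added example, not a Cisco implementation).
from ipaddress import ip_address, ip_network

SRV = "192.0.2.10"       # stands in for ip.of.web.srv (constructed address)
LAN = "10.0.0.0/24"      # stands in for internal.local.net net_mask (constructed)
ANY = "0.0.0.0/0"

def rule(proto, src, sport, dst, dport, established=False):
    """One ACE. Ports are None, ("eq", n) or ("gt", n); 'established' means ACK or RST set."""
    return (proto, src, sport, dst, dport, established)

def _port_ok(spec, port):
    return spec is None or (port == spec[1] if spec[0] == "eq" else port > spec[1])

def permitted(acl, proto, src, sport, dst, dport, ack=False):
    """First match wins; no match means the implicit 'deny any' at the end of every ACL."""
    for p, s, sp, d, dp, est in acl:
        if (p == proto and ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
                and _port_ok(sp, sport) and _port_ok(dp, dport) and (ack or not est)):
            return True
    return False

# ACL 102: packets leaving f0/1 towards the server.  ACL 103: packets arriving from the server.
ACL_102 = [
    rule("tcp", ANY, None, SRV, None, established=True),
    rule("tcp", ANY, None, SRV, ("eq", 80)),
    rule("tcp", LAN, ("gt", 1023), SRV, ("eq", 21)),                     # FTP control
    rule("tcp", LAN, ("gt", 1023), SRV, ("eq", 20), established=True),   # active data, client replies
    rule("tcp", LAN, ("gt", 1023), SRV, ("gt", 1023)),                   # passive data, client opens
]
ACL_103 = [
    rule("tcp", SRV, None, ANY, None, established=True),
    rule("tcp", SRV, ("gt", 1023), ANY, ("eq", 80)),
    rule("tcp", SRV, ("eq", 20), ANY, ("gt", 1023)),                     # active data, server opens
    rule("udp", SRV, ("gt", 1023), ANY, ("eq", 53)),                     # DNS query out
]
DNS_REPLY_FIX = rule("udp", ANY, ("eq", 53), SRV, ("gt", 1023))          # the line konigl adds

def passive_ftp_data_ok(client="10.0.0.5"):
    """Client opens a high port on the server; the server's replies carry ACK."""
    return (permitted(ACL_102, "tcp", client, 40000, SRV, 50000)
            and permitted(ACL_103, "tcp", SRV, 50000, client, 40000, ack=True))

def dns_lookup_ok(resolver="198.51.100.53", with_fix=False):
    """The query leaves under 103; the UDP reply has no TCP flags, so only an explicit line admits it."""
    acl_102 = ACL_102 + ([DNS_REPLY_FIX] if with_fix else [])
    return (permitted(ACL_103, "udp", SRV, 33000, resolver, 53)
            and permitted(acl_102, "udp", resolver, 53, SRV, 33000))
```

Note that the passive-data line on ACL 102 is restricted to the internal network, so an outside host is still denied access to the server's high ports even though the rule has no `established` keyword.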

b.go
Level 1
Hi, many thanks for your help.

I'll need to study this further; I'm still a little bit confused about the command/control connection for FTP. All these work perfectly.

Thank you.

Best regards,

b.go
