
VLAN Access-Maps - Client FTP

rraver
Level 1

What's the best way to have a VLAN access-map and still be able to have a client use FTP going out? I have tried the established command and it seems not to work. What makes this situation difficult is the FTP servers are in a group where we don't always know the source IP of the FTP server. Any ideas other than general access-lists that open everything up?

Thanks,

Robert Raver

1 Reply

bigchoice75
Level 1

hey rob,

FTP uses two ports, TCP 20 (ftp-data) and TCP 21 (control). The client will initiate a connection to the server on port 21 and the server will open a data connection on client port 20, unless using passive FTP, in which case the server will respond back with a random port for the client to connect to for data.

If using standard (active) FTP, the ACL would look something like:

vlan access-map VMAP 10
 action forward
 match ip address 110
! allow inside hosts to connect to FTP servers (control connection)
access-list 110 permit tcp 10.10.10.0 0.0.0.255 any eq 21
! allow FTP servers to open the active-mode data connection, which they source from tcp/20
access-list 110 permit tcp any eq 20 10.10.10.0 0.0.0.255
! apply the map to the client VLAN (VLAN 10 is an assumed number)
vlan filter VMAP vlan-list 10

The result of this VLAN access-map is that FTP will be allowed and all other traffic will be dropped due to the implicit deny at the end of the access-map. You'll need to add additional access-map statements to accommodate other traffic.

hope this helps.

kevin
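The following is an added example, not code from the thread above or from Cisco: a small stateless evaluator that applies the same first-match-then-implicit-deny logic a VLAN access-map uses to a set of constructed FTP packets. It goes slightly beyond the posted two-line ACL: because a VACL is stateless and is applied to every packet in the VLAN in both directions, the ACL here also carries the reply-direction entries (server port 21 back to the client, and client back to server port 20); those two entries, the client address 10.10.10.5, the server address 203.0.113.7 and the ephemeral/PASV port numbers are all assumptions made for the example. Running it shows the point that matters for the original question: active-mode FTP fits a static VACL, but the passive-mode data connection to a random server port falls through to the implicit deny unless the ACL is opened up.

```python
# Added example (not from the original thread): a stateless evaluator that
# applies VLAN access-map logic (first matching entry wins, implicit deny at
# the end) to constructed FTP packets, to show which FTP flows survive it.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INSIDE = "10.10.10.0/24"   # the client subnet from the post (0.0.0.255 wildcard)
CLIENT = "10.10.10.5"      # assumed client address (constructed for the example)
SERVER = "203.0.113.7"     # assumed FTP server address (constructed for the example)


@dataclass(frozen=True)
class Packet:
    """One TCP packet as the VACL sees it: addresses and ports only."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class ACE:
    """One 'permit tcp <src> [eq p] <dst> [eq p]' entry of an extended ACL."""
    action: str
    src: str                 # CIDR or "any"
    src_port: Optional[int]  # None means any source port
    dst: str
    dst_port: Optional[int]  # None means any destination port

    @staticmethod
    def _addr_ok(spec: str, addr: str) -> bool:
        return spec == "any" or ip_address(addr) in ip_network(spec)

    def matches(self, pkt: Packet) -> bool:
        return (self._addr_ok(self.src, pkt.src_ip)
                and self._addr_ok(self.dst, pkt.dst_ip)
                and (self.src_port is None or self.src_port == pkt.src_port)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


def vacl_action(acl: list, pkt: Packet) -> str:
    """First matching entry decides; anything unmatched hits the implicit deny,
    exactly as 'action forward / match ip address' behaves with no catch-all map."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# The two entries from the reply (active-mode servers source the data connection
# from tcp/20), plus the reply-direction entries a stateless VACL also needs.
# The last two entries are my addition, not part of the posted configuration.
FTP_ACL = [
    ACE("permit", INSIDE, None, "any", 21),   # client -> server control
    ACE("permit", "any", 21, INSIDE, None),   # server -> client control replies
    ACE("permit", "any", 20, INSIDE, None),   # active data: server:20 -> client
    ACE("permit", INSIDE, None, "any", 20),   # client -> server:20 data replies
]

# Constructed packets for one session; 51000-51002 are client ephemeral ports,
# 49152 stands in for the random port a passive-mode server announces in PASV.
FLOWS = {
    "control_request": Packet(CLIENT, 51000, SERVER, 21),
    "control_reply":   Packet(SERVER, 21, CLIENT, 51000),
    "active_data":     Packet(SERVER, 20, CLIENT, 51001),
    "passive_data":    Packet(CLIENT, 51002, SERVER, 49152),
}


def evaluate_ftp(acl=FTP_ACL) -> dict:
    """Map each constructed flow to the VACL decision it would receive."""
    return {name: vacl_action(acl, pkt) for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_ftp().items():
        print(f"{name:16} {verdict}")
```

The evaluator permits the control connection in both directions and the active-mode data connection, and denies the passive-mode data packet, which is why a client whose FTP servers are unknown in advance and may be passive-only cannot be served by a static access-map of this shape.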