Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VLAN Access-Maps - Client FTP

What's the best way to have a vlan access-map and to be able to have a client to use ftp going out. I have tried the established command and it seems not to work. What makes this situation difficult is the FTP server's are in a group that we don't always know the source IP of the FTP server. Any ideas other then general access-lists that open everything up?


Robert Raver

New Member

Re: VLAN Access-Maps - Client FTP

hey rob,

ftp uses two ports, tcp 20 (ftp-data) and tcp 21 (control). The client will initiate a connection to server on port 21 and the server will open a data connection on client port 20. Unless using passive FTP which the server will respond back with a random port for client to connect to for DATA.

if using standard ftp acl would look something like

vlan access-map VMAP 10

action forward

match ip address 110

ip access-list 110 permit tcp any eq 21 (allow inside host to connect to ftp servers)

ip access-list 110 permit tcp any eq 20 (allow ftp server to connect to hosts)

the result of this vlan access-map is that ftp will be allowed and all other traffic will be dropped due to the implicit deny at end of access-map. You'll need to add additional access-map statements to accomodate other traffic.

hope this helps.