Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ACL filtering destination port

I want to apply an ACL controling what services are permitted on the Internet. So I will create an ACL on the Inside interface IN that will allow for 80,53,20,21 etc... My question is regarding FTP, from my log analysis I see that during FTP many ports are used in the high range(I guess this is part of the Active mode) if I don't enter all those ports in my access-list will the fixup compensate for those or will the FTP fail.

Cisco Employee

Re: ACL filtering destination port


Fixup protocol ftp 21 should open up those ports dynamically.



Re: ACL filtering destination port


Fixup ftp performs several functions with respect to ftp traffic. One of which is monitoring active ftp communications. In an active mode, ftp clients send PORT commands to the server instructing that server to connect back to them on random high ports (normally). The PIX is able to look at the PORT commands and open a connection on the PIX to allow the server to connect back to the client on this high port. In your case, it sounds like the ftp server is inside the PIX and the clients are outside. Is that correct? If you want to apply an ACL to your inside interface to prevent your internal clients from opening random connections, you can do this. In this case, the 'fixup ftp' command should monitor the traffic and punch a dynamic hole in the inside access-list to allow the internal server to connect back to the external client on the random high port. If this is not the scenerio you are referring to, please let us know. Thanks.


CreatePlease to create content