I dial a remote location from my 2600 and we access some remote servers via passive FTP. My local router has no ACL; everything is permitted. I need to have an ACL on the remote router that permits only my passive FTP connections. But the thing is that while the command channel is on port 21, the data channel is always on a different port, due to the passive nature of FTP. So an ACL like this won't work:
! IOS extended ACLs take a wildcard mask (0 bits must match), not a subnet mask
access-list 101 permit tcp 126.96.36.199 0.0.0.255 any eq ftp
! ftp-data is port 20, which only active-mode FTP uses for the data channel
access-list 101 permit tcp 188.8.131.52 0.0.0.255 any eq ftp-data
It will allow me to connect, but when I issue an "ls" or a "get" it won't work, because the port will not be "ftp-data" but something like 30054, which of course is not permitted.
Any suggestions on how I can do this are appreciated.
You could have an additional entry in ACL 101 permitting traffic for ports greater than 1024. This would mean that there is a certain amount of risk. The other solution is to use the IOS Firewall feature set and implement CBAC. More info at the URL below:
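To show concretely why the two-line ACL in the question lets the control channel through but blocks the data channel, and what the "ports greater than 1024" entry changes, here is a small Python model. It is an added example for this thread, not code from the original posts or from Cisco. It parses the server's RFC 959 "227" PASV reply to recover the data port, then evaluates both connections against a list of ACEs using IOS wildcard-mask semantics, first match wins, implicit deny at the end. The client network 192.0.2.0/24 (the thread's addresses are anonymized), the client address, the server address and the PASV reply are all constructed; the reply encodes port 30054, the kind of high port the question mentions. Destination addresses and the `any` keyword are not modelled, since the question's ACEs match any destination.

```python
"""IOS extended ACL evaluated against a passive-FTP session (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

FTP_CONTROL_PORT = 21   # "eq ftp" in IOS
FTP_DATA_PORT = 20      # "eq ftp-data" in IOS; only active-mode FTP uses it

# Constructed 227 reply: (117,102) encodes port 117*256 + 102 = 30054.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,117,102)."

# Assumed client LAN (documentation range); address + IOS wildcard mask.
CLIENT_NET = ("192.0.2.0", "0.0.0.255")


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Return (server_ip, data_port) from an RFC 959 '227' reply."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply")
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if m is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in reply")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass(frozen=True)
class AclEntry:
    """One ACE: 'permit|deny tcp <src> <wildcard> any [<op> <port>...]'."""
    action: str
    src: str
    wildcard: str
    port_op: Optional[str]          # eq / gt / lt / range / None = any port
    ports: Tuple[int, ...] = ()


def wildcard_match(ip: str, net: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(net))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (ip_i & care) == (net_i & care)


def port_match(op: Optional[str], ports: Tuple[int, ...], port: int) -> bool:
    if op is None:
        return True
    if op == "eq":
        return port in ports
    if op == "gt":
        return port > ports[0]        # strict, as in IOS
    if op == "lt":
        return port < ports[0]
    if op == "range":
        return ports[0] <= port <= ports[1]
    raise ValueError(f"unknown port operator {op!r}")


def acl_permits(acl: List[AclEntry], src_ip: str, dst_port: int) -> bool:
    """First matching ACE decides; no match means the implicit deny."""
    for ace in acl:
        if wildcard_match(src_ip, ace.src, ace.wildcard) and port_match(
            ace.port_op, ace.ports, dst_port
        ):
            return ace.action == "permit"
    return False


# The question's ACL, as two ACEs.
ORIGINAL_ACL = [
    AclEntry("permit", *CLIENT_NET, "eq", (FTP_CONTROL_PORT,)),
    AclEntry("permit", *CLIENT_NET, "eq", (FTP_DATA_PORT,)),
]

# The reply's suggestion: one more ACE for the high ports ("gt 1023" is the
# usual IOS spelling of "greater than 1024", because gt is strict).
HIGH_PORT_ACL = ORIGINAL_ACL + [AclEntry("permit", *CLIENT_NET, "gt", (1023,))]


def passive_session(
    acl: List[AclEntry], client_ip: str, pasv_reply: str
) -> Tuple[bool, bool, int]:
    """Evaluate the control connection and the PASV data connection.

    In passive mode the client opens both, so both cross the same inbound
    ACL on the remote router. Returns (control_ok, data_ok, data_port).
    """
    control_ok = acl_permits(acl, client_ip, FTP_CONTROL_PORT)
    _server_ip, data_port = parse_pasv_reply(pasv_reply)
    data_ok = acl_permits(acl, client_ip, data_port)
    return control_ok, data_ok, data_port


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("with gt 1023", HIGH_PORT_ACL)):
        ctl, data, port = passive_session(acl, "192.0.2.25", SAMPLE_PASV_REPLY)
        print(f"{name:13s} control={ctl} data(port {port})={data}")
```

Running it shows the original ACL permitting the control connection and denying the data connection on port 30054, while the ACL with the `gt 1023` entry permits both. The same model makes the risk in the reply visible: that third ACE permits every high TCP port from the client network to every destination, not just the one port the server named in its 227 reply.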
A little confusion here... Is the topology like this?
FTP client------ your router---------internet--------customer router-------FTP server.
Where is ACL 101 applied, and in which direction? If the above topology is correct and you are initiating the FTP to the FTP server, then there should not be a problem in opening up ports > 1024 in the OUT direction of the customer router on the outside interface.
Since this is passive FTP, the port negotiation is always done by the FTP client and always on a higher port, as in your case port 3000x. The customer router needs to open up a hole for <1024 from your FTP client.
CBAC also won't help here. I'll dig into it further and let you know of any findings.