What is the best way to allow FTP xfers on high port numbers through an IOS-based ACL? I want to tell the router only to allow FTP transfers on the high port numbers, not anything else. Is this possible?
For example, I use the following extended ACL commands for a particular host:
access-list 120 permit tcp any host 184.108.40.206 range ftp-data ftp
access-list 120 permit tcp any host 220.127.116.11 gt 1400
Without the second line I am not able to get the data through. I.e. I can log onto an FTP site, but can't get any data, since FTP "overflows" onto higher port numbers. I thought there was a particular range that FTP uses for this "overflow", but I don't think that this is true.
The problem is that the router/hosts are now obviously vulnerable to attacks on port numbers higher than 1400.
Your ACL is right, but as you said, you are going to open all ports even when there is no FTP traffic, and anyone can exploit the ports.
The best way to do this on IOS is to use IOS Firewall (CBAC), which inspects on a per-protocol basis (TCP, UDP, FTP, HTTP, etc.) and dynamically opens holes as traffic returns to your router, so you do not have to permit all the ports. Here are a few example and reading URLs about CBAC:
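A CBAC configuration for the setup described in the question, added here as an example; it is not from the original thread or from Cisco's documentation. It assumes a CBAC-capable IOS image, that the FTP server 184.108.40.206 sits behind GigabitEthernet0/1 and the untrusted side is GigabitEthernet0/0 (both interface names are assumptions), and that FTP inspection of the control channel on port 21 is what opens the negotiated data channel, so the static `gt 1400` entry is no longer needed.

```cisco
! Added example, not from the original post. Assumed topology:
!   GigabitEthernet0/0 = outside (untrusted), GigabitEthernet0/1 = inside
!   FTP server = 184.108.40.206 (address taken from the question)

! Inspect FTP sessions that arrive from the outside. The ftp inspector
! reads the PORT/PASV negotiation on the control channel and adds a
! temporary ACL entry for just that data connection, then removes it
! when the session ends (the "dynamic holes" the answer refers to).
ip inspect name OUTSIDE-IN ftp timeout 3600
ip inspect audit-trail

! Static ACL: only the FTP control channel to the server is opened.
! No "gt 1400" line; everything else is denied and logged.
ip access-list extended OUTSIDE-IN-ACL
 remark FTP control channel only; data channel is opened by CBAC
 permit tcp any host 184.108.40.206 eq ftp
 deny   ip any any log

interface GigabitEthernet0/0
 description outside (assumed name)
 ip access-group OUTSIDE-IN-ACL in
 ip inspect OUTSIDE-IN in

! Verification while an FTP transfer is in progress:
!   show ip inspect sessions      - control and data sessions being tracked
!   show ip access-lists          - the temporary entries CBAC inserted
!   show ip inspect config        - confirms the inspection rule is applied
```

The deny-and-log line at the end of the ACL is what makes the difference visible: with the old `gt 1400` entry, probes to high ports were silently permitted, whereas here any connection attempt that CBAC has not opened is dropped and logged.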