Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Best way to allow FTP in IOS access-list

Guys,

what is the best way to allow FTP xfer's on high ports numbers through an IOS based ACL? I want to tell the router only to allow FTP transfer on the high port numbers, not anything else. Is this possible?

For example I use the following extended ACL commands for a particualr host :

access-list 120 permit tcp any host 1.1.1.1 range ftp-data ftp

access-list 120 permit tcp any host 1.1.1.1 gt 1400

Without the second line I am not able to get the data through. Ie I can log onto a FTP site, but can't get any data, since FTP "overflows" onto higher port numbers. I thought there was a particualr range that FTP uses for this "overflow" but I don't think that this is true.

The problem is that the router/hosts are now obviously volunerable to attacks on port numbers higher than 1400.

Anyway, hope this is possible in IOS ...

  • Other Security Subjects
1 REPLY
Cisco Employee

Re: Best way to allow FTP in IOS access-list

Your ACL is right, but as you said, you are going to open for all ports even when no FTP traffic and anyone can exploit the ports.

The best way to do this on IOS, is use IOS Firewall (CBAC) which inspects on protocol-basis such as TCP, UDP, FTP, HTTP etc and dynamically opens holes as traffic returns back to your router, you do not have to permit all the ports. Here is few example and reading URLs about CBAC

http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113t/113t_3/firewall.htm

http://www.cisco.com/warp/public/cc/pd/iosw/ioft/iofwft/prodlit/fire_ds.htm

http://www.cisco.com/warp/public/707/index.shtml#IOS

HTH

R/Yusuf

440
Views
0
Helpful
1
Replies
This widget could not be displayed.