Solved: Extended ACL and FTP

vblaha · ‎05-07-2009

We have adjusted our ACL and removed permitting tcp any any gt 1023 and replaced it with the any any established command but this broke ftp. The ACL is applied out on the ethernet interface into the local network. How do I securely add FTP?

permit tcp any any established

???

marcelo.zilio · ‎05-07-2009

Maybe this link should help.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml

Also what we do is define a range of ports for passive ftp. For example 6000 to 6100.

So instead you use

access-list 100 permit tcp any host 192.168.1.100 gt 1023

You should use

access-list 100 permit tcp any host 192.168.1.100 range 6000 6100

But, in my opinion, from the server's view, active FTP is more secure than passive.

Hope this helps

View solution in original post

Jon Marshall · ‎05-07-2009

Tory

Do you know whether it is active or passive FTP. If active then the FTP server makes a new connection back to the client which would be allowed by tcp any any gt 1023 but not by any any established.

Is the device you have the acl on a router or firewall ?

Jon

marcelo.zilio · ‎05-07-2009