
New Member

Extended ACL and FTP

We have adjusted our ACL and removed "permit tcp any any gt 1023", replacing it with the "any any established" command, but this broke FTP. The ACL is applied outbound on the Ethernet interface into the local network. How do I securely add FTP?

permit tcp any any established

???

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: Extended ACL and FTP

Maybe this link should help.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml

Also, what we do is define a range of ports for passive FTP, for example 6000 to 6100.

So instead of using

access-list 100 permit tcp any host 192.168.1.100 gt 1023

you should use

access-list 100 permit tcp any host 192.168.1.100 range 6000 6100

But, in my opinion, from the server's view, active FTP is more secure than passive.

Hope this helps

2 REPLIES
Hall of Fame Super Blue

Re: Extended ACL and FTP

Tory

Do you know whether it is active or passive FTP? If active, then the FTP server makes a new connection back to the client, which would be allowed by "tcp any any gt 1023" but not by "any any established".

Is the device you have the ACL on a router or a firewall?

Jon
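To make the two answers above concrete, here is a small model of how the extended-ACL entries quoted in this thread evaluate inbound TCP segments. It is an added example, not code from the thread or from Cisco. It shows why swapping "gt 1023" for "established" stops an active-mode data connection (the server's SYN back to the client carries neither ACK nor RST, so "established" never matches it), and how a fixed passive port range on the server restores passive FTP while permitting far less than "gt 1023" did. Only 192.168.1.100 comes from the accepted answer; the other addresses, the port numbers and the sample segments are constructed for the example.

```python
# Added example (not from the thread or from Cisco): a small model of how the
# extended-ACL entries quoted in this thread evaluate TCP segments. It shows
# why replacing 'gt 1023' with 'established' breaks active-mode FTP data
# connections, and how a fixed passive port range restores service while
# exposing far less than 'gt 1023' did. All addresses except 192.168.1.100
# (from the accepted answer) and all sample segments are constructed here.
from dataclasses import dataclass
from typing import Optional, Tuple

# TCP flag bits
SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Segment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: int


@dataclass(frozen=True)
class Ace:
    """One entry of 'access-list 100 permit tcp any <dst> <operator>'."""
    action: str                      # "permit" or "deny"
    dst_host: Optional[str] = None   # None models the 'any' keyword
    operator: Optional[str] = None   # None, "gt", "range" or "established"
    ports: Tuple[int, ...] = ()

    def matches(self, seg: Segment) -> bool:
        if self.dst_host is not None and seg.dst_ip != self.dst_host:
            return False
        if self.operator == "established":
            # IOS 'established' matches only segments with ACK or RST set,
            # so the initial SYN of any inbound connection never matches.
            return bool(seg.flags & (ACK | RST))
        if self.operator == "gt":
            return seg.dst_port > self.ports[0]
        if self.operator == "range":
            low, high = self.ports
            return low <= seg.dst_port <= high
        return True


def evaluate(acl, seg: Segment) -> str:
    """First matching entry wins; an unmatched segment hits the implicit deny."""
    for ace in acl:
        if ace.matches(seg):
            return ace.action
    return "deny"


# Original ACL: permit tcp any any gt 1023
ACL_GT_1023 = [Ace("permit", None, "gt", (1023,))]
# Replacement that broke FTP: permit tcp any any established
ACL_ESTABLISHED = [Ace("permit", None, "established")]
# Accepted answer: established plus a fixed passive range on the FTP server
ACL_WITH_PASV_RANGE = ACL_ESTABLISHED + [
    Ace("permit", "192.168.1.100", "range", (6000, 6100)),
]

# Constructed traffic entering the LAN (the direction the ACL filters).
# Jon's case: an inside client (192.168.1.50) in active mode; the outside server
# (203.0.113.10) opens the data connection from port 20 back to the client.
ACTIVE_DATA_SYN = Segment("203.0.113.10", 20, "192.168.1.50", 40000, SYN)
# Reply half of a control connection the inside client opened itself.
RETURN_ACK = Segment("203.0.113.10", 21, "192.168.1.50", 40001, ACK)
# Accepted answer's case: an outside client opening a passive data connection
# to the inside FTP server within the advertised range.
PASV_DATA_SYN = Segment("198.51.100.7", 51000, "192.168.1.100", 6005, SYN)
# A connection attempt to the same server outside the passive range.
OTHER_HIGH_PORT_SYN = Segment("198.51.100.7", 51001, "192.168.1.100", 7000, SYN)


def compare() -> dict:
    """Decision of each ACL for each constructed segment, keyed by (acl, segment)."""
    acls = {
        "gt_1023": ACL_GT_1023,
        "established": ACL_ESTABLISHED,
        "with_pasv_range": ACL_WITH_PASV_RANGE,
    }
    segs = {
        "active_data_syn": ACTIVE_DATA_SYN,
        "return_ack": RETURN_ACK,
        "pasv_data_syn": PASV_DATA_SYN,
        "other_high_port_syn": OTHER_HIGH_PORT_SYN,
    }
    return {(a, s): evaluate(acl, seg)
            for a, acl in acls.items() for s, seg in segs.items()}


if __name__ == "__main__":
    for (acl_name, seg_name), verdict in compare().items():
        print(f"{acl_name:16} {seg_name:20} {verdict}")
```

Running it shows the trade-off directly: "gt 1023" permits every sample SYN, including the probe to port 7000; "established" alone permits only the return ACK and drops both FTP data connections; "established" plus the 6000-6100 range readmits the passive data connection to 192.168.1.100 and nothing else. The model also makes the limit of the accepted answer visible: it does nothing for an inside client using active mode, which still needs either passive mode or a stateful FTP inspection feature on the device.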

