We recently replaced a PIX 501 with a Cisco 2811 in our head office. We have created and applied access lists, and everything is working fine now except our passive FTP. Some of our clients who try to access our AS/400 via FTP can connect but cannot copy or view any listings in the directory. We are using the following lines in our access-list to control incoming FTP access.
For "passive" FTP, the connections will NOT be established as the client connects back to the server, source and destination ports > 1023. You cannot key these connections with "established".
Most FTP servers will allow you to specify a range of ports to use for incoming passive data connections. In vsftpd for example you can set "pasv_min_port" and "pasv_max_port" in /etc/vsftpd/vsftpd.conf to specify a range of ports to offer for passive data connections. You can then alter your second access-list permit to specify:
permit tcp any gt 1023 host a.b.c.d range min max
where "min" and "max" are the ports specified above.
If your server doesn't allow you to set the data port range, you will have to permit any gt 1023 (which is a large, gaping hole).
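As an added illustration of the advice above (example code written for this page, not posted by anyone in the thread): the script reads the pasv_min_port/pasv_max_port values from a vsftpd.conf fragment, builds the matching IOS ACL entries, and decodes the port a server actually advertises in its "227 Entering Passive Mode" reply so you can confirm it falls inside what the ACL permits. The server address a.b.c.d, the config fragment and the PASV reply are constructed placeholders; the control-channel entry using "eq ftp" is my assumption about the first permit line the answer refers to.

```python
import re

# Constructed vsftpd.conf fragment with an explicit passive data range.
VSFTPD_CONF = """
listen=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
"""

def pasv_range(conf_text):
    """Return (min, max) from pasv_min_port/pasv_max_port, or None if unset."""
    vals = dict(re.findall(r"^\s*(pasv_min_port|pasv_max_port)\s*=\s*(\d+)",
                           conf_text, re.M))
    if "pasv_min_port" not in vals or "pasv_max_port" not in vals:
        return None
    lo, hi = int(vals["pasv_min_port"]), int(vals["pasv_max_port"])
    if not (1023 < lo <= hi <= 65535):
        raise ValueError("passive range must lie within 1024-65535")
    return lo, hi

def acl_lines(server_ip, rng):
    """Control-channel entry plus a data entry bounded to the passive range.
    Without a known range the data entry has to be 'gt 1023', the wide-open
    fallback the answer warns about."""
    control = f"permit tcp any gt 1023 host {server_ip} eq ftp"   # assumed first line
    if rng is None:
        data = f"permit tcp any gt 1023 host {server_ip} gt 1023"
    else:
        data = f"permit tcp any gt 1023 host {server_ip} range {rng[0]} {rng[1]}"
    return [control, data]

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def pasv_port(reply):
    """Decode the data port from a 227 reply: port = p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV reply")
    return int(m.group(5)) * 256 + int(m.group(6))

def acl_permits(port, rng):
    """True if the advertised data port is inside the permitted range."""
    lo, hi = rng if rng else (1024, 65535)
    return lo <= port <= hi

if __name__ == "__main__":
    rng = pasv_range(VSFTPD_CONF)
    for line in acl_lines("a.b.c.d", rng):
        print(line)
    # Constructed reply: 195*256 + 88 = 50008, inside 50000-50100.
    port = pasv_port("227 Entering Passive Mode (192,0,2,10,195,88)")
    print(port, acl_permits(port, rng))
```

A server that advertises a port outside the range it was configured with (or that ignores the setting entirely) will show up here as a data port the ACL does not permit, which matches the "can log in but cannot list" symptom in the question.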
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: