Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

passive ftp not working on 2811

Hello all,

We recently replaced a pix 501 with a cisco 2811 in our head office. We have created and applied access lists and everything is working fine now except our passive ftp. Some of our clients who try to access our as400 via ftp can connect but cannot copy or view any listings in the directory. We are using the following lines in our access-list to control incoming ftp access.

access-list 111 permit tcp any gt 1023 host xxx.xx.xx.xxx eq ftp

access-list 111 permit tcp any gt 1023 host xxx.xx.xx.xxx gt 1023 established log

Please suggest.

Thanks in advance.

3 REPLIES
New Member

Re: passive ftp not working on 2811

For "passive" FTP, the connections will NOT be established as the client connects back to the server, source and destination ports > 1023. You cannot key these connections with "established".

Most FTP servers will allow you to specify a range of ports to use for incoming passive data connections. In vsftpd for example you can set "pasv_min_port" and "pasv_max_port" in /etc/vsftpd/vsftpd.conf to specify a range of ports to offer for passive data connections. You can then alter your second access-list permit to specify:

permit tcp any gt 1023 host a.b.c.d range min max

where "min" and "max" are the ports specified above.

If your server doesn't allow you to set the data port range, you will have to permit any gt 1023 (which is a large, gaping hole).

New Member

Re: passive ftp not working on 2811

Hi,

Hope FTP works with port 21 for authentication and port 20 for data transfer.

Hence please add the following ACL

access-list 111 permit tcp any gt 1023 host xxx.xx.xx.xxx eq ftp-data(port 20) and try.

Thanks...

New Member

Re: passive ftp not working on 2811

Hi,

We got our passive FTP working. We had to add CBAC in order for passive FTP to work on IOS version equipped with security. We added the following lines to our config:

ip inspect audit-trail

ip inspect name FTPRULENAME ftp alert on audit-trail on timeout 3600

Then in our access list on our external interface, we added these lines

access-list 101 permit tcp any gt 1023 host xxx.xx.xxx.xx eq ftp

access-list 101 permit tcp any gt 1023 host xxx.xx.xxx.xx gt 1023 established log

Now our passive FTP is working no problems.

331
Views
0
Helpful
3
Replies
CreatePlease to create content