Cisco Support Community

uy
New Member

problem with extended access list to allow ftp

ftp only works if i don't use access list or use:

permit ip src_IP1 dst_ip2

or both statements

permit tcp src_ip1 dst_ip2

permit udp src_ip1 dst_ip2

does not work with the following config:

int fastethernet 0/0
 ip address 172.16.53.131 255.255.255.0
 ip access-group FastEther_in in
!
ip access-list extended FastEther_in
 permit tcp 209.246.0.0 0.0.255.255 any eq ftp

what am i doing wrong?

2 REPLIES
Bronze

Re: problem with extended access list to allow ftp

Hi,

Add a "deny ip any any" statement towards the end of the above ACL with the log option, and see if you are getting FTP packets denied by the above ACL. As this ACL is being used as an inbound FW ACL, it could be because of the FTP server location, source IP address(es), FTP port being used, etc. etc.

You can try permitting "eq ftp-data" as well.

Thanks,

Afaq
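As an added illustration (not code from the thread), a small Python model of IOS extended-ACL matching run against the FastEther_in entry from the question: it implements wildcard-mask matching, first-match evaluation and the implicit deny, and shows that a client in 209.246.0.0/16 gets its control connection to port 21 permitted while a passive-mode data connection to a server ephemeral port falls through to the implicit deny, which is exactly what the suggested "deny ip any any log" entry would make visible. The client address 209.246.10.5 and the passive data port are constructed values; the server address is the one from the trace below.

```python
import ipaddress
from collections import namedtuple

PORT_NAMES = {"ftp": 21, "ftp-data": 20}  # IOS port keywords used in this thread
Packet = namedtuple("Packet", "proto src sport dst dport")

def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)

def parse_addr(t: list) -> tuple:
    """Consume 'any', 'host X' or 'X WILDCARD'; return (network, wildcard)."""
    tok = t.pop(0)
    if tok == "any": return "0.0.0.0", "255.255.255.255"
    return (t.pop(0), "0.0.0.0") if tok == "host" else (tok, t.pop(0))

def parse_port(t: list):
    """Consume an optional 'eq <port>' clause; None means any port."""
    if not (t and t[0] == "eq"): return None
    p = t[1]; del t[:2]
    return int(p) if p.isdigit() else PORT_NAMES[p]

def parse_ace(line: str) -> dict:
    """Parse entries like 'permit tcp 209.246.0.0 0.0.255.255 any eq ftp'."""
    t = line.split()
    ace = {"text": line, "action": t.pop(0), "proto": t.pop(0)}
    ace["src"], ace["sport"] = parse_addr(t), parse_port(t)
    ace["dst"], ace["dport"] = parse_addr(t), parse_port(t)
    ace["log"] = "log" in t  # trailing 'log' keyword, as in 'deny ip any any log'
    return ace

def evaluate(acl: list, pkt: Packet) -> tuple:
    """First match wins; an IOS ACL always ends in an implicit 'deny ip any any'."""
    for ace in map(parse_ace, acl):
        if (ace["proto"] in ("ip", pkt.proto)
                and wildcard_match(pkt.src, *ace["src"]) and wildcard_match(pkt.dst, *ace["dst"])
                and ace["sport"] in (None, pkt.sport) and ace["dport"] in (None, pkt.dport)):
            return ace["action"], ace["text"], ace["log"]
    return "deny", "implicit deny ip any any", False

FASTETHER_IN = ["permit tcp 209.246.0.0 0.0.255.255 any eq ftp"]  # the ACL from the question
# Constructed flows: client assumed inside 209.246.0.0/16, server address from the trace.
CONTROL = Packet("tcp", "209.246.10.5", 57076, "207.251.71.198", 21)       # control channel
PASV_DATA = Packet("tcp", "209.246.10.5", 57077, "207.251.71.198", 40123)  # passive data channel

if __name__ == "__main__":
    for pkt in (CONTROL, PASV_DATA):
        print(pkt, "->", evaluate(FASTETHER_IN + ["deny ip any any log"], pkt))
```

If the client's real address is outside 209.246.0.0/16, even the control connection hits the implicit deny, which is the other thing the logged deny entry would reveal.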

uy
New Member

Re: problem with extended access list to allow ftp

I monitored the ftp session from the client side and saw the correct src/dst IP pairs and the server using the ftp port.

(client is webproxy07, server is 207.251.71.198; the client initiates the connection inbound to the router)

Using device /dev/qfe (promiscuous mode)
webproxy07 -> 207.251.71.198 FTP C port=57076
207.251.71.198 -> webproxy07 FTP R port=57076
webproxy07 -> 207.251.71.198 FTP C port=57076
