08-03-2007 02:43 AM - edited 03-03-2019 06:09 PM
Hi,
We added the ACL on the router for the FTP service, but while we can log in, we cannot "ls" or "dir". Is something missing? Please advise.
access-list 150 permit tcp any eq ftp host 202.x.x.x
access-list 150 permit tcp any eq ftp-data host 202.x.x.x
access-list 150 permit tcp any host 202.x.x.x range ftp-data ftp
08-03-2007 03:45 AM
(Depending on the software used) FTP also establishes connections on dynamically negotiated ports (over 1023).
access-list 150 permit tcp any gt 1023 host 202.x.x.x
access-list 150 permit tcp any host 202.x.x.x gt 1023
Also, your ACL is two-way. ACLs are always applied in one direction, but I guess you can apply the same ACL in both directions.
This opens up a lot of ports though.
08-03-2007 06:07 AM
Hi,
Is there any solution that does not require opening all TCP ports greater than 1024, or any workaround? Thanks.
Best regards
08-03-2007 06:19 AM
Hi,
If you want to access the FTP server from outside, please configure as below.
I am not able to see any NAT statement.
interface Ethernet0
ip address 10.1.1.2 255.255.255.0
ip nat inside
!
interface Serial0
ip address 192.168.10.1 255.255.255.252
ip nat outside
!
ip nat service list 10 ftp tcp port 2021
ip nat inside source static 10.1.1.1 20.20.20.1
!--- Static NAT translation for inside local address 10.1.1.1
!--- to inside global address 20.20.20.1.
!
access-list 10 permit 10.1.1.1
Troubleshooting commands:
show logging
show ip nat translations
If you would like to know more about NAT: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e76.shtml
Regards,
Dharmesh Purohit