ACL for FTP

leungcm
Level 1

Hi,

We added the ACL on the router for the FTP service, but although we can log in, we cannot "ls" or "dir". Is something missing? Please advise.

access-list 150 permit tcp any eq ftp host 202.x.x.x
access-list 150 permit tcp any eq ftp-data host 202.x.x.x
access-list 150 permit tcp any host 202.x.x.x range ftp-data ftp

3 Replies

Pavel Bykov
Level 5

(Depending on the software used) FTP also establishes connections on dynamically negotiated ports (over 1023).

access-list 150 permit tcp any gt 1023 host 202.x.x.x
access-list 150 permit tcp any host 202.x.x.x gt 1023

Also, your ACL is two-way. ACLs are always applied in one direction. But I guess you can apply the same ACL in both directions.

This opens up a lot of ports though.

Hi,

Is there any solution so that we do not need to open all TCP ports greater than 1024? Or any workaround? Thanks.

Best regards
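An added example (not from any poster in this thread): a small evaluator for the IOS extended ACL lines posted above, plus the `gt 1023` line from the first reply, run against the three TCP flows FTP needs. It assumes the ACL is applied inbound toward the server and uses constructed placeholder addresses in place of 202.x.x.x and the client; it shows why the control connection (login) passes while a passive-mode data connection (`ls`) is dropped by the original lines.

```python
NAMED_PORTS = {"ftp": 21, "ftp-data": 20}

def _port_ok(op, port):  # op is None (any port) or (kind, n[, m]) from eq/gt/lt/range
    if op is None:
        return True
    return {"eq": port == op[1], "gt": port > op[1], "lt": port < op[1],
            "range": op[1] <= port <= op[-1]}[op[0]]

def _endpoint(toks, i):  # 'any' | 'host A.B.C.D' | bare A.B.C.D (read as host), then optional port op
    addr = None if toks[i] == "any" else toks[i + 1] if toks[i] == "host" else toks[i]
    i += 2 if toks[i] == "host" else 1
    op = None
    if i < len(toks) and toks[i] in ("eq", "gt", "lt", "range"):
        n = 2 if toks[i] == "range" else 1
        op = (toks[i], *(NAMED_PORTS.get(t) or int(t) for t in toks[i + 1:i + 1 + n]))
        i += 1 + n
    return addr, op, i

def parse_acl(text):  # access-list N permit|deny tcp <src> [op] <dst> [op] [established]
    rules = []
    for line in text.strip().splitlines():
        toks = line.split()
        src, sop, i = _endpoint(toks, 4)
        dst, dop, i = _endpoint(toks, i)
        rules.append((toks[2] == "permit", src, sop, dst, dop, "established" in toks[i:]))
    return rules

def evaluate(rules, src, sport, dst, dport, new_conn=True):  # first match wins, implicit deny
    for permit, rs, sop, rd, dop, est in rules:  # 'established' matches only non-SYN (reply) packets
        if (rs in (None, src) and rd in (None, dst) and _port_ok(sop, sport)
                and _port_ok(dop, dport) and not (est and new_conn)):
            return permit
    return False

SERVER, CLIENT = "203.0.113.10", "198.51.100.7"   # constructed placeholders for 202.x.x.x and a client
POSTED_ACL = """access-list 150 permit tcp any eq ftp host 203.0.113.10
access-list 150 permit tcp any eq ftp-data host 203.0.113.10
access-list 150 permit tcp any host 203.0.113.10 range ftp-data ftp"""
PAVEL_EXTRA = "access-list 150 permit tcp any host 203.0.113.10 gt 1023"   # the line added in reply 1

def ftp_flows(acl_text):  # inbound-to-server view of the three flows FTP needs
    r = parse_acl(acl_text)
    return {"control": evaluate(r, CLIENT, 49152, SERVER, 21),                      # client opens port 21
            "active_data": evaluate(r, CLIENT, 49153, SERVER, 20, new_conn=False),  # client's ACK to server:20
            "passive_data": evaluate(r, CLIENT, 49154, SERVER, 50000)}              # client opens a high port

if __name__ == "__main__":
    print("posted ACL:", ftp_flows(POSTED_ACL))            # passive_data False: why 'ls' hangs in passive mode
    print("with gt 1023 line:", ftp_flows(POSTED_ACL + "\n" + PAVEL_EXTRA))
```

A stateless ACL cannot learn the data port negotiated inside the control channel, so avoiding the broad `gt 1023` opening needs stateful FTP inspection on the router (CBAC's `ip inspect name ... ftp` on IOS) rather than a different set of static lines.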

purohit_810
Level 5

Hi,

If you want to access the FTP server from outside, please configure as below:

I am not able to see any NAT statement.

interface Ethernet0
ip address 10.1.1.2 255.255.255.0
ip nat inside
!
interface Serial0
ip address 192.168.10.1 255.255.255.252
ip nat outside
!
ip nat service list 10 ftp tcp port 2021
ip nat inside source static 10.1.1.1 20.20.20.1
!--- Static NAT translation for inside local address 10.1.1.1
!--- to inside global address 20.20.20.1.
!
access-list 10 permit 10.1.1.1

Troubleshooting commands:

show logging

show ip nat translations

If you want to know more about NAT: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e76.shtml

Regards,

Dharmesh Purohit
