Cisco Support Community
New Member

ACL for FTP

Hi,

We added the ACL on the router for the FTP service. We can log in, but we cannot "ls" or "dir". Is something missing? Please advise.

access-list 150 permit tcp any eq ftp host 202.x.x.x

access-list 150 permit tcp any eq ftp-data host 202.x.x.x

access-list 150 permit tcp any host 202.x.x.x range ftp-data ftp

3 REPLIES
Silver

Re: ACL for FTP

(Depending on the software used) FTP also establishes connections on dynamically negotiated ports (over 1023).

access-list 150 permit tcp any gt 1023 host 202.x.x.x

access-list 150 permit tcp any host 202.x.x.x gt 1023

Also, your ACL is two-way. ACLs are always applied in one direction, but I guess you can apply the same ACL in both directions.

This opens up a lot of ports though.

New Member

Re: ACL for FTP

Hi,

Is there any solution where we do not need to open all TCP ports greater than 1024, or any workaround? Thanks.

Best regards
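The question's ACL, the first reply's `gt 1023` entry and the narrower option asked about above, worked through as an added example that is not part of this thread: a small Python evaluator for the subset of IOS extended-ACL syntax used here (`any`, `host`, `eq`/`gt`/`lt`/`range`, the names `ftp` and `ftp-data`), run against constructed FTP control, active-data and passive-data flows as seen inbound toward the server. The addresses (203.0.113.10 for the server, 198.51.100.7 for a client) and the pinned passive range 50000-50100 are assumptions for the example, not values from the thread.

```python
"""Evaluate IOS-style extended ACL entries (the subset used in this thread)
against constructed FTP flows, with first-match / implicit-deny semantics."""
from dataclasses import dataclass
from typing import Dict, List, Optional

PORT_NAMES = {"ftp": 21, "ftp-data": 20}
SERVER = "203.0.113.10"  # constructed placeholder for the FTP server (TEST-NET-3)
CLIENT = "198.51.100.7"  # constructed placeholder for an outside client (TEST-NET-2)


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class PortMatch:
    op: str  # eq | gt | lt | range
    lo: int
    hi: int = 0

    def matches(self, port: int) -> bool:
        if self.op == "eq":
            return port == self.lo
        if self.op == "gt":
            return port > self.lo
        if self.op == "lt":
            return port < self.lo
        return self.lo <= port <= self.hi  # range


@dataclass
class Entry:
    action: str                 # permit | deny
    src: Optional[str]          # None means "any"
    sport: Optional[PortMatch]
    dst: Optional[str]
    dport: Optional[PortMatch]

    def matches(self, f: Flow) -> bool:
        return ((self.src is None or self.src == f.src_ip)
                and (self.sport is None or self.sport.matches(f.src_port))
                and (self.dst is None or self.dst == f.dst_ip)
                and (self.dport is None or self.dport.matches(f.dst_port)))


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_entry(line: str) -> Entry:
    """Parse e.g. 'access-list 150 permit tcp any eq ftp host 203.0.113.10'."""
    toks = line.split()
    if toks[0] != "access-list" or toks[3] != "tcp":
        raise ValueError(f"unsupported entry: {line}")
    pos = 4

    def address() -> Optional[str]:
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return None
        if toks[pos] == "host":
            pos += 2
            return toks[pos - 1]
        raise ValueError(f"expected 'any' or 'host' at: {' '.join(toks[pos:])}")

    def ports() -> Optional[PortMatch]:
        nonlocal pos
        if pos >= len(toks):
            return None
        if toks[pos] in ("eq", "gt", "lt"):
            pm = PortMatch(toks[pos], _port(toks[pos + 1]))
            pos += 2
            return pm
        if toks[pos] == "range":
            pm = PortMatch("range", _port(toks[pos + 1]), _port(toks[pos + 2]))
            pos += 3
            return pm
        return None

    src, sport, dst, dport = address(), ports(), address(), ports()
    return Entry(toks[2], src, sport, dst, dport)


def evaluate(acl: List[str], f: Flow) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for line in acl:
        entry = parse_entry(line)
        if entry.matches(f):
            return entry.action
    return "deny"


# The question's ACL (with the host keyword the syntax requires).
ORIGINAL_ACL = [
    f"access-list 150 permit tcp any eq ftp host {SERVER}",
    f"access-list 150 permit tcp any eq ftp-data host {SERVER}",
    f"access-list 150 permit tcp any host {SERVER} range ftp-data ftp",
]
# The first reply's fix: anything from a port above 1023 may reach the server.
WIDE_OPEN_ACL = ORIGINAL_ACL + [f"access-list 150 permit tcp any gt 1023 host {SERVER}"]
# Narrower alternative; assumes the server's passive range is pinned to 50000-50100.
PINNED_ACL = ORIGINAL_ACL + [
    f"access-list 150 permit tcp any gt 1023 host {SERVER} range 50000 50100"]

# Constructed sample flows, all as seen inbound toward the server.
FLOWS = {
    "control (login, dst 21)": Flow(CLIENT, 40000, SERVER, 21),
    "active data reply (dst 20)": Flow(CLIENT, 40001, SERVER, 20),
    "passive data (dst 50042)": Flow(CLIENT, 40002, SERVER, 50042),
    "unrelated service (dst 8080)": Flow(CLIENT, 40003, SERVER, 8080),
}


def outcomes(acl: List[str]) -> Dict[str, str]:
    """Map each sample flow to the action the ACL takes on it."""
    return {name: evaluate(acl, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("gt 1023", WIDE_OPEN_ACL),
                       ("pinned range", PINNED_ACL)):
        print(f"--- {label} ---")
        for name, action in outcomes(acl).items():
            print(f"  {action:6s} {name}")
```

Run it and the three tables show the mechanics behind the symptom: with the original ACL the login flow is permitted (entry 3 covers destination port 21) and an active-mode transfer also works, because the client's answer to the server-initiated connection arrives at destination port 20, but a passive-mode transfer, where the client connects to a server-chosen port above 1023, matches nothing and is dropped, which is exactly a directory listing failing after a successful login when the client uses PASV. Entries 1 and 2 match packets whose source port is 21 or 20, which inbound traffic toward the server never carries, so they are dead in that direction (the "two-way" point in the first reply). The `gt 1023` entry permits the passive transfer but also admits the unrelated 8080 flow, the reply's "opens up a lot of ports" caveat; a range entry matching a pinned passive range on the server permits only the transfer ports.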

Silver

Re: ACL for FTP

Hi,

If you access the FTP server from outside, please configure as below:

I am not able to see any NAT statement.

interface Ethernet0

ip address 10.1.1.2 255.255.255.0

ip nat inside

!

interface Serial0

ip address 192.168.10.1 255.255.255.252

ip nat outside

!

ip nat service list 10 ftp tcp port 2021

ip nat inside source static 10.1.1.1 20.20.20.1

!--- Static NAT translation for inside local address 10.1.1.1

!--- to inside global address 20.20.20.1.

!

access-list 10 permit 10.1.1.1

Troubleshooting commands:

show logging

show ip nat translations

If you want to know more about NAT: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e76.shtml

Regards,

Dharmesh Purohit
