
Deny FTP Access

If I want to define an access list to prevent any host on subnet 10.0.1.0/24 from obtaining FTP access to server 10.0.2.5, can I use the single access-list statement:

access-list 101 deny tcp 10.0.1.0 0.0.0.255 host 10.0.2.5 eq ftp

or, because FTP uses both ports 20 and 21, do I have to enter two separate statements:

access-list 101 deny tcp 10.0.1.0 0.0.0.255 host 10.0.2.5 eq 20

and

access-list 101 deny tcp 10.0.1.0 0.0.0.255 host 10.0.2.5 eq 21

3 REPLIES

Re: Deny FTP Access

A single statement would suffice.

However, the ACL is port based; if the FTP server is using a port other than 21, then FTP would still be allowed.

Better to use NBAR, which actually inspects the protocol and can identify FTP data even if the FTP service is hosted on different ports.

Here's the link for NBAR:

http://www.cisco.com/en/US/products/ps6616/products_ios_protocol_group_home.html

The solution purely depends on your infrastructure. If the destination FTP server also resides in your domain, then you might have knowledge of the port the FTP service is running on...

Re: Deny FTP Access

Hi there,

I think you'd better try the next ACLs, which contain the two ports 20 and 21 of FTP, to avoid the standard and passive modes of FTP connections.

Marwan


Re: Deny FTP Access

Not needed, because 21 is used by the server to the client, which will be dropped anyway if not explicitly allowed in the ACL.
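An added example, not code from this thread: a small Python model of IOS extended-ACL matching (a subset of the syntax only) run over the asker's single `eq ftp` entry plus an assumed trailing `permit ip any any`, against constructed client-to-server FTP packets. It shows that the one entry blocks the control connection every data channel depends on, and, as the first reply cautions, that a server listening on a non-standard port is not matched by a port-based entry.

```python
import ipaddress

# Handles this subset of IOS extended-ACL syntax (an assumption: no source-port
# operator, no "range"):  access-list N {permit|deny} {tcp|ip} SRC DST [eq PORT]
# where SRC/DST is "any", "host A.B.C.D" or "A.B.C.D WILDCARD".
PORT_NAMES = {"ftp": 21, "ftp-data": 20}  # IOS keywords for the FTP ports

def _addr(tok):
    """Consume one address spec; return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # An IOS wildcard mask is the bitwise inverse of the subnet mask
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(tok[1])) & 0xFFFFFFFF)
    return ipaddress.ip_network((tok[0], str(netmask)), strict=False), tok[2:]

def parse_ace(line):
    t = line.split()  # e.g. access-list 101 deny tcp 10.0.1.0 0.0.0.255 host 10.0.2.5 eq ftp
    src, rest = _addr(t[4:])
    dst, rest = _addr(rest)
    dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst, "dport": dport}

def evaluate(acl, proto, src, dst, dport):
    """Action of the first matching ACE; every IOS ACL ends in an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if (ace["proto"] in (proto, "ip") and s in ace["src"] and d in ace["dst"]
                and ace["dport"] in (None, dport)):
            return ace["action"]
    return "deny"

# The asker's single line plus an assumed trailing permit, applied inbound on the
# interface facing 10.0.1.0/24, so only client-to-server packets are evaluated.
ACL = [parse_ace(l) for l in (
    "access-list 101 deny tcp 10.0.1.0 0.0.0.255 host 10.0.2.5 eq ftp",
    "access-list 101 permit ip any any",
)]

def ftp_flows(client="10.0.1.7"):
    """Constructed client-to-server packets of one FTP session, checked against ACL."""
    srv = "10.0.2.5"
    return {
        "control to port 21": evaluate(ACL, "tcp", client, srv, 21),
        "passive data to a high port": evaluate(ACL, "tcp", client, srv, 50123),
        "active data, reply to server port 20": evaluate(ACL, "tcp", client, srv, 20),
        "ftp server on non-standard 2121": evaluate(ACL, "tcp", client, srv, 2121),
    }
```

The data-channel packets are permitted by the ACL itself, but no data channel can be opened once the control connection to port 21 is denied; drop the trailing permit and the implicit deny at the end of the list blocks every flow instead.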
