access list for ftp

Discussion in 'Cisco' started by Ramon Barquier, Jan 22, 2004.

  1. Hi,

    we have an access-list in our router to permit FTP traffic only to
    certain destination IPs. The rules are:

    access-list 102 permit tcp any host aaa.bbb.ccc.ddd eq 21
    access-list 102 permit tcp any eq ftp-data host aaa.bbb.ccc.ddd gt 1023

    This works fine with FTP commands, but not when attempting to make a browser
    connection to the FTP server.

    Any suggestion on how I should write this rule?


    --
    Ramón Barquier Montalbán
    Servei d'Informàtica

    Edifici D
    Campus de la UAB
    08193 Bellaterra. Barcelona
    Tel. +34 935 811 488 Fax: +34 935 812 094

    www.uab.es/si
     
    Ramon Barquier, Jan 22, 2004
    #1

  2. :we have an access-list in our router to permit FTP traffic only to
    :certain destination IPs. The rules are:

    :access-list 102 permit tcp any host aaa.bbb.ccc.ddd eq 21
    :access-list 102 permit tcp any eq ftp-data host aaa.bbb.ccc.ddd gt 1023

    :This works fine with FTP commands, but not when attempting to make a browser
    :connection to the FTP server.

    Speculating here:

    - the browsers might be attempting to contact the remote host on port 20
    (ftp-data)

    - the browsers might be using passive ftp from a port other than
    port ftp-data.

    At the end of your list, put in

    access-list 102 deny ip any any log-input

    and monitor your logs to see what is being attempted.
     
    Walter Roberson, Jan 22, 2004
    #2
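    An added example, not from the thread or either poster: it models the thread's access-list 102 as a first-match rule list in Python and evaluates it against the control connection, a data connection sourced from port ftp-data (20), a passive-mode data connection and a direct attempt on port 20, showing which line each flow hits once the suggested `deny ip any any log-input` is appended. The addresses and port numbers are constructed stand-ins for aaa.bbb.ccc.ddd and a browser client.

```python
from dataclasses import dataclass

# Constructed addresses standing in for aaa.bbb.ccc.ddd and a browser client.
FTP_SERVER = "192.0.2.10"
CLIENT = "198.51.100.7"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def port_ok(cond, port):
    """cond is None (any port), ('eq', n) or ('gt', n), mirroring the IOS syntax."""
    if cond is None:
        return True
    op, n = cond
    return port == n if op == "eq" else port > n


# access-list 102 from the thread, one tuple per ACE (action, src, sport cond,
# dst, dport cond), plus the explicit 'deny ip any any log-input' the reply
# suggests appending so that rejected flows show up in the log.
ACL_102 = [
    ("permit", "any", None, FTP_SERVER, ("eq", 21)),          # control channel
    ("permit", "any", ("eq", 20), FTP_SERVER, ("gt", 1023)),  # src ftp-data -> high port
    ("deny", "any", None, "any", None),                       # deny ip any any log-input
]


def evaluate(pkt, acl=ACL_102):
    """Return (action, index of the matching ACE); first match wins, as in IOS."""
    for i, (action, src, sp, dst, dp) in enumerate(acl):
        if src not in ("any", pkt.src) or dst not in ("any", pkt.dst):
            continue
        if port_ok(sp, pkt.sport) and port_ok(dp, pkt.dport):
            return action, i
    return "deny", None  # implicit deny at the end of every IOS ACL


# Flows toward the server, as the ACL sees them (constructed sample traffic).
CONTROL = Packet(CLIENT, 40001, FTP_SERVER, 21)
FTP_DATA_SOURCED = Packet(CLIENT, 20, FTP_SERVER, 40002)  # the only data flow ACE 2 permits
PASSIVE_DATA = Packet(CLIENT, 40003, FTP_SERVER, 50123)   # ephemeral -> ephemeral: no match
PORT_20_ATTEMPT = Packet(CLIENT, 40004, FTP_SERVER, 20)   # the reply's first guess

if __name__ == "__main__":
    for name in ("CONTROL", "FTP_DATA_SOURCED", "PASSIVE_DATA", "PORT_20_ATTEMPT"):
        print(name, evaluate(globals()[name]))
```

    Passing `ACL_102[:2]` as the second argument shows the same flows against the original two lines alone, where the rejected ones fall through to the silent implicit deny instead of the logged line.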
