From: z z (ccie_99@xxxxxxxxx)
Date: Wed Oct 18 2000 - 09:07:58 GMT-3
Hi Johnson,
In case two, you mean both the ftp-program and ftp-data ports are on the server? I thought the ftp-data port is on the client.
thanks
-----Original Message-----
From: Johnson, Charles
To: 'z z'; ccielab@groupstudy.com
Sent: 18/10/2000 6:51 PM
Subject: RE: simple access-list question
If the client supports passive-ftp, it is easy: allow both ports out from the client and tcp-established in to the client (or allow both ports FROM the server).

Classic ftp is not that simple. 1) Allow traffic from the client TO port 21 on the server (Cisco calls port 21 "ftp") and, of course, allow the established packets back TO the client. If you don't like the established keyword, you can allow traffic FROM port 21 on the server TO the client. 2) Allow traffic FROM port 20 on the server (Cisco calls port 20 "ftp-data") to the client and, of course, allow the established packets from the client to get to port 20 (ftp-data) at the server.

So, the answer to your simple question below is yes.
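The four classic-ftp rules above, as an added example that is not part of the thread: a small Python model of first-match access-list evaluation (implicit deny at the end, `established` matching only segments with ACK or RST) run over the packets of one active-mode session. The addresses, ephemeral ports and ACL numbers in the comments are assumptions.

```python
# Model of the "classic" (active) FTP access-list logic from the reply above.
# Constructed example: addresses and ACL numbers are assumptions, not from the thread.
CLIENT = "10.1.1.10"      # assumed client address
SERVER = "192.0.2.25"     # assumed server address
FTP, FTP_DATA = 21, 20    # IOS names these "ftp" and "ftp-data"
ANY = None                # wildcard for a port

def rule(src, sport, dst, dport, established=False):
    """One 'permit tcp' line; ANY matches any port."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "established": established}

# Rules for traffic FROM the client. Assumed IOS equivalent:
#   access-list 101 permit tcp host 10.1.1.10 host 192.0.2.25 eq ftp
#   access-list 101 permit tcp host 10.1.1.10 host 192.0.2.25 eq ftp-data established
FROM_CLIENT = [
    rule(CLIENT, ANY, SERVER, FTP),                         # client opens control channel
    rule(CLIENT, ANY, SERVER, FTP_DATA, established=True),  # client replies on data channel
]
# Rules for traffic FROM the server TO the client. Assumed IOS equivalent:
#   access-list 102 permit tcp host 192.0.2.25 eq ftp host 10.1.1.10 established
#   access-list 102 permit tcp host 192.0.2.25 eq ftp-data host 10.1.1.10
TO_CLIENT = [
    rule(SERVER, FTP, CLIENT, ANY, established=True),       # control-channel replies
    rule(SERVER, FTP_DATA, CLIENT, ANY),                    # server opens data channel
]

def permitted(acl, src, sport, dst, dport, flags):
    """First-match evaluation; falling off the end is the implicit deny."""
    for r in acl:
        if (r["src"], r["dst"]) != (src, dst):
            continue
        if r["sport"] not in (ANY, sport) or r["dport"] not in (ANY, dport):
            continue
        # 'established' matches only segments with ACK or RST set, so the
        # initial SYN of a new connection never matches such a line.
        if r["established"] and not (flags & {"ACK", "RST"}):
            continue
        return True
    return False

def active_ftp_session(cport=40001, dport=40002):
    """Verdict for each packet of one active-mode session, in order."""
    packets = [
        ("ctl-syn",       FROM_CLIENT, CLIENT, cport, SERVER, FTP, {"SYN"}),
        ("ctl-synack",    TO_CLIENT, SERVER, FTP, CLIENT, cport, {"SYN", "ACK"}),
        ("data-syn",      TO_CLIENT, SERVER, FTP_DATA, CLIENT, dport, {"SYN"}),
        ("data-synack",   FROM_CLIENT, CLIENT, dport, SERVER, FTP_DATA, {"SYN", "ACK"}),
        ("new-syn-to-20", FROM_CLIENT, CLIENT, dport, SERVER, FTP_DATA, {"SYN"}),  # blocked
    ]
    return {name: permitted(acl, *rest) for name, acl, *rest in packets}
```

Note that in the data channel the well-known port (20) sits on the server side as the source, while the client side is an ephemeral port, which is why the client-side rules use the wildcard.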
-----Original Message-----
From: z z [mailto:ccie_99@yahoo.com]
Sent: Tuesday, October 17, 2000 9:59 PM
To: ccielab@groupstudy.com
Subject: simple access-list question
a simple question. just do not have a pc to test it:
> if asked to configure access-list for ftp,
> shall we consider both the ftp-program and ftp-data?
>
> if yes, shall we put the ftp-program (as the
> destination tcp port) on the outbound, and put the
> ftp-data (also destination tcp port?) on the inbound?
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:25:27 GMT-3