RE: simple access-list question

From: Dennis Hartmann (sanester8@xxxxxxxxx)
Date: Wed Oct 18 2000 - 15:11:33 GMT-3

I have learned that the client may use both ports 20
and 21 for different operations. This is why most
cable modem providers do not block port 20 (ftp-data)
even though they don't want people hosting FTP servers
over their personal cable modem connections. There
was an article in an old issue of Cisco's Internet
Protocol Journal (www.cisco.com/ipj/) written by Tom
Thomas in relation to this phenomenon.

Sincerely,

Dennis Hartmann
AT&T GNS R&D
CCNP/CCDP/MCSE

--- z z <ccie_99@yahoo.com> wrote:
> Hi Johnson
>
>
> in case two you mean both the ftp-program and ftp-data ports are on the
> server?
> I thought ftp-data port is on the client.
>
> thanks
>
>
> -----Original Message-----
> From: Johnson, Charles
> To: 'z z'; ccielab@groupstudy.com
> Sent: 18/10/2000 6:51 PM
> Subject: RE: simple access-list question
>
> If the client supports passive-ftp, it is easy: allow both ports out
> from the client and tcp-established in to the client (or allow both
> ports FROM the server)
>
> Classic ftp is not that simple. 1) allow traffic from the client TO port
> 21 on the server (cisco calls port 21 "ftp") and, of course, allow the
> established packets back TO the client. If you don't like the
> established key word, you can allow traffic FROM port 21 on the server
> TO the client. 2) allow traffic FROM port 20 on the server (cisco calls
> port 20 ftp-data) to the client and, of course, allow the established
> packets from the client to get to port 20 (ftp-data) at the server.
>
> So, the answer to your simple question below is yes.
>
> -----Original Message-----
> From: z z [mailto:ccie_99@yahoo.com]
> Sent: Tuesday, October 17, 2000 9:59 PM
> To: ccielab@groupstudy.com
> Subject: simple access-list question
>
>
>
> a simple question. just do not have pc to test it:
> > if asked to configure access-list for ftp. shall we consider both the
> > ftp-program and ftp-data?
> >
> > if yes, shall we put the ftp-program (as the destination tcp port) on
> > the outbound, and put the ftp-data (also destination tcp port?) on the
> > inbound?
>
>
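As an added example (not code from this thread or from Cisco), the following small Python model of extended-ACL evaluation applies the inbound-to-client rules Charles describes to sample FTP packets, showing why classic (active) FTP needs an explicit permit for traffic sourced from server port 20 while passive FTP gets by on `established` alone. Addresses, ports and the tuple rule encoding are constructed for the example.

```python
from dataclasses import dataclass

CLIENT, SERVER = "10.1.1.5", "192.0.2.10"  # constructed sample addresses

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    established: bool  # IOS "established": ACK or RST set, i.e. not a bare SYN

def matches(rule, p):
    """rule = (action, src, sport, dst, dport, established_only); None = any."""
    _, src, sport, dst, dport, est = rule
    return ((src is None or src == p.src) and (sport is None or sport == p.sport)
            and (dst is None or dst == p.dst) and (dport is None or dport == p.dport)
            and (not est or p.established))

def evaluate(acl, p):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for rule in acl:
        if matches(rule, p):
            return rule[0]
    return "deny"

# Both ACLs are applied INBOUND toward the client, as in the thread.
# Passive-only: "tcp-established in to the client" and nothing else.
PASSIVE_ONLY = [("permit", SERVER, None, CLIENT, None, True)]
# Classic: replies from port 21, plus server-initiated data from port 20.
# Caveat: the port-20 entry admits any new connection that merely sources
# from port 20; stateful inspection (reflexive ACLs, CBAC) avoids that.
CLASSIC = [("permit", SERVER, 21, CLIENT, None, True),
           ("permit", SERVER, 20, CLIENT, None, False)]

# Sample packets: active FTP has the SERVER open the data connection from
# port 20 (a SYN, so not "established"); passive FTP has the server only reply.
SAMPLES = {
    "control_reply": Pkt(SERVER, 21, CLIENT, 1024, established=True),
    "active_data_syn": Pkt(SERVER, 20, CLIENT, 1025, established=False),
    "passive_data_reply": Pkt(SERVER, 49152, CLIENT, 1026, established=True),
}

def ftp_results(acl):
    """Map each sample packet name to the ACL verdict."""
    return {name: evaluate(acl, p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, acl in [("passive-only", PASSIVE_ONLY), ("classic", CLASSIC)]:
        print(name, ftp_results(acl))
```

Running it shows the passive-only ACL dropping the active data SYN and the classic ACL dropping the passive data reply, which is why an ACL written for one mode breaks the other.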



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:25:27 GMT-3