Re: access-list help

From: Tony Olzak (aolzak@xxxxxxxxxxxxxxxxxxx)
Date: Thu Oct 26 2000 - 02:00:33 GMT-3


   
I figured out the answer to my dumb question:

If I configure an access-list as follows:

interface serial 0
ip access-group ftp in
!
ip access-list extended ftp
 permit tcp any range 20 21 any established

That will allow source addresses with ports 20-21 with the ACK bit set to
come through the router. Now, if what Jack says is correct, and the server
initiates the session on port 20, then I'd have to change it to:

ip access-list extended ftp
 permit tcp any eq 21 any established
 permit tcp any eq 20 any

OK, now I just need to know if the server initiates the session on port 20
or if the host does. That will make the difference in the access-list used.

Tony

----- Original Message -----
From: "Jack Heney" <jheneyccie@hotmail.com>
To: <aolzak@buckeye-express.com>; <ramyers@cisco.com>;
<ccielab@groupstudy.com>
Sent: Wednesday, October 25, 2000 9:29 PM
Subject: Re: access-list help

> I did a little digging and the information I found indicates that the
> client establishes a connection to port 21 for control purposes, but when
> the client requests a data transfer the ftp server establishes a new
> connection sourced from port 20 for the data transfer. I'm not sure how
> reliable this info is, so if anyone knows definitively one way or the
> other please let me know. Thanks, Jack
>
>
> >From: "Tony Olzak" <aolzak@buckeye-express.com>
> >Reply-To: "Tony Olzak" <aolzak@buckeye-express.com>
> >To: "Jack Heney" <jheneyccie@hotmail.com>, <ramyers@cisco.com>,
> ><ccielab@groupstudy.com>
> >Subject: Re: access-list help
> >Date: Wed, 25 Oct 2000 20:26:28 -0400
> >
> >Yea, that was a typo. I meant port 21.
> >
> >Anyway, yes your access-list will allow any established sessions to come
> >back in, but it will allow ANY TCP sessions back instead of just FTP.
> >
> >In response to Jack, the source port will be 21 but the destination will
> >be 1024 if that's the port the host used when it initiated the session.
> >Caslow has a section on this in the access-list portion of his book.
> >
> >
> >Tony
> >
> >----- Original Message -----
> >From: "Jack Heney" <jheneyccie@hotmail.com>
> >To: <ramyers@cisco.com>; <aolzak@buckeye-express.com>;
> ><ccielab@groupstudy.com>
> >Sent: Wednesday, October 25, 2000 6:53 PM
> >Subject: RE: access-list help
> >
> >
> > > On a somewhat related note, I know FTP uses port 21 for control and
> > > port 20 for data. Let's say a host establishes an FTP connection from
> > > port 1024 to port 21 and requests a file transfer. Is the resultant
> > > transfer sourced from or destined for port 20? And if it is sourced
> > > from 20, is the destination the same port as the original request
> > > (i.e. 1024)?
> > > Thanks,
> > > jack
> > >
> > >
> > > >From: "Rasheim Myers" <ramyers@cisco.com>
> > > >Reply-To: "Rasheim Myers" <ramyers@cisco.com>
> > > >To: "Tony Olzak" <aolzak@buckeye-express.com>,
<ccielab@groupstudy.com>
> > > >Subject: RE: access-list help
> > > >Date: Wed, 25 Oct 2000 18:23:33 -0400
> > > >
> > > >Hi Tony,
> > > >
> > > >The following inbound access-list line should help solve that
> > > >problem:
> > > >access-list 100 permit tcp any <host ip range> established
> > > >note:
> > > >I don't think you need the "eq ftp" for this line
> > > >
> > > >This will allow the "server" that you have established a connection
> > > >with to return packets to your hosts. You used the telnet tcp port
> > > >(23) in your email. That is probably just a typo. Remember that FTP
> > > >uses 2 ports (21 and 20).
> > > >
> > > >I hope this information helps out.
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf
> > > > Of Tony Olzak
> > > > Sent: Wednesday, October 25, 2000 6:03 PM
> > > > To: ccielab@groupstudy.com
> > > > Subject: access-list help
> > > >
> > > >
> > > > This should be simple, and I'm probably making this way too
> > > > difficult, but how would you go about this access-list?
> > > >
> > > > This is an inbound access-list on a serial interface. The one line
> > > > I'm having trouble with is this:
> > > >
> > > > FTP sessions are only allowed if established by a host on the
> > > > router's ethernet segment.
> > > >
> > > > OK, that's great. Any host on the ethernet segment will send packets
> > > > to port 23, but returning packets will be to whatever port above 1023
> > > > that the host chose to use. If I just say:
> > > >
> > > > access-list 100 permit tcp any <host ip range> eq ftp established
> > > >
> > > > This would only allow packets IN that are destined for port 23 and
> > > > have the ACK bit. This does me no good because the source host is not
> > > > using port 23 when trying to initiate an FTP session. If I say to any
> > > > port greater than 1023, then I'm allowing traffic that was not
> > > > specified in the lab. Am I way off here? If so, how do I do this?
> > > >
> > > > Maybe the author of this practice lab didn't understand this
> > > > procedure?
> > > >
> > > > Tony
> > >
> > >
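
The two access-lists Tony works through at the top of this message can be checked against sample traffic without a router. The following is an added example, not code from the original post: it models how IOS evaluates an extended ACL line (first match wins, implicit deny at the end, and `established` matching only segments with ACK or RST set) and runs both lists over a few constructed inbound segments. The port numbers and segments are made up for illustration.

```python
"""Added example: simulate Tony's two inbound ACLs on serial 0.

Not code from the original post. Models IOS extended-ACL matching:
first matching line wins, an unmatched segment hits the implicit deny,
and 'established' matches a TCP segment only when ACK or RST is set.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class Segment:
    """One inbound TCP segment as seen on serial 0 (constructed sample data)."""
    src_port: int
    dst_port: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


@dataclass(frozen=True)
class Rule:
    """A 'permit tcp any <src ports> any <dst ports> [established]' line.

    None for a port set means 'any'. 'range 20 21' is inclusive, so it is
    expressed here as range(20, 22).
    """
    src_ports: Optional[Sequence[int]] = None
    dst_ports: Optional[Sequence[int]] = None
    established: bool = False


def rule_matches(rule: Rule, seg: Segment) -> bool:
    if rule.src_ports is not None and seg.src_port not in rule.src_ports:
        return False
    if rule.dst_ports is not None and seg.dst_port not in rule.dst_ports:
        return False
    # 'established' matches when ACK or RST is set; a bare SYN never matches.
    if rule.established and not (seg.ack or seg.rst):
        return False
    return True


def acl_permits(acl: List[Rule], seg: Segment) -> bool:
    """First match wins; an IOS ACL ends with an implicit deny."""
    return any(rule_matches(rule, seg) for rule in acl)


# Tony's first list:  permit tcp any range 20 21 any established
ACL_ESTABLISHED_ONLY: List[Rule] = [
    Rule(src_ports=range(20, 22), established=True),
]

# Tony's second list: permit tcp any eq 21 any established
#                     permit tcp any eq 20 any
ACL_ACTIVE_FTP: List[Rule] = [
    Rule(src_ports=(21,), established=True),
    Rule(src_ports=(20,)),
]

# Constructed inbound segments (not captured traffic). Ports are illustrative.
SAMPLES: Dict[str, Segment] = {
    # server answering the client's control session (client used port 1024)
    "control_reply": Segment(src_port=21, dst_port=1024, ack=True),
    # server opening the active-mode data connection from port 20
    "data_syn": Segment(src_port=20, dst_port=1025, syn=True),
    # unsolicited SYN to the telnet port that merely uses source port 20
    "port20_to_telnet": Segment(src_port=20, dst_port=23, syn=True),
    # reply on an established HTTP session: not FTP at all
    "other_reply": Segment(src_port=80, dst_port=1026, ack=True),
}


def evaluate(acl: List[Rule]) -> Dict[str, bool]:
    """Return, per sample segment, whether the ACL permits it inbound."""
    return {name: acl_permits(acl, seg) for name, seg in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("established only", ACL_ESTABLISHED_ONLY),
                       ("active ftp", ACL_ACTIVE_FTP)):
        print(label, evaluate(acl))
```

Running it shows the trade-off in the message: the first list drops the server's port-20 SYN, so an active-mode data transfer never gets through, while the second list admits that SYN but, because its second line has no `established` keyword, it also admits any other inbound segment that happens to carry source port 20, such as the constructed SYN to port 23 above. Neither list admits the HTTP reply, since both still restrict the source port to 20 and 21.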



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:25:30 GMT-3