Re: access-list help

From: Foltz (globalfx@xxxxxxxxxxxxxx)
Date: Thu Oct 26 2000 - 09:40:55 GMT-3


Yes the server initiates the connection on port 20 back to the client.

Richard Foltz, CCNP-Voice, CCNP, CCDP, MCSE+I, Network+, A+
Halifax (12/4-5/2000)
Network Infrastructure Engineer
ZettaWorks

----- Original Message -----
From: "Tony Olzak" <aolzak@buckeye-express.com>
To: "Jack Heney" <jheneyccie@hotmail.com>; <ramyers@cisco.com>;
<ccielab@groupstudy.com>
Sent: Thursday, October 26, 2000 12:00 AM
Subject: Re: access-list help

> I figured out the answer to my dumb question:
>
> If I configure an access-list as follows:
>
> interface serial 0
> ip access-group ftp in
> !
> ip access-list extended ftp
> permit tcp any range 20 21 any established
>
> That will allow source addresses with ports 20-21 with the ACK bit set to
> come through the router. Now, if what Jack says is correct, and the server
> initiates the session on port 20, then I'd have to change it to:
>
> ip access-list extended ftp
> permit tcp any eq 21 any established
> permit tcp any eq 20 any
>
> OK, now I just need to know if the server initiates the session on port 20
> or if the host does. That will make the difference in the access-list used.
>
> Tony
>
> ----- Original Message -----
> From: "Jack Heney" <jheneyccie@hotmail.com>
> To: <aolzak@buckeye-express.com>; <ramyers@cisco.com>;
> <ccielab@groupstudy.com>
> Sent: Wednesday, October 25, 2000 9:29 PM
> Subject: Re: access-list help
>
>
> > I did a little digging and the information I found indicates that the client
> > establishes a connection to port 21 for control purposes, but when the
> > client requests a data transfer the ftp server establishes a new connection
> > sourced from port 20 for the data transfer. I'm not sure how reliable this
> > info is, so if anyone knows definitively one way or the other please let me
> > know. Thanks, Jack
> >
> >
> > >From: "Tony Olzak" <aolzak@buckeye-express.com>
> > >Reply-To: "Tony Olzak" <aolzak@buckeye-express.com>
> > >To: "Jack Heney" <jheneyccie@hotmail.com>, <ramyers@cisco.com>,
> > ><ccielab@groupstudy.com>
> > >Subject: Re: access-list help
> > >Date: Wed, 25 Oct 2000 20:26:28 -0400
> > >
> > >Yea, that was a typo. I meant port 21.
> > >
> > >Anyway, yes your access-list will allow any established sessions to come
> > >back in, but it will allow ANY TCP sessions back instead of just FTP.
> > >
> > >In response to Jack, the source port will be 21 but the destination will be
> > >1024 if that's the port the host used when it initiated the session. Caslow
> > >has a section on this in the access-list portion of his book.
> > >
> > >
> > >Tony
> > >
> > >----- Original Message -----
> > >From: "Jack Heney" <jheneyccie@hotmail.com>
> > >To: <ramyers@cisco.com>; <aolzak@buckeye-express.com>;
> > ><ccielab@groupstudy.com>
> > >Sent: Wednesday, October 25, 2000 6:53 PM
> > >Subject: RE: access-list help
> > >
> > >
> > > > On a somewhat related note, I know FTP uses port 21 for control and port 20
> > > > for data. Let's say a host establishes an FTP connection from port 1024 to
> > > > port 21 and requests a file transfer. Is the resultant transfer sourced from
> > > > or destined for port 20? And if it is sourced from 20, is the destination
> > > > the same port as the original request (i.e. 1024)?
> > > > Thanks,
> > > > jack
> > > >
> > > >
> > > > >From: "Rasheim Myers" <ramyers@cisco.com>
> > > > >Reply-To: "Rasheim Myers" <ramyers@cisco.com>
> > > > >To: "Tony Olzak" <aolzak@buckeye-express.com>,
> <ccielab@groupstudy.com>
> > > > >Subject: RE: access-list help
> > > > >Date: Wed, 25 Oct 2000 18:23:33 -0400
> > > > >
> > > > >Hi Tony,
> > > > >
> > > > >The following inbound access-list line should help solve that problem:
> > > > >access-list 100 permit tcp any <host ip range> established
> > > > >note:
> > > > >I don't think you need the "eq ftp" for this line
> > > > >
> > > > >This will allow the "server" that you have established a connection with to
> > > > >return packets to your hosts. You used the telnet tcp port (23) in your
> > > > >email. That is probably just a typo. Remember that FTP uses 2 ports (21
> > > > >and 20).
> > > > >
> > > > >I hope this information helps out.
> > > > > -----Original Message-----
> > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > > > >Tony Olzak
> > > > > Sent: Wednesday, October 25, 2000 6:03 PM
> > > > > To: ccielab@groupstudy.com
> > > > > Subject: access-list help
> > > > >
> > > > >
> > > > > This should be simple, and I'm probably making this way too difficult, but
> > > > >how would you go about this access-list?
> > > > >
> > > > > This is an inbound access-list on a serial interface. The one line I'm
> > > > >having trouble with is this:
> > > > >
> > > > > FTP sessions are only allowed if established by a host on the router's
> > > > >ethernet segment.
> > > > >
> > > > > OK, that's great. Any host on the ethernet segment will send packets to
> > > > >port 23, but returning packets will be to whatever port above 1023 that the
> > > > >host chose to use. If I just say:
> > > > >
> > > > > access-list 100 permit tcp any <host ip range> establish eq ftp
> > > > >
> > > > > This would only allow packets IN that are destined for port 23 and have
> > > > >the ACK bit. This does me no good because the source host is not using port
> > > > >23 when trying to initiate an FTP session. If I say to any port greater than
> > > > >1023, then I'm allowing traffic that was not specified in the lab. Am I way
> > > > >off here? If so, how do I do this?
> > > > >
> > > > > Maybe the author of this practice lab didn't understand this procedure?
> > > > >
> > > > > Tony
> > > >
> > > >
> >
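The following is an added worked example written for this archive page; it is not code from the thread or from any of the posters. It models, in Python, how the two-line extended ACL Tony arrived at treats the active-mode FTP exchange that Jack and Richard describe: the client opens the control connection to server port 21, and the server then opens a separate data connection from source port 20 to the address and port the client announced in its PORT command. It also shows the caveat a practitioner would want before using such an ACL: "established" only tests the ACK/RST bit and keeps no connection state, and "permit tcp any eq 20 any" matches on source port alone, so any remote host that binds source port 20 can open a session to any port on the inside hosts. The ACE semantics modelled (top-down, first match wins, implicit deny), the port keywords, the addresses and the PORT command are assumptions of the example; the two ACL lines themselves are the ones quoted in the thread.

```python
"""Added model of the inbound extended ACL from this thread against active-mode FTP.
IOS semantics modelled: ACEs evaluated top-down, first match wins, implicit deny at
the end; 'established' matches only segments with ACK (or RST) set and keeps no state.
All addresses, ports and the PORT command below are constructed for the example."""
from collections import namedtuple
from dataclasses import dataclass

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23}   # subset of IOS port keywords

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ack: bool = False   # True when the ACK (or RST) bit is set

# src/dst are (address, wildcard) ints (wildcard bit set = don't care); ports are inclusive ranges
Ace = namedtuple("Ace", "action proto src sports dst dports established")

def _ip_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _parse_addr(t, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' starting at t[i]."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip_int(t[i + 1]), 0), i + 2
    return (_ip_int(t[i]), _ip_int(t[i + 1])), i + 2

def _parse_ports(t, i):
    """Consume optional 'eq N' | 'range A B' at t[i]; absent means any port."""
    if i < len(t) and t[i] == "eq":
        return (_port(t[i + 1]), _port(t[i + 1])), i + 2
    if i < len(t) and t[i] == "range":
        return (_port(t[i + 1]), _port(t[i + 2])), i + 3
    return (0, 65535), i

def parse_ace(line):
    """Parse one ACE in numbered ('access-list 100 permit ...') or named form."""
    t = line.split()
    if t[0] == "access-list":          # drop 'access-list <number>'
        t = t[2:]
    src, i = _parse_addr(t, 2)
    sports, i = _parse_ports(t, i)
    dst, i = _parse_addr(t, i)
    dports, i = _parse_ports(t, i)
    return Ace(t[0], t[1], src, sports, dst, dports, "established" in t[i:])

def _addr_match(spec, ip):
    addr, wildcard = spec
    return (_ip_int(ip) | wildcard) == (addr | wildcard)

def evaluate(acl, pkt):
    """Verdict for a TCP segment: first matching ACE wins, else implicit deny."""
    for ace in acl:
        if not (_addr_match(ace.src, pkt.src_ip) and _addr_match(ace.dst, pkt.dst_ip)):
            continue
        if (not ace.sports[0] <= pkt.src_port <= ace.sports[1]
                or not ace.dports[0] <= pkt.dst_port <= ace.dports[1]
                or (ace.established and not pkt.ack)):
            continue
        return ace.action
    return "deny"

def parse_port_command(cmd):
    """Decode the client's 'PORT h1,h2,h3,h4,p1,p2' (RFC 959): port = p1*256 + p2."""
    verb, _, args = cmd.strip().partition(" ")
    fields = [int(x) for x in args.split(",")]
    if verb.upper() != "PORT" or len(fields) != 6 or not all(0 <= f <= 255 for f in fields):
        raise ValueError("malformed PORT command: %r" % cmd)
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]

# The two ACEs Tony arrived at, applied inbound on the serial interface.
ACL_FROM_THREAD = ["permit tcp any eq 21 any established", "permit tcp any eq 20 any"]

def active_ftp_decisions():
    """Run constructed inbound segments through ACL_FROM_THREAD; return each verdict."""
    acl = [parse_ace(line) for line in ACL_FROM_THREAD]
    client, server, attacker = "10.1.1.5", "192.0.2.10", "198.51.100.7"
    # Client opened 10.1.1.5:1024 -> 192.0.2.10:21 and then sent PORT for its data socket.
    data_ip, data_port = parse_port_command("PORT 10,1,1,5,4,1")     # 10.1.1.5:1025
    cases = {
        # control-channel reply: source port 21 with ACK set -> ACE 1
        "control_reply": Packet(server, 21, client, 1024, ack=True),
        # active-mode data transfer: the SERVER opens a new session from port 20 -> ACE 2
        "data_syn": Packet(server, 20, data_ip, data_port),
        # ACE 2 tests only the source port: any host that binds port 20 reaches any service
        "attacker_sport20_to_telnet": Packet(attacker, 20, client, 23),
        # 'established' keeps no state: a bare ACK "from port 21" also passes ACE 1
        "attacker_ack_from_21": Packet(attacker, 21, client, 23, ack=True),
        # an ordinary inbound SYN from an ephemeral port falls through to the implicit deny
        "attacker_syn_ephemeral": Packet(attacker, 4444, client, 23),
    }
    return {name: evaluate(acl, pkt) for name, pkt in cases.items()}

if __name__ == "__main__":
    for name, verdict in active_ftp_decisions().items():
        print("%-28s %s" % (name, verdict))
```

Running it prints the verdict for each constructed segment. Passive-mode FTP (PASV) is deliberately not modelled: there the client opens the data connection to a server port above 1023, so the "eq 20" line never matches and only the "established" line covers the returning data traffic.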

This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:25:30 GMT-3