From: Johnson, Charles (Charles.Johnson@xxxxxxxxxx)
Date: Thu Oct 26 2000 - 12:26:45 GMT-3
Jack,
The transfer is sourced from port 20 on the ftp server. I can't find a reference to which high port it will go to. Not the one the original request came from since it is in use. Most likely the next higher port not in use. It may vary between different implementations.
For this exercise, I would use an access-group in:
ip access-list extended ftp
permit tcp any eq 21 <ethernet subnet & wildcard bits> established
permit tcp any eq 20 <ethernet subnet & wildcard bits>
Which is the last thing Tony came up with.
Charles
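An added example, not part of the thread: a small evaluator that applies the two-line inbound ACL above to constructed active-mode FTP packets, so the effect of `established` on the control-channel line and its absence on the port-20 line can be checked. The subnet 10.1.1.0 0.0.0.255, the addresses and the packets are all assumed sample values.

```python
# Added example (not from the original thread). Subnet, addresses and
# packets below are constructed samples standing in for the lab's values.
from dataclasses import dataclass
from ipaddress import IPv4Address

ETH_NET, ETH_WILDCARD = "10.1.1.0", "0.0.0.255"  # assumed ethernet segment

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: set  # TCP flags present, e.g. {"SYN"} or {"ACK"}

def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)

def established(pkt: Packet) -> bool:
    """The 'established' keyword matches segments with ACK or RST set."""
    return bool(pkt.flags & {"ACK", "RST"})

# Mirror of the two permit lines (source port, 'established' required):
#   permit tcp any eq 21 <ethernet subnet & wildcard bits> established
#   permit tcp any eq 20 <ethernet subnet & wildcard bits>
ACL = [(21, True), (20, False)]

def matches(pkt: Packet, sport: int, need_established: bool) -> bool:
    return (pkt.sport == sport
            and wildcard_match(pkt.dst, ETH_NET, ETH_WILDCARD)
            and (established(pkt) or not need_established))

def evaluate(pkt: Packet) -> str:
    for sport, need_established in ACL:
        if matches(pkt, sport, need_established):
            return "permit"
    return "deny"  # implicit deny at the end of every IOS ACL

# Constructed traffic arriving inbound on the serial interface.
SERVER, HOST = "192.0.2.10", "10.1.1.5"
control_reply = Packet(SERVER, 21, HOST, 1024, {"ACK"})          # reply on control channel
data_open = Packet(SERVER, 20, HOST, 1025, {"SYN"})              # server opens data connection
inbound_ftp = Packet("198.51.100.7", 1030, HOST, 21, {"SYN"})   # outside host opening FTP to us
off_segment = Packet(SERVER, 20, "10.1.2.5", 1025, {"SYN"})     # data connection to another subnet
```

Note that the port-20 line cannot carry `established`, because the data connection arrives as a fresh SYN from the server; it therefore admits any TCP segment sourced from port 20 toward the segment, which is the trade-off of filtering active-mode FTP with a stateless ACL.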
-----Original Message-----
From: Jack Heney [mailto:jheneyccie@hotmail.com]
Sent: Wednesday, October 25, 2000 6:53 PM
To: ramyers@cisco.com; aolzak@buckeye-express.com;
ccielab@groupstudy.com
Subject: RE: access-list help
On a somewhat related note, I know FTP uses port 21 for control and port 20
for data. Let's say a host establishes an FTP connection from port 1024 to
port 21 and requests a file transfer. Is the resultant transfer sourced from
or destined for port 20? And if it is sourced from 20, is the destination
the same port as the original request (i.e. 1024)?
Thanks,
jack
>From: "Rasheim Myers" <ramyers@cisco.com>
>Reply-To: "Rasheim Myers" <ramyers@cisco.com>
>To: "Tony Olzak" <aolzak@buckeye-express.com>, <ccielab@groupstudy.com>
>Subject: RE: access-list help
>Date: Wed, 25 Oct 2000 18:23:33 -0400
>
>Hi Tony,
>
>The following inbound access-list line should help solve that problem:
>access-list 100 permit tcp any <host ip range> established
>note:
>I don't think you need the "eq ftp" for this line
>
>This will allow the "server" that you have established a connection with to
>return packets to your hosts. You used the telnet tcp port (23) in your
>email. That is probably just a typo. Remember that FTP uses 2 ports (21
>and 20).
>
>I hope this information helps out.
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>Tony Olzak
> Sent: Wednesday, October 25, 2000 6:03 PM
> To: ccielab@groupstudy.com
> Subject: access-list help
>
>
> This should be simple, and I'm probably making this way too difficult,
>but
>how would you go about this access-list?
>
> This is an inbound access-list on a serial interface. The one line I'm
>having trouble with is this:
>
> FTP sessions are only allowed if established by a host on the router's
>ethernet segment.
>
> OK, that's great. Any host on the ethernet segment will send packets to
>port 23, but returning packets will be to whatever port above 1023 that the
>host chose to use. If I just say:
>
> access-list 100 permit tcp any <host ip range> establish eq ftp
>
> This would only allow packets IN that are destined for port 23 and have
>the ACK bit. This does me no good because the source host is not using port
>23 when trying to initiate an FTP session. If I say to any port greater
>than
>1023, then I'm allowing traffic that was not specified in the lab. Am I way
>off here? If so, how do I do this?
>
> Maybe the author of this practice lab didn't understand this procedure?
>
> Tony
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:25:30 GMT-3