From: Gregory W. Posey Jr. (gposey@xxxxxxxx)
Date: Mon May 13 2002 - 10:19:27 GMT-3
I'm pretty sure that ftp-data (20) is the source port that the server
(150.10.1.10) uses to go back to the client. Thus the destination port
going OUT from the server would be something > 1023. But that would
make the second line of the access list be...
Permit tcp 132.31.5.16 0.0.0.15 gt 1023 host 150.10.1.10 eq ftp-data
Unless I'm way off base as far as FTP goes (or unless they're talking
about PASV FTP, in which the client side initiates the data connection
as well as the control connection, and it goes to a "high port" on the
server - which would make the 2nd line they have correct).
Thank you,
Greg Posey Jr.
CCIE #7981
CSS1
CCNP - Voice Access Specialist
M.S. EE
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
li jian hua
Sent: Monday, May 13, 2002 3:16 AM
To: ccielab@groupstudy.com
Subject: use access-list to control ftp
Hi group,
Page 1025 of CCIE practical studies uses the following to control FTP:
ip access-list extended allow-ftp-in
permit tcp 132.31.5.16 0.0.0.15 host 150.10.1.10 eq ftp
permit tcp 132.31.5.16 0.0.0.15 host 150.10.1.10 gt 1023
And the page says using "eq ftp-data" is wrong.
Please confirm.
rgds
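As an added illustration of the port directions argued over in both messages (this is not code from the thread or from the book), the following Python evaluates the book's two ACL lines, and the "eq ftp-data" line proposed in the reply, against constructed client-to-server packets: the control connection, a passive-mode data connection, and the client's reply packets on an active-mode data connection. It assumes the ACL filters traffic from the 132.31.5.16/28 clients toward the server, parses only the subset of IOS syntax the thread uses, and the client address 132.31.5.20 and the high port numbers are constructed.

```python
import ipaddress
# Constructed ACL entries: the two lines quoted from the book, plus the
# "eq ftp-data" line proposed in the reply for active-mode FTP.
BOOK_ACL = [
    "permit tcp 132.31.5.16 0.0.0.15 host 150.10.1.10 eq ftp",
    "permit tcp 132.31.5.16 0.0.0.15 host 150.10.1.10 gt 1023",
]
ACTIVE_LINE = "permit tcp 132.31.5.16 0.0.0.15 gt 1023 host 150.10.1.10 eq ftp-data"
PORT_NAMES = {"ftp": 21, "ftp-data": 20}  # IOS keywords used in the thread

def _addr(tokens):
    """Consume 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (net, mask, rest)."""
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF, tokens[2:]
    net, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return net, ~wild & 0xFFFFFFFF, tokens[2:]

def _port(tokens):
    """Consume an optional 'eq N' / 'gt N'; return (predicate, rest)."""
    if tokens and tokens[0] in ("eq", "gt"):
        n = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        return (lambda p: p == n) if tokens[0] == "eq" else (lambda p: p > n), tokens[2:]
    return (lambda p: True), tokens

def parse_ace(line):
    """Turn one 'permit tcp ...' entry into a match function over (src, sport, dst, dport)."""
    t = line.split()
    if t[:2] != ["permit", "tcp"]:
        raise ValueError("only 'permit tcp' entries are handled")
    snet, smask, rest = _addr(t[2:])
    sport, rest = _port(rest)
    dnet, dmask, rest = _addr(rest)
    dport, _ = _port(rest)
    def match(src, sp, dst, dp):
        s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
        return (s & smask == snet & smask and sport(sp)
                and d & dmask == dnet & dmask and dport(dp))
    return match

def first_match(acl, src, sport, dst, dport):
    """Index of the first permitting entry, or None for IOS's implicit deny."""
    for i, line in enumerate(acl):
        if parse_ace(line)(src, sport, dst, dport):
            return i
    return None

# Constructed client-to-server packets: the control channel, a passive-mode data
# channel (client opens a high server port) and the client's replies on an
# active-mode data channel (the server opened it from ftp-data, port 20).
CONTROL = ("132.31.5.20", 40000, "150.10.1.10", 21)
PASSIVE_DATA = ("132.31.5.20", 40001, "150.10.1.10", 50000)
ACTIVE_REPLY = ("132.31.5.20", 40002, "150.10.1.10", 20)
```

With the book's two lines alone, the control and passive-mode packets are permitted by entries 0 and 1, while the client's replies toward server port 20 fall through to the implicit deny; only the added "eq ftp-data" entry permits them.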
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:58:55 GMT-3