From: Winston V. Shaw (wvshaw@bellsouth.net)
Date: Sat Feb 07 2004 - 14:11:52 GMT-3
Hello Arvind,
Since the difference between Active and Passive FTP really lies with the Server opening a port 20 for data connections in Active mode, I would use the following; 
access-list 100 deny tcp any eq ftp-data any
access-list 100 permit ip any any
ip access-group 100 out ( if you are applying in respect to the server )
ip access-group 100 in  ( if you are applying in respect to the clients )
Using specific networks or hosts instead of "any" would be a good idea if they are given in the scenario. There are probably many other ways to do this but this is the only way I could think of to do it quickly and meet the requirement.
WVShaw
CCIE#7991
> 
> From: "Arvind Yadav" <arvindyadav@comcast.net>
> Date: 2004/02/07 Sat AM 12:22:09 EST
> To: <ccielab@groupstudy.com>
> Subject: Passive FTP
> 
> Requirement is to allow passive FTP
> 
> Is this the correct ACL or I have to use reflexive ACL or CBAC
> 
> access-list 100 deny tcp any any eq ftp-data
> access-list 100 permit tcp any any eq ftp
> access-list 100 permit tcp any any gt 1023
> 
> _______________________________________________________________________
> Please help support GroupStudy by purchasing your study materials from:
> http://shop.groupstudy.com
> 
> Subscription information may be found at: 
> http://www.groupstudy.com/list/CCIELab.html
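Neither ACL in this thread is stateful, so what each one permits depends on which direction of which connection the packets are flowing. The script below, an added example that is not from the thread or from Cisco, parses the two ACLs exactly as posted and evaluates them with IOS first-match semantics (implicit deny at the end) against constructed packets for an FTP control connection, an active-mode data connection (server port 20 to the client), a passive-mode data connection (client to a high server port) and an unrelated SSH connection. The addresses are placeholders and the parser only understands the subset of extended-ACL syntax those five lines use.

```python
"""Stateless evaluation of the thread's two ACLs against sample FTP packets.
Added example; addresses are constructed placeholders, parser is a subset."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"ftp": 21, "ftp-data": 20}  # the two port names the thread uses


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Ace:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip" or "tcp"
    src: str                           # "any" or a host address
    sport: Optional[Tuple[str, int]]   # ("eq"|"gt"|"lt", port) or None
    dst: str
    dport: Optional[Tuple[str, int]]


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny PROTO SRC [op PORT] DST [op PORT]'."""
    toks = line.split()
    if toks[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = toks[2], toks[3]
    pos = 4

    def addr() -> str:
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return "any"
        if toks[pos] == "host":
            pos += 2
            return toks[pos - 1]
        raise ValueError(f"unsupported address spec {toks[pos]!r}")

    def portspec() -> Optional[Tuple[str, int]]:
        nonlocal pos
        if pos < len(toks) and toks[pos] in ("eq", "gt", "lt"):
            op, val = toks[pos], toks[pos + 1]
            pos += 2
            return op, PORT_NAMES.get(val) or int(val)
        return None

    src, sport = addr(), portspec()
    dst, dport = addr(), portspec()
    return Ace(action, proto, src, sport, dst, dport)


def _port_ok(spec: Optional[Tuple[str, int]], port: int) -> bool:
    if spec is None:
        return True
    op, val = spec
    return {"eq": port == val, "gt": port > val, "lt": port < val}[op]


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    return (ace.src in ("any", pkt.src) and _port_ok(ace.sport, pkt.sport)
            and ace.dst in ("any", pkt.dst) and _port_ok(ace.dport, pkt.dport))


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First match wins; anything unmatched hits the implicit deny, as on IOS."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"


SHAW_ACL = [parse_ace(l) for l in (
    "access-list 100 deny tcp any eq ftp-data any",
    "access-list 100 permit ip any any")]
YADAV_ACL = [parse_ace(l) for l in (
    "access-list 100 deny tcp any any eq ftp-data",
    "access-list 100 permit tcp any any eq ftp",
    "access-list 100 permit tcp any any gt 1023")]

CLIENT, SERVER = "10.0.0.5", "192.0.2.10"  # constructed placeholder addresses
# Each connection as the packet that opens it plus the reply packet.
PACKETS = {
    "control client->server:21": Packet("tcp", CLIENT, 40000, SERVER, 21),
    "control server:21->client": Packet("tcp", SERVER, 21, CLIENT, 40000),
    "active data server:20->client": Packet("tcp", SERVER, 20, CLIENT, 40001),
    "active data client->server:20": Packet("tcp", CLIENT, 40001, SERVER, 20),
    "passive data client->server:50000": Packet("tcp", CLIENT, 40002, SERVER, 50000),
    "passive data server:50000->client": Packet("tcp", SERVER, 50000, CLIENT, 40002),
    "ssh client->server:22": Packet("tcp", CLIENT, 40003, SERVER, 22),
}


def verdicts(acl: List[Ace]) -> dict:
    return {name: evaluate(acl, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("Shaw", SHAW_ACL), ("Yadav", YADAV_ACL)):
        print(label)
        for name, verdict in verdicts(acl).items():
            print(f"  {verdict:6} {name}")
```

Running it shows that the Shaw ACL denies only the server:20->client packet, while the Yadav ACL denies only the client->server:20 packet, so each one stops the active-mode data connection only when applied in the direction where that packet actually crosses the interface. Both permit passive data in both directions, and both also permit far more than FTP: the Yadav ACL accepts any TCP to a port above 1023, and the Shaw ACL accepts everything that is not sourced from port 20. Narrowing that without a static high-port hole is what a reflexive ACL or CBAC provides, by opening only the ports a real session uses for the life of that session.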
This archive was generated by hypermail 2.1.4 : Fri Mar 05 2004 - 07:13:47 GMT-3