RE: Passive FTP Examples in Practical Studies Vol. 2.

From: Scott, Tyson C (tyson.scott@hp.com)
Date: Fri Feb 27 2004 - 11:11:16 GMT-3


But if this were going the opposite way it would be correct, but the hosts
would need to be reversed if this were an inbound list towards the
hosts. And it should not be "ip tcp", for sure; it should just be "tcp":

1. permit tcp host x.x.x.x any ftp
2. permit tcp host x.x.x.x any gt 1023 established

Regards,
 
Tyson Scott
Agilent Problem Management Team
Managed Network Services
Phone: 313-583-5812
Pager: 877-997-0811
 

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Jonathan Hays
Sent: Thursday, February 26, 2004 8:04 PM
To: 'William Chen'; ccielab@groupstudy.com
Subject: RE: Passive FTP Examples in Practical Studies Vol. 2.

you wrote:
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
>Behalf Of William Chen
>Sent: Thursday, February 26, 2004 7:14 PM
>To: ccielab@groupstudy.com
>Subject: Passive FTP Examples in Practical Studies Vol. 2.
>
>
>Dear all,
>
> In all the examples of passive FTP in the book Practical Studies
>Vol. 2, it states that to match the passive FTP traffic by ACL to a
>server, the ACL should be:
>
> 1. permit ip tcp any host x.x.x.x ftp
> 2. permit ip tcp any host x.x.x.x gt 1023 established
>
> I wonder why "established" is used in statement 2, since in passive
>FTP the data channel should be initiated by the client to the server
>at a port greater than 1023.
>
>Best Regards,
>William Chen
= = =
The book is wrong. This is clearly a typo.

Step 2 states "FTP clients will connect to the FTP server using passive
FTP sessions" but the solution (shown on both pages 421 and 423) is for
*active* FTP:

access-list 103 permit tcp any host 10.54.148.15 eq ftp
access-list 103 permit tcp any host 10.54.148.15 gt 1023 established

This ACL is applied to the Priority list on Cancun, outbound toward the
FTP server. The first ACL allows initiation of the FTP Control (port 21)
TCP connection from the client to the server. In the second, erroneous
ACL the keyword "established" allows traffic that was initiated from the
server. This is incorrect since in passive FTP all TCP connections are
initiated by the client and this ACL is outbound toward the server. The
second ACL would be correct if the keyword "established" were removed so
we can allow client TCP SYN packets toward the FTP server.

See Priscilla Oppenheimer's excellent treatment of the details of FTP at

http://www.troubleshootingnetworks.com/ftpinfo.html

Jonathan


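The point both replies make about the "established" keyword can be checked mechanically. The following is an added example, not code from the thread or from the book: a small Python model of Cisco IOS extended-ACL evaluation (first match wins, implicit deny at the end, "established" matching only TCP segments with ACK or RST set) run against constructed packets of a passive FTP session. The server address 10.54.148.15 is the one quoted from the book; the client address 192.0.2.10, the ephemeral client ports and the PASV data port 50000 are assumptions made up for the example.

```python
"""Model of Cisco IOS extended-ACL matching for the FTP ACLs in the thread.

Added example, not code from the original thread or the book.  It models
only the ACE fields the thread uses (protocol tcp, source, destination,
destination-port operator and the 'established' keyword) and evaluates
constructed packets with first-match semantics and an implicit deny.
"""
from dataclasses import dataclass
from typing import Optional

FTP_CTRL = 21                 # the IOS keyword 'ftp' resolves to TCP/21
SERVER = "10.54.148.15"       # FTP server address quoted from the book
CLIENT = "192.0.2.10"         # assumed client address (documentation range)
PASV_PORT = 50000             # assumed port the server advertises in PASV


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset           # {"SYN"} for a connection request, {"ACK"} after


@dataclass(frozen=True)
class Ace:
    """One 'permit/deny tcp <src> <dst> [eq|gt <port>] [established]' entry.
    src/dst of None mean 'any'."""
    action: str
    src: Optional[str] = None
    dst: Optional[str] = None
    dport_op: Optional[str] = None   # 'eq' or 'gt' applied to the destination port
    dport: Optional[int] = None
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.src is not None and p.src != self.src:
            return False
        if self.dst is not None and p.dst != self.dst:
            return False
        if self.dport_op == "eq" and p.dport != self.dport:
            return False
        if self.dport_op == "gt" and not p.dport > self.dport:
            return False
        # 'established' matches only segments with ACK or RST set, so the
        # client's initial SYN never matches an ACE carrying the keyword.
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True


def evaluate(acl: list, p: Packet) -> str:
    """First matching ACE decides; unmatched traffic hits the implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


# The ACL as printed in the book (applied outbound toward the server).
BOOK_ACL = [
    Ace("permit", dst=SERVER, dport_op="eq", dport=FTP_CTRL),
    Ace("permit", dst=SERVER, dport_op="gt", dport=1023, established=True),
]

# The same ACL with 'established' removed from the second line.
CORRECTED_ACL = [
    Ace("permit", dst=SERVER, dport_op="eq", dport=FTP_CTRL),
    Ace("permit", dst=SERVER, dport_op="gt", dport=1023),
]

# Constructed packets of one passive FTP session, client -> server direction.
PASSIVE_FTP = {
    "control SYN": Packet(CLIENT, SERVER, 40000, FTP_CTRL, frozenset({"SYN"})),
    "data SYN":    Packet(CLIENT, SERVER, 40001, PASV_PORT, frozenset({"SYN"})),
    "data ACK":    Packet(CLIENT, SERVER, 40001, PASV_PORT, frozenset({"ACK"})),
}


def passive_ftp_verdicts(acl: list) -> dict:
    """Verdict of the given ACL for each packet of the passive FTP session."""
    return {name: evaluate(acl, pkt) for name, pkt in PASSIVE_FTP.items()}


if __name__ == "__main__":
    for label, acl in (("book ACL", BOOK_ACL), ("corrected ACL", CORRECTED_ACL)):
        print(label)
        for name, verdict in passive_ftp_verdicts(acl).items():
            print(f"  {name:12s} -> {verdict}")
```

Running it shows the book's ACL permitting the control-channel SYN and the later ACK segments of the data channel, but denying the client's SYN to the PASV port, so the passive data connection never opens; with "established" dropped from the second line every packet of the session is permitted.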

This archive was generated by hypermail 2.1.4 : Fri Mar 05 2004 - 07:13:58 GMT-3