RE: Passive FTP Examples in Practical Studies Vol. 2.

From: David Hurtado (deivi78@hotmail.com)
Date: Mon Mar 01 2004 - 13:52:55 GMT-3


Hello everybody,

I don't think that the following inbound ACL would be correct to allow
the communication between FTP passive client and server (supposing that
the server is outside the interface and its IP address is X.X.X.X)

1. permit tcp host x.x.x.x any ftp

2. permit tcp host x.x.x.x any gt 1023 established

In FTP passive mode, the client never uses port 20 nor port 21, so the
first statement would be useless. Please, tell me if I'm wrong.

Thanks for the help

>From: "Scott, Tyson C"
>Reply-To: "Scott, Tyson C"
>To: "Jonathan Hays" , "William Chen" ,
>Subject: RE: Passive FTP Examples in Practical Studies Vol. 2.
>Date: Fri, 27 Feb 2004 08:11:16 -0600
>
>But if this was going the opposite way it would be correct but hosts
>would need to be reversed in if this was an inbound list towards the
>hosts. And it should not be ip tcp for sure it should just be tcp
>
>1. permit tcp host x.x.x.x any ftp
>2. permit tcp host x.x.x.x any gt 1023 established
>
>Regards,
>
>Tyson Scott
>Agilent Problem Management Team
>Managed Network Services
>Phone: 313-583-5812
>Pager: 877-997-0811
>
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>Jonathan Hays
>Sent: Thursday, February 26, 2004 8:04 PM
>To: 'William Chen'; ccielab@groupstudy.com
>Subject: RE: Passive FTP Examples in Practical Studies Vol. 2.
>
>you wrote:
>
>-----Original Message-----
> >From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> >Behalf Of William Chen
> >Sent: Thursday, February 26, 2004 7:14 PM
> >To: ccielab@groupstudy.com
> >Subject: Passive FTP Examples in Practical Studies Vol. 2.
> >
> >
> >Dear all,
> >
> > In all the examples of passive FTP in the book of
> >Practical Studies Vol.
> >2. It states that to match the passive FTP traffic by ACL to a
> >server, the
> >ACL should be:
> >
> > 1. permit ip tcp any host x.x.x.x ftp
> > 2. permit ip tcp any host x.x.x.x gt 1023 established
> >
> > I wonder why established is used in the statement 2, since
> >in passive
> >FTP, the data channel should be initiated by the client to
> >server at a port
> >greater than 1023.
> >
> >Best Regards,
> >William Chen
>= = =
>The book is wrong. This is clearly a typo.
>
>Step 2 states "FTP clients will connect to the FTP server using passive
>FTP sessions" but the solution (shown on both pages 421 and 423) is for
>*active* FTP:
>
>access-list 103 permit tcp any host 10.54.148.15 eq ftp
>access-list 103 permit tcp any host 10.54.148.15 gt 1023 established
>
>This ACL is applied to the Priority list on Cancun, outbound toward the
>FTP server. The first ACL allows initiation of the FTP Control (port 21)
>TCP connection from the client to the server. In the second, erroneous
>ACL the keyword "established" allows traffic that was initiated from the
>server. This is incorrect since in passive FTP all TCP connections are
>initiated by the client and this ACL is outbound toward the server. The
>second ACL would be correct if the keyword "established" were removed so
>we can allow client TCP SYN packets toward the FTP server.
>
>See Priscilla Oppenheimer's excellent treatment of the details of FTP at
>
>http://www.troubleshootingnetworks.com/ftpinfo.html
>
>Jonathan
>
>_______________________________________________________________________
>Please help support GroupStudy by purchasing your study materials from:
>http://shop.groupstudy.com
>
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
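An added example, not from anyone in the thread, that models Jonathan's point about the book's outbound ACL: a small Python evaluator of Cisco extended-ACL matching, run over constructed outbound segments of one passive-FTP session toward the book's server 10.54.148.15. The client address, the ephemeral ports and the PASV data port are constructed values, and `established` is modelled as "ACK or RST set", which is what the keyword checks.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False   # False only for the initial SYN of a connection

@dataclass(frozen=True)
class Ace:
    """One 'permit tcp any host <dst> {eq|gt} <port> [established]' entry."""
    dst: str
    op: str             # "eq" or "gt"
    port: int
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if p.dst != self.dst:
            return False
        if not (p.dport == self.port if self.op == "eq" else p.dport > self.port):
            return False
        # 'established' only matches segments with ACK (or RST) set, never a bare SYN
        return p.ack or not self.established

def permitted(acl: list[Ace], p: Packet) -> bool:
    """First matching entry wins; every entry here is a permit, so the
    implicit deny at the end applies when nothing matches."""
    return any(ace.matches(p) for ace in acl)

SERVER = "10.54.148.15"      # FTP server address from the book example
CLIENT = "10.54.148.100"     # constructed client address
PASV_PORT = 49152            # constructed port announced in the server's PASV reply

# Outbound (client -> server) segments of one passive-FTP session, constructed.
SESSION = {
    "control SYN": Packet(CLIENT, SERVER, 40000, 21, ack=False),
    "control data": Packet(CLIENT, SERVER, 40000, 21, ack=True),
    "pasv data SYN": Packet(CLIENT, SERVER, 40001, PASV_PORT, ack=False),
    "pasv data ACK": Packet(CLIENT, SERVER, 40001, PASV_PORT, ack=True),
}

# access-list 103 as printed in the book ('established' on the second line)
BOOK_ACL = [Ace(SERVER, "eq", 21), Ace(SERVER, "gt", 1023, established=True)]
# the same list with 'established' removed, as Jonathan suggests
FIXED_ACL = [Ace(SERVER, "eq", 21), Ace(SERVER, "gt", 1023)]

def evaluate(acl: list[Ace]) -> dict[str, bool]:
    """Map each session segment name to whether the ACL permits it."""
    return {name: permitted(acl, pkt) for name, pkt in SESSION.items()}

if __name__ == "__main__":
    for name, acl in (("book", BOOK_ACL), ("fixed", FIXED_ACL)):
        print(name, evaluate(acl))
```

The book's list lets the control SYN through but drops the client's SYN toward the PASV data port, so the data channel never opens; without `established` every segment of the session is permitted.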




This archive was generated by hypermail 2.1.4 : Thu Apr 01 2004 - 08:15:11 GMT-3