From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Thu Jun 22 2006 - 16:11:30 ART
Reflexive ACLs work nicely with passive FTP, but they are not of much
help with active mode.
The best thing to track active mode connections is the CBAC feature :)
--
Petr Lapukhov, CCIE #16379
petr@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Outside US: 775-826-4344
2006/6/22, Navin MS <navin_ms07@yahoo.com>:
>
> Group,
>
> Is it possible that we can use a reflexive ACL for this?
>
> IMP, the inbound and outbound traffic is just the mirror of each other.
> So just "reflect" in the outbound ACL and do an "evaluate" in the inbound?
>
> Does that simplify this task?
>
> Thanks,
> Naveen.
>
> --- Chris Lewis <chrlewiscsco@gmail.com> wrote:
>
> > Ignore my comment on this, I need to clean my glasses so I can read the
> > diagram properly.
> >
> > Chris
> >
> > On 6/22/06, Popgeorgiev Nikolay <nikolay.popgeorgiev@siemens.com> wrote:
> > >
> > > Chris,
> > >
> > > Sorry but can you explain to me how exactly port 20 is used in the
> > > PASSIVE mode of ftp. Maybe I don't understand something?
> > >
> > > According to the access lists matching both types of ftp it should be
> > > something like this:
> > >
> > > Active
> > >
> > > Access-list 101 permit tcp host mypc host SRV eq 21
> > > Access-list 101 permit tcp host mypc host SRV eq 20
> > >
> > > Access-list 102 permit tcp host SRV eq 21 host mypc
> > > Access-list 102 permit tcp host SRV eq 20 host mypc
> > >
> > > Passive
> > >
> > > Access-list 101 permit tcp host mypc host SRV eq 21
> > > Access-list 101 permit tcp host mypc host SRV gt 1023
> > >
> > > Access-list 102 permit tcp host SRV eq 21 host mypc
> > > Access-list 102 permit tcp host SRV gt 1023 host mypc
> > >
> > > Best,
> > > Nick
> > >
> > > -----Original Message-----
> > > From: Chris Lewis [mailto: chrlewiscsco@gmail.com]
> > > Sent: Thursday, June 22, 2006 4:00 AM
> > > To: Plank, Jason
> > > Cc: Ken; Cisco certification
> > > Subject: Re: FTP connection type
> > >
> > > Well, both passive and active use ports 20 and 21.
> > >
> > > http://www.cisco.com/web/about/ac123/ac147/ac174/ac199/about_cisco_ipj_archive_article09186a00800c85a7.html
> > >
> > > Provides a full description.
> > >
> > > Chris
> > >
> > > On 6/21/06, Plank, Jason <JPlank@concordefs.com> wrote:
> > > >
> > > > It means ACTIVE FTP, which uses TCP ports 20/21.
> > > >
> > > > -------------------
> > > > J. Marshall Plank
> > > > Network Engineer
> > > > 101 Bellevue Parkway
> > > > Wilmington, DE 19809
> > > > E-mail: JPlank@concordefs.com
> > > > Phone: 302-793-5913
> > > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > Ken
> > > > Sent: Wednesday, June 21, 2006 6:11 PM
> > > > To: Cisco certification
> > > > Subject: FTP connection type
> > > >
> > > > Hello,
> > > >
> > > > When there is a statement, "suppose that this FTP server does not
> > > > support PASV FTP connection", what kind of difference does it make
> > > > in the ACL configuration?
> > > >
> > > > I am referring to the QoS question 8.3 in Lab 2 of IE work book.
> > > >
> > > > Thanks,
> > > >
> > > > _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
> > > >
> > > > -----------------------------------------
> > > > The information in this message may be proprietary and/or
> > > > confidential, and protected from disclosure. If the reader of this
> > > > message is not the intended recipient, or an employee or agent
> > > > responsible for delivering this message to the intended recipient,
> > > > you are hereby notified that any dissemination, distribution or
> > > > copying of this communication is strictly prohibited. If you have
> > > > received this communication in error, please notify First Data
> > > > immediately by replying to this message and deleting it from your
> > > > computer.
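
Added example, not part of the original thread: a toy Python model of the point made in the reply at the top, that a reflect/evaluate pair admits passive FTP data traffic but drops the server-initiated active data connection unless the control channel is inspected. The addresses, port numbers, class and function names are constructed, the client is assumed to sit on the inside, and the inspection logic is a simplification, not IOS behaviour.

```python
import re

PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")

def parse_port(payload):
    """Return (ip, port) announced by an FTP PORT command, else None."""
    m = PORT_RE.match(payload)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        return None
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

class Firewall:
    """Toy model: 'reflect' on outbound packets, 'evaluate' on inbound ones."""
    def __init__(self, inspect_ftp=False):
        self.inspect_ftp = inspect_ftp   # True models CBAC-style FTP inspection
        self.permit_in = set()           # (src, sport, dst, dport) allowed inbound

    def outbound(self, src, sport, dst, dport, payload=b""):
        # Reflexive entry: the exact mirror image of the outbound flow.
        self.permit_in.add((dst, dport, src, sport))
        if self.inspect_ftp and dport == 21:
            announced = parse_port(payload)
            # Open a pinhole only for the client's own address, so a PORT
            # command naming another host opens nothing.
            if announced and announced[0] == src:
                self.permit_in.add((dst, 20, src, announced[1]))

    def inbound(self, src, sport, dst, dport):
        return (src, sport, dst, dport) in self.permit_in

PC, SRV = "10.0.0.5", "192.0.2.10"   # constructed addresses

def passive_data_ok(fw):
    fw.outbound(PC, 40000, SRV, 21, b"PASV\r\n")
    fw.outbound(PC, 40001, SRV, 50000)          # client opens the data connection
    return fw.inbound(SRV, 50000, PC, 40001)    # server's reply packets

def active_data_ok(fw, announce_ip=PC):
    port_cmd = ("PORT %s,156,65\r\n" % announce_ip.replace(".", ",")).encode()
    fw.outbound(PC, 40000, SRV, 21, port_cmd)   # 156*256+65 = 40001
    return fw.inbound(SRV, 20, announce_ip, 40001)  # server-initiated SYN
```
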
This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:33 ART