Re: Access-list for FTP

From: Iwan Hoogendoorn <iwan_at_ipexpert.com>
Date: Sat, 22 Aug 2009 13:24:15 +0200

Hey Anantha,

What you are explaining above is totally correct.
You can simply test this by configuring an FTP server on a router:

If you want to enable an FTP server within Cisco IOS, you can use the
ftp-server enable configuration command followed by the ftp-server
topdir directory command which specifies the top-level FTP directory
(for example, flash: or disk0:). To authenticate the FTP users you
need to define the local usernames with the username user password
password configuration command.
You can put the ACL on the interface and just do a quick telnet to
port 21 from the neighbouring router or another router if the route is
known to it ("telnet x.x.x.x ftp" and "telnet x.x.x.x ftp-data").

-- 
Regards,
Iwan Hoogendoorn
CCIE #13084 (R&S / Security / SP)
Sr. Support Engineer  IPexpert, Inc.
URL: http://www.IPexpert.com
On Fri, Aug 21, 2009 at 11:42 PM, Anantha Subramanian
Natarajan<anantha.natarajan_at_gravitant.com> wrote:
> Hi All,
>
>  I would like to clarify the rules below, which need to be applied in the
> access-list based on different applications/requirements. Thanks for the
> assistance.
>
>
> Say the topology is as listed: R6-BB1
>
> *Requirement*
>
> 1) Allow only ftp traffic from BB1.
>
> *Assuming the solution as below*
>
>  An extended access-list would be applied *inbound *on the R6 interface
> facing towards BB1
>
>    ip access-list extended allow_in
>       *Active FTP*
>      10 permit tcp any gt 1023 <inside network - inverse mask> range 20 21
> --- For Active FTP (assuming client is outside and server is inside)
>      20 permit tcp any range 20 21 <inside network - inverse mask> gt 1023
> --- For Active FTP (assuming client is inside and server is outside)
>      *Passive FTP*
>      30 permit tcp any gt 1023 <inside network - inverse mask> gt 1023
> --- For Passive FTP (assuming client is outside and server is inside)
>
>
> Would the above access-list permit both passive and active FTP (including
> server inside or outside)? Kindly correct me where I am wrong.
>
> *Note:* Ignoring the permit statements required for routing protocol or any
> other protocol traffic between R6 and BB1 for our question
>
> Thanks
>
>
> Regards
> Anantha Subramanian Natarajan
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Sat Aug 22 2009 - 13:24:15 ART
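The following is an added example, not code from either poster. It models the three permit lines of the posted ACL as a Cisco-style extended ACL (top-down, first match wins, implicit deny at the end) applied inbound on R6's interface towards BB1, and replays the inbound packets that each FTP mode generates (active and passive, server inside and server outside), so that each case can be traced to the line that permits it. It also replays a few non-FTP connections to show what line 30 lets through as a side effect. The inside network, the host addresses and the ephemeral ports are constructed for the example and are not from the thread.

```python
"""ACL evaluator for the three FTP permit lines in the thread.

Added example, not code from the original post. It models a Cisco-style
extended ACL (top-down, first match wins, implicit deny at the end) applied
inbound on R6's interface towards BB1, and replays the inbound packets that
each FTP mode generates. The inside network, the host addresses and the
ephemeral ports are constructed for the example.
"""
import ipaddress

INSIDE = ipaddress.ip_network("10.6.0.0/24")   # assumed: "<inside network>", wildcard 0.0.0.255
INSIDE_HOST = "10.6.0.1"                       # assumed inside host
OUTSIDE_HOST = "192.0.2.10"                    # assumed host behind BB1


def port_match(spec, port):
    """spec is None (no port qualifier), ('eq', n), ('gt', n) or ('range', lo, hi)."""
    if spec is None:
        return True
    if spec[0] == "eq":
        return port == spec[1]
    if spec[0] == "gt":
        return port > spec[1]
    if spec[0] == "range":
        return spec[1] <= port <= spec[2]
    raise ValueError("unknown port operator %r" % (spec[0],))


def addr_match(spec, addr):
    """spec is None for 'any' or an ip_network built from the address/wildcard pair."""
    return spec is None or ipaddress.ip_address(addr) in spec


# seq, action, src, src-port, dst, dst-port: lines 10, 20 and 30 of the posted ACL.
ALLOW_IN = [
    (10, "permit", None, ("gt", 1023), INSIDE, ("range", 20, 21)),
    (20, "permit", None, ("range", 20, 21), INSIDE, ("gt", 1023)),
    (30, "permit", None, ("gt", 1023), INSIDE, ("gt", 1023)),
]


def evaluate(acl, src, sport, dst, dport):
    """Sequence number of the first matching permit, or None for the implicit deny."""
    for seq, action, s, sp, d, dp in acl:
        if (addr_match(s, src) and port_match(sp, sport)
                and addr_match(d, dst) and port_match(dp, dport)):
            return seq if action == "permit" else None
    return None


# Packets that arrive inbound from BB1 in each FTP mode (constructed ephemeral ports).
# Outbound packets never hit an inbound ACL, so only the BB1 -> R6 direction is listed.
FTP_FLOWS = {
    "active, server inside: control SYN":      (OUTSIDE_HOST, 40000, INSIDE_HOST, 21),
    "active, server inside: data ACKs":        (OUTSIDE_HOST, 40001, INSIDE_HOST, 20),
    "active, client inside: control replies":  (OUTSIDE_HOST, 21, INSIDE_HOST, 40002),
    "active, client inside: data SYN":         (OUTSIDE_HOST, 20, INSIDE_HOST, 40003),
    "passive, server inside: control SYN":     (OUTSIDE_HOST, 40004, INSIDE_HOST, 21),
    "passive, server inside: data SYN":        (OUTSIDE_HOST, 40005, INSIDE_HOST, 50000),
    "passive, client inside: control replies": (OUTSIDE_HOST, 21, INSIDE_HOST, 40006),
    "passive, client inside: data replies":    (OUTSIDE_HOST, 50001, INSIDE_HOST, 40007),
}

# Traffic that is not FTP at all, to show what line 30 admits as a side effect.
OTHER_FLOWS = {
    "ssh to inside":      (OUTSIDE_HOST, 40008, INSIDE_HOST, 22),
    "http-alt to inside": (OUTSIDE_HOST, 40009, INSIDE_HOST, 8080),
    "rdp to inside":      (OUTSIDE_HOST, 40010, INSIDE_HOST, 3389),
}


def classify(flows, acl=ALLOW_IN):
    """Map each flow name to the ACL line that permits it (None = dropped)."""
    return {name: evaluate(acl, *pkt) for name, pkt in flows.items()}


if __name__ == "__main__":
    for name, seq in {**classify(FTP_FLOWS), **classify(OTHER_FLOWS)}.items():
        verdict = "permit by line %d" % seq if seq else "DENY (implicit)"
        print("%-42s %s" % (name, verdict))
```

Running it shows every FTP case landing on one of the three lines, which is the result the thread arrives at; it also shows that line 30 admits any inbound TCP connection from a high port to a high port on the inside network (8080 and 3389 in the constructed set), because a stateless ACL cannot tell a passive-mode data SYN from any other SYN. Adding the established keyword to line 30 would close that hole for the client-inside cases but would also drop the passive-server-inside data SYN, which is why stateful inspection of the FTP control channel (IOS ip inspect with the ftp protocol) is the usual way to avoid the blanket high-port permit.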