Hey team,
Along these same lines, my configs do not always match those of the lab task
I am taking.
Example might be that I use the match protocol ftp instead of an
access-list. Or within an access list, I will use the keyword 'ftp' and not
include ftp data. Also, sometimes I will not define the direction in both
ways, only one way.
Any comments on the different options?
Does the match protocol ftp command match both the data and control
session? Do I have to spell it completely out in order to get credit? I
think I know the answer to this ....
Many thanks team!!!
Andrew Lee Lissitz
On Sat, Aug 22, 2009 at 8:18 AM, Anantha Subramanian Natarajan <anantha.natarajan_at_gravitant.com> wrote:
> Hi Iwan,
>
> Thank you very much for verifying the solution and explaining the
> procedure for testing the same.
>
> Thanks
>
> Regards
> Anantha Subramanian Natarajan
>
> On Sat, Aug 22, 2009 at 6:24 AM, Iwan Hoogendoorn <iwan_at_ipexpert.com> wrote:
>
> > Hey Anantha,
> >
> > What you are explaining above is totally correct.
> > You can simply test this by configuring an FTP server on a router:
> >
> > If you want to enable a FTP server within Cisco IOS, you can use the
> > ftp-server enable configuration command followed by the ftp-server
> > topdir directory command which specifies the top-level FTP directory
> > (for example, flash: or disk0:). To authenticate the FTP users you
> > need to define the local usernames with the username user password
> > password configuration command.
> > You can put the ACL on the interface and just do a quick telnet to
> > port 21 from the neighbouring router or another router if the route is
> > known to it ("telnet x.x.x.x ftp" and "telnet x.x.x.x ftp-data").
> >
> >
> >
> > --
> > Regards,
> >
> > Iwan Hoogendoorn
> > CCIE #13084 (R&S / Security / SP)
> > Sr. Support Engineer IPexpert, Inc.
> > URL: http://www.IPexpert.com <http://www.ipexpert.com/>
> >
> > On Fri, Aug 21, 2009 at 11:42 PM, Anantha Subramanian Natarajan <anantha.natarajan_at_gravitant.com> wrote:
> > > Hi All,
> > >
> > > I would like to clarify below the rules needed to apply for the
> > > access-list based on different applications/requirements. Thanks for the
> > > assistance.
> > >
> > >
> > > Say the topology is as listed like R6-BB1
> > >
> > > *Requirement*
> > >
> > > 1) Allow only ftp traffic from BB1.
> > >
> > > *Assuming the solution as below*
> > >
> > > An extended access-list would be applied *inbound *on the R6 interface
> > > facing towards BB1
> > >
> > > ip access-list extended allow_in
> > > *Active FTP*
> > > 10 permit tcp any gt 1023 <inside network - inverse mask> range 20 21
> > > --- For Active FTP (assuming client is outside and server is inside)
> > > 20 permit tcp any range 20 21 <inside network - inverse mask> gt 1023
> > > --- For Active FTP (assuming client is inside and server is outside)
> > > *Passive FTP*
> > > 30 permit tcp any gt 1023 <inside network - inverse mask> gt 1023
> > > --- For Passive FTP (assuming client is outside and server is inside)
> > >
> > >
> > > Would the above access-list permit both passive and active FTP (including
> > > server inside or outside)? Kindly correct me where I am wrong.
> > >
> > > *Note:* Ignoring the permit statements required for routing protocol or
> > > any other protocol traffic between R6 and BB1 for our question.
> > >
> > > Thanks
> > >
> > >
> > > Regards
> > > Anantha Subramanian Natarajan
> > >
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> > >
> >
>
--
Andrew Lee Lissitz
all.from.nj_at_gmail.com

Received on Sat Aug 22 2009 - 16:36:42 ART
This archive was generated by hypermail 2.2.0 : Tue Sep 01 2009 - 05:43:57 ART
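Added example, not written by any of the posters above: a small stateless evaluator for the three permit entries in Anantha's access-list, run against constructed FTP packets as they would enter R6 from BB1 (only the inbound direction is filtered). The inside network 10.6.0.0/24, the outside host 192.0.2.10 and the inside host 10.6.0.1 are placeholders chosen here, not values from the thread.

```python
import ipaddress

INSIDE = ipaddress.ip_network("10.6.0.0/24")  # constructed placeholder for <inside network>

def gt(n):
    return lambda p: p > n

def rng(a, b):
    return lambda p: a <= p <= b

# The three permit entries from the thread: (seq, src, src-port test, dst, dst-port test).
ACL = [
    (10, "any", gt(1023), "inside", rng(20, 21)),   # control/data-ack towards a server inside
    (20, "any", rng(20, 21), "inside", gt(1023)),   # control/data from a server outside
    (30, "any", gt(1023), "inside", gt(1023)),      # passive data towards a server inside
]

def addr_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in INSIDE

def first_match(src, sport, dst, dport):
    """Stateless top-down evaluation: seq of the first permit, None = implicit deny."""
    for seq, s, sp, d, dp in ACL:
        if addr_ok(s, src) and sp(sport) and addr_ok(d, dst) and dp(dport):
            return seq
    return None

# Constructed inbound packets (BB1 -> R6) covering the four FTP cases plus two
# non-FTP flows, to show what else entry 30 (high port to high port) lets in.
INBOUND = {
    "active, server inside, control":   ("192.0.2.10", 40000, "10.6.0.1", 21),
    "active, server inside, data ack":  ("192.0.2.10", 40001, "10.6.0.1", 20),
    "active, server outside, control":  ("192.0.2.10", 21, "10.6.0.1", 40000),
    "active, server outside, data":     ("192.0.2.10", 20, "10.6.0.1", 40001),
    "passive, server inside, data":     ("192.0.2.10", 40002, "10.6.0.1", 51000),
    "passive, server outside, data":    ("192.0.2.10", 51000, "10.6.0.1", 40002),
    "non-FTP high-to-high (e.g. 8080)": ("192.0.2.10", 50000, "10.6.0.1", 8080),
    "non-FTP to ssh":                   ("192.0.2.10", 50000, "10.6.0.1", 22),
}

def evaluate():
    """Map each constructed packet to the permitting seq number (None = denied)."""
    return {name: first_match(*pkt) for name, pkt in INBOUND.items()}

if __name__ == "__main__":
    for name, seq in evaluate().items():
        print(f"{name:36} -> {'permit seq ' + str(seq) if seq else 'implicit deny'}")
```

All six FTP packets are permitted, which agrees with Iwan's verdict; the last two rows show that entry 30 also admits any TCP session between ephemeral ports, which is the price of writing passive FTP rules without a stateful inspection feature.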