Michael Williams wrote:

> That would work, although you don't need the "deny ip any any" as there is
> always an implied "deny all" at the end of the access list.
>
> However, to protect yourself from unwanted traffic/attacks, you can change
> your access list to only allow traffic incoming on port 21 (eq ftp):
>
> access-list 110 permit tcp any host 192.3.10.10 eq ftp
>

Don't we also want an ACL line for the ftp data channel?

access-list 110 permit tcp any host 192.3.10.10 eq ftp-data

And if the server is using passive ftp:

access-list 110 permit tcp any host 192.3.10.10 gt 1023 established




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=24691&t=24525
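Added example, not part of the thread or of any Cisco code: a small Python model of how IOS evaluates an extended ACL inbound on the interface facing the clients (first match wins, implied deny at the end, and `established` matching only segments with the ACK or RST flag set), applied to the three access-list 110 lines discussed above. The port numbers behind the `ftp`/`ftp-data` keywords and the sample segments are constructed for the demonstration.

```python
# Added example (not from the thread): minimal model of Cisco IOS extended ACL
# matching for the FTP entries discussed above. Assumptions: inbound evaluation
# toward the server, first match wins, implied deny at the end, and the IOS
# meaning of "established" (match only if the TCP ACK or RST bit is set).
from dataclasses import dataclass

FTP, FTP_DATA = 21, 20   # ports behind the "ftp" / "ftp-data" keywords
SERVER = "192.3.10.10"   # the host named in access-list 110

@dataclass(frozen=True)
class Entry:
    action: str              # "permit" or "deny"
    dst_host: str
    port_op: str             # "eq" or "gt"
    port: int
    established: bool = False

@dataclass(frozen=True)
class Segment:
    dst_host: str
    dst_port: int
    flags: frozenset         # TCP flags, e.g. {"SYN"} or {"ACK"}

def matches(entry, seg):
    if entry.dst_host != seg.dst_host:
        return False
    if entry.port_op == "eq" and seg.dst_port != entry.port:
        return False
    if entry.port_op == "gt" and seg.dst_port <= entry.port:
        return False
    # "established": only segments with ACK or RST set qualify
    if entry.established and not (seg.flags & {"ACK", "RST"}):
        return False
    return True

def evaluate(acl, seg):
    """First matching entry decides; no match falls through to the implied deny."""
    for entry in acl:
        if matches(entry, seg):
            return entry.action
    return "deny"

# access-list 110 as built from the three lines in the thread
ACL_110 = [
    Entry("permit", SERVER, "eq", FTP),
    Entry("permit", SERVER, "eq", FTP_DATA),
    Entry("permit", SERVER, "gt", 1023, established=True),
]

# Constructed sample traffic, all inbound toward the server.
CONTROL_SYN = Segment(SERVER, FTP, frozenset({"SYN"}))          # client opens control channel
ACTIVE_DATA_ACK = Segment(SERVER, FTP_DATA, frozenset({"ACK"})) # reply to server's port-20 connection
PASSIVE_DATA_SYN = Segment(SERVER, 2049, frozenset({"SYN"}))    # client opens passive data channel
PASSIVE_DATA_ACK = Segment(SERVER, 2049, frozenset({"ACK"}))    # later segment of that channel
```

Evaluating the four segments shows the `gt 1023 established` entry admits the passive data channel only once it is already open; the client's opening SYN to the high port carries no ACK and falls through to the implied deny.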