The "classic" Cisco ACL is:
permit tcp any eq ftp-data host [internal-ftp-host] gt 1023
This allows internal users to use active FTP. Basically, when the PORT
command is issued the _outside_ host tries to connect back to us on the high
port.
To allow access to an _internal_ FTP server you should only need to allow
port 21 in (ftp control) and any established traffic. In this case, the
outside host connects to us, issues the PORT command and we then connect
_out_ to them. We only need to make sure that the _responses_ to that
traffic get back in. Those ACLs look a bit like:
permit tcp any host [ftp-server] eq ftp
permit tcp any host [ftp-server] eq ftp-data established
This is assuming our FTP server plays by the rules. If it's not actually
using the ftp-data port as the source to respond to the PORT command then
things are all screwed up and may be broken at either end.
What does that mean for you? It sounds like your router ACLs are probably
right. To host an internal FTP server you should only need to allow people
_in_ to ports 20/21. You may have a deeper problem.
Of course, the person who suggested using reflexive ACLs gets more points
because CBAC is generally much cooler than "standard" ACLs.
Cheers,
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
> -----Original Message-----
> From: David Shackelford [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 7 July 2000 1:21 AM
> To: [EMAIL PROTECTED]
> Subject: Passive Mode FTP usage & access-lists
>
>
> I have been looking at the RFC (1579) relating to ftp PASV and router
> access-lists and had a few questions related to a problem I'm
> encountering.
>
> I've got an FTP server running IIS 4.0 in my DMZ (which is created/protected
> by a PIX). I recently changed my Cisco router access-list to deny all but
> the protocols I need for business. I'm allowing TCP 20 and 21 in, but many
> ftp operations are failing.
>
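As an added illustration (not part of the thread above), the following toy evaluator models the two ACL fragments Ben quotes and runs the inbound segments from each case he describes, plus a passive-mode data connection from the original question, through them. Hosts, ports and packets are constructed; the IOS semantics are reduced to 'any', a single host, eq/gt port tests, the implicit deny, and 'established' (a segment with ACK or RST set).

```python
"""Evaluate the two ACL fragments from the thread against sample FTP packets.
Added example, not from the original post; hosts, ports and packets are constructed.
Modelled: 'any', one host, eq/gt port tests, 'established' (IOS: ACK or RST set)."""
from dataclasses import dataclass

@dataclass
class Packet:  # an inbound TCP segment as seen by the router
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # False only for the opening SYN

def port_ok(port, cond):
    """cond is None (any port), ('eq', n) or ('gt', n)."""
    if cond is None:
        return True
    op, n = cond
    return port == n if op == "eq" else port > n

def acl_permits(rules, pkt):
    """First matching permit wins; IOS ends every ACL with an implicit deny."""
    for r in rules:
        if (r["src"] in ("any", pkt.src) and r["dst"] in ("any", pkt.dst)
                and port_ok(pkt.sport, r.get("sport"))
                and port_ok(pkt.dport, r.get("dport"))
                and (pkt.ack or not r.get("established"))):
            return True
    return False

# permit tcp any eq ftp-data host 192.0.2.10 gt 1023   (the "classic" client rule)
CLIENT_ACL = [dict(src="any", sport=("eq", 20), dst="192.0.2.10", dport=("gt", 1023))]
# permit tcp any host 192.0.2.21 eq ftp  +  ... eq ftp-data established  (server rules)
SERVER_ACL = [dict(src="any", dst="192.0.2.21", dport=("eq", 21)),
              dict(src="any", dst="192.0.2.21", dport=("eq", 20), established=True)]

def scenarios(outside="198.51.100.5"):
    """Inbound segments for the cases the thread describes; returns name -> permitted."""
    c, s = "192.0.2.10", "192.0.2.21"
    return {
        # active FTP from an internal client: outside server connects back from port 20
        "client_active_data_syn": acl_permits(CLIENT_ACL, Packet(outside, 20, c, 40001)),
        # internal server: outside client opens the control connection
        "server_control_syn": acl_permits(SERVER_ACL, Packet(outside, 50000, s, 21)),
        # reply to the data connection our server opened from port 20 ('established')
        "server_data_reply": acl_permits(SERVER_ACL, Packet(outside, 50001, s, 20, ack=True)),
        # server sourced its data connection from a port other than 20: reply dropped
        "server_data_reply_wrong_sport": acl_permits(SERVER_ACL, Packet(outside, 50001, s, 3000, ack=True)),
        # passive mode: outside client opens a data connection to a high port (SYN)
        "server_pasv_data_syn": acl_permits(SERVER_ACL, Packet(outside, 50002, s, 3000)),
    }
```

The last two cases are the ones that "break at either end": a data connection the server does not source from port 20, and any passive-mode transfer, fall through to the implicit deny under the server rules.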