Ben Nagy wrote:
>
> FTP Passive mode should work through those ACLs as well. Passive just means
> that the client starts the ftp-data connection instead of the server.
Actually, this is exactly why it will not work. ;)
The listed ACLs are:
> int ser0
> ip access-group 110 in
> ...
>
> ...
> access-list 110 permit tcp any eq ftp host X.X.X.X established
> access-list 110 permit tcp any eq ftp-data host X.X.X.X
> ...
> access-list 110 deny ip any any
You are 100% correct that passive is established from client to server.
The problem is it's established from one upper port to another. There is
nothing here to allow inbound SYN=1 < 1023. To fix this, ports 1023-4096
need to be opened inbound to the FTP server as well.
Just make sure the FTP server does not have anything else listening in
this range (i.e. do a "netstat -a" or "lsof -i" on the FTP server
first). If you do have ports open in this range, create ACLs to block
access to them prior to opening 1023-4096.
Also, the second rule can be changed to "established" for increased
security since in active mode the connection will originate from the
server. Anything hitting this rule should have ACK=1.
Finally, I assume there is also an ACL:
access-list 110 permit tcp any eq ftp host X.X.X.X
or similar as you need to let in SYN=1 in order to establish the control
channel in the first place. If this is the case, the above listed
"established" rule is redundant.
HTH,
Chris
--
**************************************
[EMAIL PROTECTED]
* Mastering Cisco Routers
http://www.amazon.com/exec/obidos/ASIN/078212643X/
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
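To make the port-level reasoning in Chris's reply concrete, here is an added Python model of Cisco extended ACL matching (example code written for this page, not from the thread or from Cisco). It assumes the quoted entries are read literally as written, with X.X.X.X replaced by a constructed server address and the "established" keyword modelled as the ACK flag being set.

```python
# Added example, not from the thread: a small model of Cisco extended ACL matching,
# used to check which of the FTP flows discussed above each version of list 110 admits.
from dataclasses import dataclass

SERVER = "192.0.2.10"   # constructed stand-in for X.X.X.X
CLIENT = "203.0.113.5"  # constructed remote FTP client

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool  # ACK flag set; a bare SYN opening a new connection has ack=False

@dataclass
class Ace:
    action: str                # "permit" or "deny"
    src: str = "any"           # "any" or one host address
    sport: tuple = ()          # inclusive (lo, hi) source-port range; () = any port
    dst: str = "any"
    dport: tuple = ()          # inclusive (lo, hi) destination-port range; () = any
    established: bool = False  # Cisco "established": ACK (or RST) must be set

    def matches(self, p: Packet) -> bool:
        if self.src != "any" and p.src != self.src:
            return False
        if self.dst != "any" and p.dst != self.dst:
            return False
        if self.sport and not self.sport[0] <= p.sport <= self.sport[1]:
            return False
        if self.dport and not self.dport[0] <= p.dport <= self.dport[1]:
            return False
        return p.ack or not self.established

def evaluate(acl, p: Packet) -> str:
    # First matching entry wins; every Cisco ACL ends with an implicit deny.
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"

# The quoted list 110, entry by entry ("any eq ftp" is a *source* port of 21).
LISTED = [Ace("permit", sport=(21, 21), dst=SERVER, established=True),
          Ace("permit", sport=(20, 20), dst=SERVER),
          Ace("deny")]
# Chris's proposal: also admit new connections to ports 1023-4096 on the server.
FIXED = LISTED[:2] + [Ace("permit", dst=SERVER, dport=(1023, 4096))] + LISTED[2:]

# Constructed inbound packets: passive-mode data SYN (high port to high port) and
# the control-channel SYN to port 21, both as they would arrive on ser0.
PASV_DATA_SYN = Packet(CLIENT, 40000, SERVER, 3000, ack=False)
CTRL_SYN = Packet(CLIENT, 40001, SERVER, 21, ack=False)

def verdicts():
    return (evaluate(LISTED, PASV_DATA_SYN), evaluate(FIXED, PASV_DATA_SYN),
            evaluate(FIXED, CTRL_SYN))
```

`verdicts()` returns `("deny", "permit", "deny")`: the listed ACL drops the passive data SYN, the high-port rule admits it, and the control-channel SYN still needs its own non-"established" entry, as the reply's last paragraph says.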