Cisco ACL to FTP server
Question:
I have set up the following ACL to forward all FTP connections to an internal server but can't connect. I have applied it to the outside interface. Is there a problem with the ACL?
access-list 101 remark Forwarding FTP to 192.168.1.25
access-list 101 permit tcp host 216.99.13.nnn host 192.168.1.25 eq ftp-data
access-list 101 permit tcp host 216.99.13.nnn host 192.168.1.25 eq ftp
access-list 101 permit ip any any
Also tried:
access-list 101 remark Forwarding FTP to 192.168.1.25
access-list 101 permit tcp any host 192.168.1.25 eq ftp-data
access-list 101 permit tcp any host 192.168.1.25 eq ftp
access-list 101 permit ip any any
NAT:
ip nat inside source static tcp 192.168.1.25 20 interface FastEthernet4 20
ip nat inside source static tcp 192.168.1.25 21 interface FastEthernet4 21
Answer:
The ACLs don't make much sense because you're permitting ip any any at the end, so why have ACLs in the first place? Do not apply any ACLs and try to troubleshoot the issue. Can you telnet to port 21 inside your private network? Can you telnet from outside? How exactly are you checking? What are the configs of your inside and outside interfaces of the router?
Or you can deploy a route map like this:
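Separately from the route-map suggestion above (whose configuration is not on the page), here is an added example, not from either poster, that makes the first point of the answer concrete: a Cisco ACL is evaluated top to bottom, the first matching entry decides, and a trailing `permit ip any any` means the implicit deny at the end never fires, so the two FTP entries above it change nothing. The script parses the question's second ACL as posted, evaluates constructed probes against it with and without the final line, and reports the decision and the entry number that matched. The outside address 203.0.113.10 and the probe ports are constructed for the example; only the `host`, `any`, wildcard-mask and `eq` forms of ACL syntax are handled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords accepted in Cisco ACL syntax (subset used here).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "http": 80, "https": 443}
ANY = ipaddress.ip_network("0.0.0.0/0")


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _parse_addr(tokens, i):
    """Consume one ACL address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # 'A.B.C.D W.W.W.W' form: the second word is a Cisco wildcard (inverse) mask,
    # which ipaddress accepts directly as a hostmask.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None when the entry has no 'eq' clause

    def matches(self, proto, src, dst, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if ipaddress.ip_address(src) not in self.src:
            return False
        if ipaddress.ip_address(dst) not in self.dst:
            return False
        return self.dport is None or self.dport == dport


def parse_acl(text: str):
    """Parse numbered 'access-list N ...' lines; remark lines are skipped."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = _port(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces, proto, src, dst, dport=None):
    """First matching entry wins; falling off the end is the implicit deny."""
    for n, ace in enumerate(aces, 1):
        if ace.matches(proto, src, dst, dport):
            return ace.action, n
    return "deny", None


# Constructed sample: the second ACL from the question, as posted.
ACL_AS_POSTED = """
access-list 101 remark Forwarding FTP to 192.168.1.25
access-list 101 permit tcp any host 192.168.1.25 eq ftp-data
access-list 101 permit tcp any host 192.168.1.25 eq ftp
access-list 101 permit ip any any
"""

# Same entries minus the final 'permit ip any any', so the implicit deny applies.
ACL_TIGHTENED = "\n".join(ACL_AS_POSTED.strip().splitlines()[:-1])

OUTSIDE_HOST = "203.0.113.10"   # constructed outside address (TEST-NET-3)
FTP_SERVER = "192.168.1.25"


def compare(dport, proto="tcp"):
    """Return (decision with 'permit ip any any', decision without it) for one probe."""
    posted = evaluate(parse_acl(ACL_AS_POSTED), proto, OUTSIDE_HOST, FTP_SERVER, dport)
    tight = evaluate(parse_acl(ACL_TIGHTENED), proto, OUTSIDE_HOST, FTP_SERVER, dport)
    return posted[0], tight[0]


if __name__ == "__main__":
    for port in (21, 20, 23, 3389):
        print(port, compare(port))
```

Port 21 is permitted by entry 2 in both versions; port 23 is permitted by entry 3 in the posted ACL and denied (implicitly) once that entry is gone, which is the answer's point that the ACL as written is not restricting anything. Note also that an ACL only permits or denies; the forwarding itself is done by the `ip nat inside source static` lines, so a misbehaving ACL and a misbehaving NAT rule need to be tested separately.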
You've picked a big hairy beast by choosing FTP to work with. FTP is a special circumstance and I'll explain why.
First of all, don't bother permitting more than port 21 for FTP, there's no benefit unless you want to open a huge range of ports for it. This will be enough to support passive mode FTP.
To support active mode FTP, you'll need protocol inspection which is a firewalling topic. You'd need to setup an MQC rig.
I recommend checking out how to make use of protocol inspection with class maps and policy maps to allow traffic from protocols which open up ports randomly.
Your starting point would be the following in Cisco WS-C3560X-24P-L:
! Class maps used by an inspect policy must themselves be 'type inspect'
class-map type inspect match-any CM_FTP_FILTER
 match protocol ftp
class-map type inspect match-any CM_OTHER_STUFF_TO_PASS
 match ..... (you can reference access lists here)
!
policy-map type inspect PM_ALLOW_FTP_TRAFFIC
 class type inspect CM_FTP_FILTER
  ! 'inspect' (rather than 'pass') engages the FTP inspection that tracks the data ports
  inspect
 class type inspect CM_OTHER_STUFF_TO_PASS
  pass
 class class-default
  drop
!
! An inspect policy is attached to a zone pair, not directly to an interface;
! the zone and zone-pair names below are placeholders
zone security INSIDE
zone security OUTSIDE
interface FastEthernet 0/1
 zone-member security OUTSIDE
zone-pair security ZP_OUT_IN source OUTSIDE destination INSIDE
 service-policy type inspect PM_ALLOW_FTP_TRAFFIC
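The reason the answer above reaches for protocol inspection is that FTP fixes only the control port (21): the data connection's address and port are negotiated inside the control channel, in the server's `227` reply for passive mode and in the client's `PORT` command for active mode. The following added example, not code from either poster, walks a constructed control-channel transcript for the question's server (192.168.1.25) and computes the data connections an inspection engine would have to allow, and shows the address rewrite an FTP ALG performs on the `227` reply when the server sits behind a static NAT. The client address 203.0.113.10, the public address 203.0.113.5 and all port numbers are made up for the example.

```python
import re

# Server reply to PASV: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Client command in active mode: "PORT h1,h2,h3,h4,p1,p2".
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def decode_hostport(groups):
    """Turn the six comma-separated fields into ('h1.h2.h3.h4', p1*256 + p2)."""
    host = ".".join(groups[:4])
    port = int(groups[4]) * 256 + int(groups[5])
    return host, port


def data_pinholes(transcript):
    """Walk a control-channel transcript ([('C'|'S', line), ...]) and return
    the data connections an inspection engine would have to open, as
    (mode, description, host, port)."""
    holes = []
    for who, line in transcript:
        if who == "S":
            m = PASV_RE.match(line)
            if m:
                # Passive: the server listens on a dynamic port; the client connects to it.
                host, port = decode_hostport(m.groups())
                holes.append(("passive", "client -> server data port", host, port))
        elif who == "C":
            m = PORT_RE.match(line)
            if m:
                # Active: the server connects out from port 20 to the client's chosen port.
                host, port = decode_hostport(m.groups())
                holes.append(("active", "server:20 -> client data port", host, port))
    return holes


def rewrite_pasv(line, public_ip):
    """Rewrite the address inside a 227 reply to the NAT public address, leaving
    the negotiated port untouched (what an FTP ALG does for a server behind
    static NAT, since the server only knows its private address)."""
    m = PASV_RE.match(line)
    if not m:
        return line
    start, end = m.start(1), m.end(4)
    return line[:start] + public_ip.replace(".", ",") + line[end:]


# Constructed transcript of one session against the question's server (192.168.1.25);
# the client address 203.0.113.10 and all ports are invented for the example.
SESSION = [
    ("S", "220 FTP server ready"),
    ("C", "USER alice"),
    ("S", "331 Password required"),
    ("C", "PASS ********"),
    ("S", "230 Logged in"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,168,1,25,195,89)"),
    ("C", "RETR report.pdf"),
    ("S", "150 Opening data connection"),
    ("S", "226 Transfer complete"),
    ("C", "PORT 203,0,113,10,4,1"),
    ("S", "200 PORT command successful"),
    ("C", "LIST"),
    ("S", "226 Transfer complete"),
    ("C", "QUIT"),
]

if __name__ == "__main__":
    for hole in data_pinholes(SESSION):
        print(hole)
    print(rewrite_pasv(SESSION[6][1], "203.0.113.5"))
```

The passive data port here works out to 195*256 + 89 = 50009, which no static `ip nat inside source static tcp ... 20` or `... 21` line covers; the active-mode `PORT` goes the other way, from the server's port 20 to a client port chosen by the client. Both values exist only inside the control channel, which is why a class map with `match protocol ftp` and an `inspect` action is the mechanism that lets the router open exactly those connections instead of a wide static port range.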