Cisco ACL to FTP server

Published on by dellpe

Question:

I have set up the following ACL to forward all FTP connections to an internal server but can't connect. I have applied it to the outside interface. Is there a problem with the ACL?

access-list 101 remark Forwarding FTP to 192.168.1.25
access-list 101 permit tcp host 216.99.13.nnn host 192.168.1.25 eq ftp-data
access-list 101 permit tcp host 216.99.13.nnn host 192.168.1.25 eq ftp
access-list 101 permit ip any any

Also tried:

access-list 101 remark Forwarding FTP to 192.168.1.25
access-list 101 permit tcp any host 192.168.1.25 eq ftp-data
access-list 101 permit tcp any host 192.168.1.25 eq ftp
access-list 101 permit ip any any

NAT:

ip nat inside source static tcp 192.168.1.25 20 interface FastEthernet4 20
ip nat inside source static tcp 192.168.1.25 21 interface FastEthernet4 21

Answer:

The ACLs don't make much sense because you're permitting ip any any at the end, so why have ACLs in the first place? Do not apply any ACLs and try to troubleshoot the issue. Can you telnet to port 21 inside your private network? Can you telnet from outside? How exactly are you checking? What are the configs of your inside and outside interfaces of the router?

or you can deploy route map like this:

You've picked a big hairy beast by choosing FTP to work with. FTP is a special circumstance and I'll explain why.

First of all, don't bother permitting more than port 21 for FTP; there's no benefit unless you want to open a huge range of ports for it. This will be enough to support passive mode FTP.

To support active mode FTP, you'll need protocol inspection, which is a firewalling topic. You'd need to set up an MQC rig.

I recommend checking out how to make use of protocol inspection with class maps and policy maps to allow traffic from protocols which open up ports randomly.

Your starting point would be the following in Cisco WS-C3560X-24P-L:

class-map type inspect match-any CM_FTP_FILTER
 match protocol ftp
! the second class map must also be "type inspect" to be referenced from a type inspect policy
class-map type inspect match-any CM_OTHER_STUFF_TO_PASS
 match ..... (you can reference access lists here)
policy-map type inspect PM_ALLOW_FTP_TRAFFIC
 class type inspect CM_FTP_FILTER
  ! "inspect" (not "pass") is the action that tracks the FTP control channel and opens the data channel
  inspect
 class type inspect CM_OTHER_STUFF_TO_PASS
  pass
 class class-default
  drop
! a type inspect policy attaches to a zone-pair, not directly to an interface; zone names are placeholders
zone security INSIDE
zone security OUTSIDE
zone-pair security OUTSIDE-TO-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PM_ALLOW_FTP_TRAFFIC
interface FastEthernet 0/1
 zone-member security OUTSIDE
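The first answer's objection to the trailing permit ip any any, and the question of which flows the ACL actually admits, can be checked mechanically. The Python below is an added example, not code from the question or either answer: it parses the numbered-ACL syntax used in the question (SAMPLE_ACL is a constructed copy of the second ACL), evaluates a flow first-match with the implicit deny, and lists entries that a later same-action entry makes redundant; any source or router addresses used when calling it, such as 203.0.113.10, are constructed.

```python
import re
from itertools import takewhile

# IOS keyword names for the ports used in the question's ACLs.
PORT_NAMES = {"ftp": 21, "ftp-data": 20}

# Numbered extended ACE as posted: "any"/"host A.B.C.D" on both sides, optional "eq <port>".
ACE_RE = re.compile(
    r"^access-list\s+\d+\s+(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp)\s+"
    r"(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)(?:\s+eq\s+(?P<port>\S+))?\s*$")

# Constructed sample: the second ACL from the question (remark lines never match ACE_RE).
SAMPLE_ACL = """
access-list 101 remark Forwarding FTP to 192.168.1.25
access-list 101 permit tcp any host 192.168.1.25 eq ftp-data
access-list 101 permit tcp any host 192.168.1.25 eq ftp
access-list 101 permit ip any any
"""

def parse_acl(text):
    """Return the entries of an IOS numbered ACL in order; None stands for 'any'."""
    host = lambda spec: None if spec == "any" else spec.split()[1]
    entries = []
    for m in filter(None, (ACE_RE.match(line.strip()) for line in text.splitlines())):
        dport = None if m["port"] is None else PORT_NAMES.get(m["port"]) or int(m["port"])
        entries.append({"action": m["action"], "proto": m["proto"], "src": host(m["src"]),
                        "dst": host(m["dst"]), "dport": dport})
    return entries

def _covers(wide, narrow):
    """True if every flow matched by 'narrow' is also matched by 'wide'."""
    proto_ok = wide["proto"] in ("ip", narrow["proto"])
    return proto_ok and all(wide[k] in (None, narrow[k]) for k in ("src", "dst", "dport"))

def evaluate(entries, proto, src, dst, dport):
    """First matching entry wins; every ACL ends with an implicit deny."""
    flow = {"proto": proto, "src": src, "dst": dst, "dport": dport}
    for i, ace in enumerate(entries):
        if _covers(ace, flow):
            return ace["action"], i
    return "deny", None

def redundant_entries(entries):
    """Entries that a later same-action entry covers with no action change in between."""
    redundant = []
    for i, ace in enumerate(entries):
        later_same = takewhile(lambda e: e["action"] == ace["action"], entries[i + 1:])
        if any(_covers(later, ace) for later in later_same):
            redundant.append(i)
    return redundant
```

With SAMPLE_ACL, evaluate() for TCP/21 to 192.168.1.25 returns ('permit', 1) and redundant_entries() returns [0, 1], i.e. both FTP entries are no-ops under the catch-all. Note also that an ACL applied inbound on the outside interface is evaluated before the inbound NAT translation, so the destination it sees is the router's FastEthernet4 address rather than 192.168.1.25.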

Published on Cisco 3560X
