[c-nsp] ACL Filtering for Passive FTP Server..

Darryl Dunkin ddunkin at netos.net
Thu Dec 13 04:36:46 EST 2007


This one is pretty common.

Here is a good reference:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml#passiveftp

Shows examples for both incoming and outgoing ACLs, active/passive, etc.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Howard Leadmon
Sent: Thursday, December 13, 2007 00:43
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ACL Filtering for Passive FTP Server..


  OK, I figure I'll toss this out, as looking around I keep seeing configs for the client end of Passive FTP, so that you can use CBAC or reflexive lists for FTP access.  Actually I think Active FTP is straightforward: just allow ports 20 and 21 and life goes on.

 My question comes up with doing Passive FTP.  I know I can just allow ports greater than 1023 to hit the server and then passive operation will work.  Is there any easy way to do this without opening ALL of my TCP ports above 1023?

 I was thinking of using CBAC, but I am either doing something wrong, or it's really designed to inspect the data from the client's side to perform its dynamic adjustments, not from the server side, as any attempts I made seemed to blow up.

 Oh, one last twist: whatever I use needs to be applied to a VLAN subinterface, as I just want to apply it to, say, GigabitEthernet0/1.18, which feeds only the port that the FTP server is off of on the switch, as I don't want ACLs on the high-bandwidth inbound GE ports coming at the router.  So I want something that can be applied on the sub-interface out to that specific server.

 Hopefully the above made sense; I probably shouldn't be debugging stuff like this at 4am in the morning..   LOL



---
Howard Leadmon 


_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
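The reason a static ACL for a passive FTP server ends up as "permit tcp any host SERVER gt 1023" is that the server picks the data port per session and announces it in-band on the control channel (the 227 reply to PASV), so nothing short of reading that reply can narrow the hole. The following Python script is an added illustration, not code from the thread or from Cisco: it models what a stateful FTP inspector (CBAC, or any other engine doing "inspect ftp") has to do on the server side, namely watch the control channel, parse the PASV/EPSV replies from the server and PORT commands from the client, and emit one narrow permit per data connection. The entries are written for an ACL applied "out" on the server-facing subinterface, the direction Howard describes, so they filter packets travelling client to server. The client and server addresses and the control-channel transcript are constructed for the example. The inspector also refuses the announcements a real one must refuse: a PASV reply naming a host other than the server, or a PORT command naming a host other than the client (the classic FTP bounce), and privileged ports.

```python
"""Toy server-side FTP control-channel inspector (added example, not from the
thread).  Derives the per-session data-channel pinhole a stateful inspector
would open, for an ACL applied *out* on the server-facing subinterface.
Addresses and the transcript below are constructed sample input."""

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# 229 Entering Extended Passive Mode (|||port|)
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")
# PORT h1,h2,h3,h4,p1,p2  (client announces where the server should connect for active mode)
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")

# Constructed sample addresses (documentation ranges), not from the thread.
CLIENT = "198.51.100.7"
SERVER = "203.0.113.10"

# What the static alternative in the thread has to permit: every port above 1023.
STATIC_FALLBACK = f"permit tcp any host {SERVER} gt 1023"


def static_fallback_width() -> int:
    """Number of destination ports the 'gt 1023' rule leaves open (65535 - 1023)."""
    return 65535 - 1023


@dataclass(frozen=True)
class Pinhole:
    """One dynamic entry for the out-ACL on the server-facing subinterface
    (filters client -> server packets)."""
    client: str
    client_port: Optional[int]   # None = any client source port
    server: str
    server_port: int
    established: bool            # True = only the return half of a server-initiated flow

    def as_acl(self) -> str:
        src = f"host {self.client}" + (f" eq {self.client_port}" if self.client_port is not None else "")
        tail = " established" if self.established else ""
        return f"permit tcp {src} host {self.server} eq {self.server_port}{tail}"


def _addr_port(groups) -> Tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 form; every field is one byte."""
    fields = [int(g) for g in groups]
    if any(f > 255 for f in fields):
        raise ValueError("address or port byte out of range")
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def inspect_line(line: str, client: str, server: str, from_server: bool) -> Optional[Pinhole]:
    """Return a Pinhole if this control-channel line announces a data connection,
    None otherwise.  Raises ValueError for announcements an inspector must refuse."""
    if from_server:
        m = PASV_RE.match(line)
        if m:
            addr, port = _addr_port(m.groups())
            if addr != server:
                raise ValueError(f"PASV address {addr} is not the server {server} (bounce/hijack)")
            if port < 1024:
                raise ValueError(f"PASV port {port} is privileged")
            # Passive: the client will SYN to server:port, so open exactly that.
            return Pinhole(client, None, server, port, established=False)
        m = EPSV_RE.match(line)
        if m:
            port = int(m.group(1))
            if not 1024 <= port <= 65535:
                raise ValueError(f"EPSV port {port} out of range")
            return Pinhole(client, None, server, port, established=False)
        return None
    m = PORT_RE.match(line)
    if m:
        addr, port = _addr_port(m.groups())
        if addr != client:
            raise ValueError(f"PORT address {addr} is not the client {client} (FTP bounce)")
        if port < 1024:
            raise ValueError(f"PORT port {port} is privileged")
        # Active: the server connects from port 20 to client:port.  That SYN leaves the
        # server and is not filtered by the out-ACL; only the client's replies need a hole.
        return Pinhole(client, port, server, 20, established=True)
    return None


def inspect_session(lines: List[Tuple[bool, str]], client: str, server: str) -> List[str]:
    """lines: (from_server, text) in wire order.  Returns the ACL entries to open."""
    return [h.as_acl() for from_server, text in lines
            if (h := inspect_line(text, client, server, from_server)) is not None]


# Constructed control-channel transcript: one passive transfer, then a PORT command.
SESSION = [
    (True,  "220 ftp ready"),
    (False, "USER anonymous"),
    (True,  "331 Please specify the password."),
    (False, "PASS guest@"),
    (True,  "230 Login successful."),
    (False, "PASV"),
    (True,  "227 Entering Passive Mode (203,0,113,10,195,80)"),   # 195*256+80 = 50000
    (False, "RETR file.bin"),
    (True,  "150 Opening BINARY mode data connection."),
    (True,  "226 Transfer complete."),
    (False, "PORT 198,51,100,7,4,1"),                               # 4*256+1 = 1025
    (True,  "200 PORT command successful."),
]

if __name__ == "__main__":
    print("static rule:", STATIC_FALLBACK, f"({static_fallback_width()} ports)")
    for entry in inspect_session(SESSION, CLIENT, SERVER):
        print("dynamic   :", entry)
```

Run as-is it prints the one-port pinhole for the passive transfer ("eq 50000") and the established-only entry for the active one beside the 64512-port static rule. The address checks are the part worth keeping in mind if you ever hand-roll this with reflexive lists: a data channel must only be opened toward the endpoint that is already party to the control session.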