[c-nsp] route-map ftp connection
Darryl Dunkin
ddunkin at netos.net
Tue Oct 14 20:24:26 EDT 2008
This is a good reference for matching active vs passive FTP connections:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml#passiveftp
Basically:
permit tcp any any eq ftp
permit tcp any any gt 1024
However, this has the potential to grab traffic destined to other ports
that is not FTP traffic (if you can stand some mis-matching, this is
acceptable). It would be safer if you knew the destination FTP server to
specify it instead:
permit tcp any host a.b.c.d eq ftp
permit tcp any host a.b.c.d gt 1024
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dan Letkeman
Sent: Tuesday, October 14, 2008 16:54
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] route-map ftp connection
Hello,
I have a route-map on my 2811 router that sets the next hop for ftp
traffic:
route-map inet permit 100
match ip address ftp
set ip next-hop 192.168.11.101
The access list looks like this:
1 permit tcp any any eq ftp
2 permit tcp any any eq ftp-data
3 deny ip any any
This seems to work well for active ftp connections but passive ftp
connections don't seem to make a connection. Is there something else
I can do to make this work with passive ftp connections?
Thanks,
Dan.
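An added example, not from either poster: a small Python evaluator for the Cisco-style ACL lines in this thread, showing which constructed client-to-server flows Dan's ACL, Darryl's generic `gt 1024` version and Darryl's host-specific version would hand to the route-map. The addresses 10.0.0.5 (client), 192.0.2.10 (the FTP server standing in for a.b.c.d) and 198.51.100.5 (an unrelated host) are constructed, and the parser understands only the keywords the thread uses.

```python
# Added example, not from the thread: toy evaluator for the Cisco-style ACL
# lines quoted above (only permit/deny, tcp/ip, any, host A.B.C.D, eq/gt).
PORT_NAMES = {"ftp": 21, "ftp-data": 20}

def _addr(tokens):
    """Consume 'any' or 'host A.B.C.D'; return a predicate on an IP string."""
    kw = tokens.pop(0)
    if kw == "any":
        return lambda ip: True
    if kw == "host":
        want = tokens.pop(0)
        return lambda ip: ip == want
    raise ValueError(f"unsupported address form: {kw}")

def _port(tokens):
    """Consume an optional 'eq N' / 'gt N'; return a predicate on a port."""
    if not tokens:
        return lambda port: True
    op, val = tokens.pop(0), tokens.pop(0)
    n = PORT_NAMES[val] if val in PORT_NAMES else int(val)
    return {"eq": lambda port: port == n, "gt": lambda port: port > n}[op]

def parse_acl(text):
    """One ACE per line -> (action, proto, src_pred, dst_pred, dport_pred)."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto, rest = t[0], t[1], t[2:]
        entries.append((action, proto, _addr(rest), _addr(rest), _port(rest)))
    return entries

def acl_permits(entries, src_ip, dst_ip, dst_port):
    """First match wins; implicit deny at the end, as on IOS."""
    for action, proto, src, dst, dport in entries:
        if proto in ("ip", "tcp") and src(src_ip) and dst(dst_ip) and dport(dst_port):
            return action == "permit"
    return False

# Constructed client->server flows as the LAN-side router interface sees them.
# 192.0.2.10 is the FTP server, 198.51.100.5 an unrelated web host.
FLOWS = {
    "ftp-control": ("10.0.0.5", "192.0.2.10", 21),
    "active-data": ("10.0.0.5", "192.0.2.10", 20),      # server dialled in from port 20
    "passive-data": ("10.0.0.5", "192.0.2.10", 51234),  # client dials server's PASV port
    "unrelated-8080": ("10.0.0.5", "198.51.100.5", 8080),
}

def routed_flows(acl_text):
    entries = parse_acl(acl_text)  # names of constructed flows handed to the route-map
    return sorted(n for n, f in FLOWS.items() if acl_permits(entries, *f))
```

Dan's ACL misses the passive data connection, the generic `gt 1024` version catches it but also drags in the unrelated port-8080 flow, and pinning the destination host removes that over-match.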
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/