• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1254
  • Last Modified:

FTP and Cisco ACL's

How do I make my ACL application aware?  We use port mode for FTP internally and it seems the data connection can't be established.  You can login to the FTP server okay, but any request to the server that requires the data pipe is failing.  The ACL is allowing tcp ports 20 & 21.  However with port mode, I doubt we are actually using port 20 for data.

access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data

All my other services are working great, just can't get FTP to do its thing.  Any help is appreciated.

1 Solution
Is the ACL being applied inbound, or outbound?

Try allowing anything established:

access-list 101 permit tcp any any established

add this line to the bottom of your acl:

access-list 101 deny any any log

This way you can watch the log and see exactly what is being denied and adjust accordingly.
After some research, i found that port-mode used high numbered ports, so you may need to add this line, if the established keyword does not help:

access-list 101 permit tcp any any gt 1024

mangiaAuthor Commented:

The ACL is on our WAN interface, for inbound.  The first line of the ACL is,

access-list 101 permit tcp any any established

Doesn't the server send a passive open back to the client to open the data pipe? This should be a SYN packet and not an established connection.  Plus it's not cool to open 64511 ports to get FTP working.

Is CBAC needed in this case?

The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

Are you trying to help you internal users get to outside FTP sites, or outside users to get to your FTP site?
The simplest thing for the internal users is to switch to passive mode to force the use of port 20 for data
This is a pretty good resource about FTP and firewalls.  


and this one is not bad either.

mangiaAuthor Commented:
This is for internal users to access outside ftp sites.  Plus MS command line ftp, which I use, does not support pasv mode.

I need to rethink my layered security plan.  I may be effectively negating the investment in our PIX by getting so granular with the router ACL.  I think my Internet router should filter RFC1918 and permit only company-owned addresses outbound.

I agree with your assessment. If you have this access-list assigned to the serial interface INbound, that is the wrong place to have it anyway. Let the PIX be the firewall and just use the most basic security on the edge router.

Check out the Executive Summary of the Cisco Router guide here.

This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
Post your closing recommendations!  No comment means you don't care.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now