need ACL for access FTP site

I am trying to access an FTP server from my network.
Traffic goes through a VPN tunnel.
There is a firewall in front of the FTP server.
When we remove all ACLs we are able to upload / wget files.
When I add the ACL I get the following: "..A remote host refused an attempted connect operation."


I have tried the following

110 permit ip host x.y.z.w  a.b.c.0 0.0.0.255      got same error

tried

110 permit ip host x.y.z.w  eq ftp a.b.c.0 0.0.0.255      got same error
115 permit ip host x.y.z.w  eq ftp-data a.b.c.0 0.0.0.255      got same error


Any ideas?
c_hockland Asked:

c_hockland (Author) Commented:
Also, when I put the

110 permit ip host x.y.z.w  a.b.c.0 0.0.0.255      got same error

I don't see traffic dropped

tx06r#sho log | inc 10.221.64.17

tx06r#
c_hockland (Author) Commented:
Actually I take it back, I see packets dropped from the server

Oct  2 14:00:27: %SEC-6-IPACCESSLOGP: list OXID denied tcp x.y.z.w (65206) -> a.b.c..19(51480), 1 packet
Patrick Bogers (Datacenter platform engineer, Lindows) Commented:
Hi

Assuming this is a Cisco solution, what if you try:

access-list 110 permit tcp host x.y.z.w eq ftp any
access-list 110 permit tcp host x.y.z.w eq ftp-data any

packets dropped from the server? So traffic is passing the router?
c_hockland (Author) Commented:
I tried this ACL and got the same error.

I just noticed that packets are dropped from another subnet

instead of

Oct  2 14:00:27: %SEC-6-IPACCESSLOGP: list OXID denied tcp x.y.z.w (65206) -> a.b.c..19(51480), 1 packet

I saw

Oct  2 14:00:27: %SEC-6-IPACCESSLOGP: list OXID denied tcp x.y.z.w (65206) -> a.b.D..19(51480), 1 packet


a.b.c.19 is different from a.b.d.19, so I think they are using multiple subnets.

I am adding this subnet to the ACL and will test.
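
The comparison made by eye in the last comment, checking each denied packet's destination against the subnet the ACL entry covers, can be scripted. This is an added example, not part of the original thread: the log lines are constructed in the %SEC-6-IPACCESSLOGP format quoted above with documentation addresses in place of the masked ones, and the function name, the listed subnet and the /24 grouping (taken from the 0.0.0.255 wildcard) are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# %SEC-6-IPACCESSLOGP format as quoted in the thread (TCP/UDP entries with ports).
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\s*\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\s*\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def classify_denies(lines, acl_dest_nets):
    """Split denied packets into two counters keyed by (acl, src, dst /24):
    destinations outside every subnet the ACL lists, and destinations inside
    a listed subnet (address matched, so protocol or ports did not)."""
    nets = [ip_network(n) for n in acl_dest_nets]
    unlisted, listed = Counter(), Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["action"] != "denied":
            continue
        try:
            dst = ip_address(m["dst"])
        except ValueError:
            continue  # masked or malformed address such as "a.b.c..19"
        key = (m["acl"], m["src"], str(ip_network(f"{dst}/24", strict=False)))
        bucket = listed if any(dst in n for n in nets) else unlisted
        bucket[key] += int(m["count"])
    return unlisted, listed

# Constructed sample log; 203.0.113.10 stands in for the FTP server x.y.z.w.
SAMPLE_LOG = [
    "Oct  2 14:00:27: %SEC-6-IPACCESSLOGP: list OXID denied tcp 203.0.113.10(65206) -> 192.0.2.19(51480), 1 packet",
    "Oct  2 14:00:31: %SEC-6-IPACCESSLOGP: list OXID denied tcp 203.0.113.10 (65207) -> 198.51.100.19(51481), 3 packets",
    "Oct  2 14:00:35: %SEC-6-IPACCESSLOGP: list OXID permitted tcp 203.0.113.10(21) -> 192.0.2.19(51482), 1 packet",
]
ACL_DEST_NETS = ["192.0.2.0/24"]  # assumed: the single subnet the ACL entry names

if __name__ == "__main__":
    unlisted, listed = classify_denies(SAMPLE_LOG, ACL_DEST_NETS)
    for (acl, src, net), pkts in unlisted.items():
        print(f"list {acl}: {pkts} pkt(s) {src} -> {net} denied, subnet not in ACL")
    for (acl, src, net), pkts in listed.items():
        print(f"list {acl}: {pkts} pkt(s) {src} -> {net} denied, subnet listed")
```

Destinations reported as "subnet not in ACL" are the case found in the thread; denies to a listed subnet mean the address matched and the protocol or port part of the entry did not.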