Hello all,

This task requires that FTP/web traffic be allowed to go out from the network. The access-list that configures it in P.G is as follows:

ip access-list extended IE4ME
 permit tcp 150.100.40.0 0.0.0.255 any eq www
 permit tcp 150.100.40.0 0.0.0.255 any eq ftp
 permit tcp 150.100.40.0 0.0.0.255 any eq ftp-data
 remark Those three lines cover stuff the users generate
 permit tcp 150.100.40.0 0.0.0.255 any established
 remark That line is necessary for the WWW/FTP server's responses since ports vary
 permit ospf any any

I think the user part of the access-list assumes that users will be using active FTP and will have a connection to ports 20 and 21 on the server, so the second and third lines of the list are good. However, for the server part it assumes standard FTP, in which the user initiates a connection to a randomly selected port on the server, and to allow the reply the server part of the list allows all ports as a reply to the user using the established keyword.

I think this problem can only be solved if we consider either one of the two FTP modes or both. Considering both FTP modes requires us to allow all the ports in both directions. If we consider active FTP, the server part will look something like this and will be much simpler:

 permit tcp 150.100.40.0 0.0.0.255 eq ftp-data any
 permit tcp 150.100.40.0 0.0.0.255 eq www any

I would like to understand the reason for using different modes for users and servers, because it seems like the user part is based on active FTP and the server part is based on passive FTP.

Thanks,
Suresh
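To see concretely which TCP segments the posted list lets out, here is a small evaluator for the IE4ME entries and for the two server-side entries proposed at the end of the post, run against the outbound segments that active and passive FTP actually generate. This is an added example, not code from the post or from any Cisco tool. It assumes IOS extended-ACL semantics (first match wins, implicit deny at the end, inverse wildcard masks, and `established` matching any TCP segment with ACK or RST set); the host addresses other than the 150.100.40.0/24 network and the high port numbers are constructed for the example.

```python
"""Evaluate the IE4ME outbound ACL against the TCP segments of active and passive FTP.

Added example, not code from the original post. Assumed Cisco IOS semantics:
entries are tried in order and the first match wins; an implicit deny ends the
list; wildcard masks are inverse masks (0 bits must match); 'established'
matches any TCP segment with the ACK or RST flag set. Outside addresses and
high ports are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

WWW, FTP, FTP_DATA = 80, 21, 20
INSIDE_NET, INSIDE_WILD = "150.100.40.0", "0.0.0.255"


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]  # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


@dataclass(frozen=True)
class Entry:
    action: str                  # "permit" or "deny"
    src_net: str
    src_wild: str
    sport: Optional[int] = None  # 'eq <port>' placed after the source address
    dport: Optional[int] = None  # 'eq <port>' placed after the destination
    established: bool = False


def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    return (a & ~w) == (n & ~w)


def entry_matches(e: Entry, s: Segment) -> bool:
    if not wildcard_match(s.src, e.src_net, e.src_wild):
        return False
    if e.sport is not None and s.sport != e.sport:
        return False
    if e.dport is not None and s.dport != e.dport:
        return False
    if e.established and not (s.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl: List[Entry], s: Segment) -> str:
    for e in acl:
        if entry_matches(e, s):
            return e.action
    return "deny"  # implicit deny at the end of every IOS ACL


# TCP entries of IE4ME as posted ('permit ospf any any' is not TCP and is omitted).
IE4ME: List[Entry] = [
    Entry("permit", INSIDE_NET, INSIDE_WILD, dport=WWW),
    Entry("permit", INSIDE_NET, INSIDE_WILD, dport=FTP),
    Entry("permit", INSIDE_NET, INSIDE_WILD, dport=FTP_DATA),
    Entry("permit", INSIDE_NET, INSIDE_WILD, established=True),
]

# The server-side entries proposed at the end of the post, used in place of 'established'.
PROPOSED: List[Entry] = IE4ME[:3] + [
    Entry("permit", INSIDE_NET, INSIDE_WILD, sport=FTP_DATA),
    Entry("permit", INSIDE_NET, INSIDE_WILD, sport=WWW),
]

CLIENT, INSIDE_SERVER = "150.100.40.25", "150.100.40.80"  # constructed inside hosts
EXT_SERVER, EXT_CLIENT = "203.0.113.10", "198.51.100.7"   # constructed outside hosts
SYN, SYNACK, ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})


def outbound_segments() -> Dict[str, Segment]:
    """Only the inside->outside direction, where the list is applied."""
    return {
        # inside user talking to an outside FTP server
        "user: control SYN to port 21": Segment(CLIENT, 40001, EXT_SERVER, FTP, SYN),
        "user: active data reply to server port 20": Segment(CLIENT, 40002, EXT_SERVER, FTP_DATA, SYNACK),
        "user: passive data SYN to server high port": Segment(CLIENT, 40003, EXT_SERVER, 51515, SYN),
        "user: passive data ACK to server high port": Segment(CLIENT, 40003, EXT_SERVER, 51515, ACK),
        # inside FTP server answering an outside client
        "server: control SYN/ACK from port 21": Segment(INSIDE_SERVER, FTP, EXT_CLIENT, 50001, SYNACK),
        "server: active data SYN from port 20": Segment(INSIDE_SERVER, FTP_DATA, EXT_CLIENT, 50002, SYN),
        "server: passive data SYN/ACK from high port": Segment(INSIDE_SERVER, 61000, EXT_CLIENT, 50003, SYNACK),
    }


def verdicts(acl: List[Entry]) -> Dict[str, str]:
    return {name: evaluate(acl, seg) for name, seg in outbound_segments().items()}


if __name__ == "__main__":
    for label, acl in (("IE4ME as posted", IE4ME), ("proposed server entries", PROPOSED)):
        print(f"--- {label}")
        for name, verdict in verdicts(acl).items():
            print(f"{verdict:6} {name}")
```

Running it shows the asymmetry the post asks about: with the list as posted, a user's passive-mode data SYN to a server high port is dropped (no port entry matches and a bare SYN is not `established`), while an inside server's replies on any port pass through `established`; with the proposed `eq ftp-data any` / `eq www any` entries instead, the inside server's active-mode data SYN from port 20 passes, but its control-channel replies from port 21 no longer match anything.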
