Mishra,

I had to go back and read the section because I have not read it before. So
my answer was based on the understanding that there were only clients on the
subnet. Since the question states there are servers on the subnet, you are
correct in the understanding that ftp-data will need to be allowed from the
servers out.

So the ACL should be

Permit tcp 150.100.40.0 0.0.0.255 any eq www
Permit tcp 150.100.40.0 0.0.0.255 any range ftp-data ftp
Permit tcp 150.100.40.0 0.0.0.255 eq ftp-data any
Permit tcp 150.100.40.0 0.0.0.255 any established
Permit ospf any any


Regards,
 
Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.

Telephone: +1.810.326.1444 
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto:  [EMAIL PROTECTED]
 
Join our free online support and peer group communities:
http://www.IPexpert.com/communities
 
IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand
and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE
Security Lab, CCIE Service Provider Lab , CCIE Voice Lab and CCIE Storage
Lab Certifications.

 

-----Original Message-----
From: Suresh Mishra [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 17, 2008 5:51 PM
To: Tyson Scott
Cc: osl
Subject: Re: [OSL | CCIE_RS] VOl1-Sec 13-task 13.2

Hi Scott,

I think the line

"permit tcp 150.100.40.0  0.0.0.255 eq ftp-data any"

is only applicable to the connection initiated by the server and it
will be blocked by the established keyword in the outgoing
access-list. Server initiates the connection using source port 21
back to the client as per the definition of active FTP.

This information is based on the explanation in Richard Deal's book and
the Cisco Cookbook by Kevin.


Suresh
On Thu, Jul 17, 2008 at 5:42 PM, Tyson Scott <[EMAIL PROTECTED]> wrote:
> this
> permit tcp 150.100.40.0 0.0.0.255 any established
>
> accomplishes the same thing as
> permit tcp 150.100.40.0 0.0.0.255 eq ftp-data any
> permit tcp 150.100.40.0 0.0.0.255 eq www any
>
> Depends on how strict the requirement is
>
> But the first line will match anything that has the ACK or FIN bit set in
> the packet and allow it through.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S and Security
> Technical Instructor - IPexpert, Inc.
>
> Telephone: +1.810.326.1444
> Cell: +1.248.504.7309
> Fax: +1.810.454.0130
> Mailto:  [EMAIL PROTECTED]
>
> Join our free online support and peer group communities:
> http://www.IPexpert.com/communities
>
> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand
> and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE
> Security Lab, CCIE Service Provider Lab , CCIE Voice Lab and CCIE Storage
> Lab Certifications.
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Suresh Mishra
> Sent: Wednesday, July 16, 2008 4:20 PM
> To: osl
> Subject: [OSL | CCIE_RS] VOl1-Sec 13-task 13.2
>
> Hello all,
>
> This task requires that FTP/web traffic be allowed to go out from the
> network. The access-list that configures it in P.G is as follows
>
> ip access-list extended IE4ME
>  permit tcp 150.100.40.0 0.0.0.255 any eq www
>  permit tcp 150.100.40.0 0.0.0.255 any eq ftp
>  permit tcp 150.100.40.0 0.0.0.255 any eq ftp-data
>  remark Those three lines cover stuff the users generate
>  permit tcp 150.100.40.0 0.0.0.255 any established
>  remark That line is necessary for the WWW/FTP server's responses
> since ports vary
>  permit ospf any any
>
> I think the user part of the access-list assumes that users will be
> using active FTP and will have connection to port 20 & 21 on the
> server.
> So the second and third line of the list are good
> However, for the server part it assumes standard FTP, in which user
> initiates connection to randomly selected port on the server and to
> allow the reply the server part of the list allows all ports as reply
> to the user using established Keyword.
>
> I think this problem can only be solved if we consider either one of
> the two FTP modes or both the FTP modes. Considering both the FTP
> modes requires us to allow all the ports in both the directions
>
> If we consider active FTP in that the server part will look something
> like this and will be much simpler.
>
> permit tcp 150.100.40.0 0.0.0.255 eq ftp-data  any
> permit tcp 150.100.40.0 0.0.0.255 eq www any
>
> I would like to understand the reason for using different modes for
> user and servers
>  because it seems like user part is based on active FTP and server
> part is based on passive FTP.
>
> Thanks
> Suresh
>
>
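Added example, not code from the thread or from any of its participants: a small Python evaluator for the extended-ACL syntax used above, run against the five-line list from Tyson's final reply. It shows the point the thread turns on: "established" only matches segments with ACK or RST set, so the data connection an inside FTP server opens in active mode (a fresh SYN from source port 20, ftp-data) is never matched by it, and the "eq ftp-data any" line is what admits that traffic; replies from an inside web server or a passive-mode server carry ACK and do match "established". The subnet 150.100.40.0/24 is the thread's; the server 150.100.40.10, client 150.100.40.20 and outside host 198.51.100.7 are constructed, and the evaluator assumes IOS semantics (first match wins, implicit deny at the end).

```python
"""Evaluate Cisco IOS extended ACL entries against sample packets.
Added example for the OSL thread; hosts other than the subnet are constructed."""
import ipaddress

PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20}  # names as IOS resolves them


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_addr(tokens, i):
    """Return ((network, wildcard), next_index); 'any' is 0.0.0.0 255.255.255.255."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def _parse_ports(tokens, i):
    """Optional port operator following an address: eq X | range X Y | gt X | lt X."""
    op = tokens[i] if i < len(tokens) else None
    if op == "eq":
        return (_port(tokens[i + 1]),) * 2, i + 2
    if op == "range":
        return (_port(tokens[i + 1]), _port(tokens[i + 2])), i + 3
    if op == "gt":
        return (_port(tokens[i + 1]) + 1, 65535), i + 2
    if op == "lt":
        return (0, _port(tokens[i + 1]) - 1), i + 2
    return None, i


def parse_ace(line):
    t = line.lower().split()
    src, i = _parse_addr(t, 2)
    sport, i = _parse_ports(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_ports(t, i)
    return dict(action=t[0], proto=t[1], src=src, sport=sport, dst=dst,
                dport=dport, established="established" in t[i:])


def _addr_match(spec, addr):
    net, wild = spec  # wildcard bit set = "don't care"
    return ((int(ipaddress.IPv4Address(addr)) ^ net) & ~wild & 0xFFFFFFFF) == 0


def _port_match(spec, port):
    return spec is None or spec[0] <= port <= spec[1]


def evaluate(acl, pkt):
    """First matching entry decides; an extended ACL ends with an implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (_addr_match(ace["src"], pkt["src"]) and _addr_match(ace["dst"], pkt["dst"])):
            continue
        if pkt["proto"] == "tcp":
            if not (_port_match(ace["sport"], pkt["sport"]) and _port_match(ace["dport"], pkt["dport"])):
                continue
            # 'established' matches only segments with ACK or RST set; a bare
            # SYN that opens a new connection never matches it
            if ace["established"] and not (pkt["flags"] & {"ACK", "RST"}):
                continue
        return ace["action"]
    return "deny"


# The list from the final reply in the thread
ACL_REPLY = [parse_ace(l) for l in """
permit tcp 150.100.40.0 0.0.0.255 any eq www
permit tcp 150.100.40.0 0.0.0.255 any range ftp-data ftp
permit tcp 150.100.40.0 0.0.0.255 eq ftp-data any
permit tcp 150.100.40.0 0.0.0.255 any established
permit ospf any any
""".split("\n") if l.strip()]

# Same list without the 'eq ftp-data any' entry, to see what 'established' alone does
ACL_WITHOUT_FTP_DATA = [a for a in ACL_REPLY if a["sport"] != (20, 20)]


def tcp(src, sport, dst, dport, *flags):
    return dict(proto="tcp", src=src, sport=sport, dst=dst, dport=dport, flags=set(flags))


def active_ftp_cases(acl):
    """Outbound packets leaving the subnet (constructed hosts) and the ACL's verdict."""
    client, server, outside = "150.100.40.20", "150.100.40.10", "198.51.100.7"
    return {
        "client_ctrl_syn": evaluate(acl, tcp(client, 40001, outside, 21, "SYN")),
        "client_http_ack": evaluate(acl, tcp(client, 40002, outside, 80, "ACK")),
        # inside server opens the active-mode data channel from port 20: a new SYN
        "server_data_syn": evaluate(acl, tcp(server, 20, outside, 50123, "SYN")),
        # inside web server's reply carries ACK, so 'established' matches
        "server_http_reply": evaluate(acl, tcp(server, 80, outside, 50124, "SYN", "ACK")),
        # passive-mode server replying on a high data port also carries ACK
        "server_pasv_reply": evaluate(acl, tcp(server, 52000, outside, 50125, "SYN", "ACK")),
        "client_telnet_syn": evaluate(acl, tcp(client, 40003, outside, 23, "SYN")),
        "ospf_hello": evaluate(acl, dict(proto="ospf", src="150.100.40.1", dst="224.0.0.5")),
    }


if __name__ == "__main__":
    for name, acl in (("with ftp-data line", ACL_REPLY), ("without", ACL_WITHOUT_FTP_DATA)):
        print(name, active_ftp_cases(acl))
```

Running it prints "permit" for the server's active-mode data SYN only when the "eq ftp-data any" entry is present; with the "established" line alone that SYN falls through to the implicit deny, while the web and passive-FTP replies are permitted either way because they carry ACK.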
