In general when you apply an access list the implicit script at the end of the
access list is "deny any". If you want to allow specific traffic you must
explicitly state it at the end of the access-list statements, which you did.
I'm confused with your use of ip number on the access list, here's what I got:

ip access-list extended denyftp
deny tcp any any eq 21
deny tcp any any eq 20
Also, I would put the source and destination IP in the statement:
deny tcp any 128.0.0.0 0.255.255.255 eq 20
deny tcp any 128.0.0.0 0.255.255.255 eq 21
Also, the default direction on a port interface is "out" if you don't specify
it.
The word "reflective" escapes me. I'm only MCSE + I & CCNA, so my knowledge is
limited.

"Lowenstein, Elise" wrote:

> I am trying to create an access list that will keep people that are not
> within our subnets from
> ftp(ing) to a specific server.
>
> Is it necessary for me to permit the subnets within our domain? Or can I
> just use something like this?
>
> ip access-list extended noftp
>
> deny tcp any any 128.*.*.* 0.0.0.0 eq 20
> deny tcp any any 128.*.*.* 0.0.0.0 eq 21
> permit ip any any
>
> interface ethernet *
> ip access-group noftpweb in
>
> Is it necessary to use a reflexive access list in order to allow internal
> ftp?
>
> thanks,
> Elise
>
> ___________________________________
> UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
> FAQ, list archives, and subscription info: http://www.groupstudy.com
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> ---
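As an added example (not from either poster), a small Python evaluator for the corrected entries in the reply: it applies IOS wildcard-mask matching (0.255.255.255 for the 128.0.0.0/8 range, versus the 0.0.0.0 host mask in the original post), first-match ordering, and the implicit deny at the end, so you can see what the list does with and without the final "permit ip any any". The 10.1.0.0/16 internal subnet is an assumption made up for the demonstration.

```python
import ipaddress

# Minimal first-match evaluator for Cisco-style extended ACL entries:
#   {permit|deny} {tcp|udp|ip} SRC [WILD] DST [WILD] [eq PORT]
# SRC/DST are "any" or "A.B.C.D W.X.Y.Z". Wildcard bits follow IOS: a 0 bit
# must match, a 1 bit is "don't care", so 0.255.255.255 covers 128.0.0.0/8
# while 0.0.0.0 matches exactly one host.

def _parse_addr(tokens, i):
    """Consume 'any' or an address/wildcard pair; return (addr, wild, next_index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return addr, wild, i + 2

def parse_ace(line):
    t = line.split()
    src, swild, i = _parse_addr(t, 2)
    dst, dwild, i = _parse_addr(t, i)
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return t[0], t[1], src, swild, dst, dwild, port

def _match(addr, wild, ip):
    return (int(ipaddress.IPv4Address(ip)) | wild) == (addr | wild)

def evaluate(acl, proto, src_ip, dst_ip, dst_port):
    """Return 'permit' or 'deny' for one packet under first-match semantics."""
    for action, p, src, swild, dst, dwild, port in map(parse_ace, acl):
        if p != "ip" and p != proto:
            continue
        if port is not None and port != dst_port:
            continue
        if _match(src, swild, src_ip) and _match(dst, dwild, dst_ip):
            return action
    return "deny"  # the implicit "deny any" at the end of every IOS access list

# Constructed sample: block FTP control and data to the 128.0.0.0/8 server range
# from anywhere, then permit the rest. Without the last line, the implicit
# deny blocks all other traffic too.
NOFTP = [
    "deny tcp any 128.0.0.0 0.255.255.255 eq 21",
    "deny tcp any 128.0.0.0 0.255.255.255 eq 20",
    "permit ip any any",
]

# Constructed: an assumed internal subnet 10.1.0.0/16 gets FTP permitted
# before the deny entries; order matters because the first match wins.
INTERNAL_FTP_OK = [
    "permit tcp 10.1.0.0 0.0.255.255 128.0.0.0 0.255.255.255 eq 21",
    "permit tcp 10.1.0.0 0.0.255.255 128.0.0.0 0.255.255.255 eq 20",
] + NOFTP
```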
