Nelluri,

Comments embedded:

On 25 Feb 2001, at 19:31, Nelluri Reddy wrote:

> I need some help with IP extended access lists.
> 
> I have an FTP server on the inside and I need to allow access to it
> from the outside. There are two ports used, FTP (20) for control and
> FTP-DATA (21) for the transfer of actual data.

Actually, it's the reverse: 21 for control and 20 for ftp-data.

> 
> When the two sides decide to start data transfer, does the server or
> the client open the data connection (TCP)?

The client always initiates the initial session, although the client 
_application_ could reside on a physical _server_.  IOW, which end 
is the client or server from the perspective of FTP is which end 
initiates the connection to port 21 on the other end.  A physical 
box that you call a server could either wait passively for an FTP 
connection, in which case it is an FTP server, or it could initiate an 
FTP connection to another device, in which case it would be an 
FTP client.


> I assume that in passive
> mode, the client opens the connection and in normal mode, the server
> opens connection.

In passive mode, the FTP-DATA session is opened from the FTP 
client to the FTP server.  In "standard" FTP, the FTP server opens 
an active connection to the FTP client, typically from source port 
20 to a randomly chosen client port.


> How is port FTP-DATA used? Is that port always used
> on the server side?

In standard FTP mode, the server port is usually port 20, although 
it need not be per the RFC.  In passive mode FTP, the server port 
is a randomly chosen high-numbered port.

> 
> access-list 101 permit tcp any host a.b.c.d eq ftp
> access-list 101 permit tcp any host a.b.c.d eq ftp-data
> 
> Will the above work in all cases, where the server has the address
> a.b.c.d?

It depends on how the acl is applied, but typically if you're using 
standard FTP there is no need to specify the FTP-DATA session in 
an inbound acl since a TCP established entry will suffice and is 
usually required for other traffic.  

If you're using passive mode FTP, this would not suffice for an 
inbound acl since the client will initiate a connection to a port 
number which is randomly chosen during the FTP session.  

Of course, you could use CBAC with the firewall feature set to 
ensure that the correct dynamic entries were created for the 
FTP-DATA session.

For further info on the specifics of FTP and other standard TCP/IP 
apps, I highly recommend "TCP/IP Illustrated, Vol. 1" by Richard 
Stevens.

HTH,
Kent

_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
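An added example (not part of the thread above) that models Kent's point as a small IOS-style ACL evaluator: it applies the posted access-list 101, plus the `established` entry he mentions, to constructed inbound packets for active and passive FTP. The client address, port numbers and the passive-mode data port are constructed values; `a.b.c.d` is the placeholder from the thread.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

SERVER = "a.b.c.d"           # placeholder FTP server address from the thread
CLIENT = "198.51.100.7"      # constructed outside client (documentation range)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool           # True for the SYN that opens a new TCP connection

@dataclass(frozen=True)
class Ace:
    dst: Optional[str] = None      # None = "any" host
    dport: Optional[int] = None    # None = any destination port
    established: bool = False      # IOS 'established': ACK or RST set, i.e. not a bare SYN

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.dst is not None and ace.dst != pkt.dst:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    if ace.established and pkt.syn_only:
        return False
    return True

def permitted(acl: List[Ace], pkt: Packet) -> bool:
    # First matching entry wins; no match falls through to the implicit deny.
    return any(ace_matches(ace, pkt) for ace in acl)

# Constructed inbound (outside -> inside) packets for both FTP modes.
INBOUND: Dict[str, Packet] = {
    # client opens the control session to port 21 (both modes)
    "control_syn": Packet(CLIENT, 40001, SERVER, 21, syn_only=True),
    # active mode: server opened data from port 20; this is the client's ACK coming back
    "active_data_ack": Packet(CLIENT, 40002, SERVER, 20, syn_only=False),
    # passive mode: client opens data to the high port the server announced (constructed)
    "passive_data_syn": Packet(CLIENT, 40003, SERVER, 51234, syn_only=True),
}

def evaluate(acl: List[Ace]) -> Dict[str, bool]:
    return {name: permitted(acl, pkt) for name, pkt in INBOUND.items()}

# access-list 101 as posted, plus the 'established' entry Kent refers to
ACL_101 = [Ace(SERVER, 21), Ace(SERVER, 20), Ace(established=True)]
# the same ACL without 'eq ftp-data': active FTP still works via 'established'
ACL_NO_FTPDATA = [Ace(SERVER, 21), Ace(established=True)]
```

Running `evaluate` on either ACL permits the control SYN and the active-mode data ACK but denies the passive-mode data SYN, which is why passive FTP needs CBAC-style dynamic entries rather than a static port.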
