Thank you very much for all your help. I still don't quite understand about the Passive Mode.
The idea of setting up this access-list is for the users to dial in from home and to be able to do FTP to the servers at work. Thanks.

Jill

Jonathan Hays wrote:

> Priscilla Oppenheimer wrote:
> >
> > If it's not passive mode, the data channel is initiated by the server from
> > port 20 (FTP data) to the ephemeral port provided by the client in its PORT
> > command. Ephemeral just means a short-lived port with a number greater than
> > 1023.
> >
> > If it is passive mode, then the data channel is initiated by the client
> > from an ephemeral port to an ephemeral port provided by the server in its
> > PASV command.
> >
> > In other words, access lists with FTP are tricky.
> >
> > Priscilla
> >
> > At 03:14 PM 10/30/01, Jonathan Hays wrote:
> > >Don't we also want an ACL line for the ftp data channel?
> > >
> > >access-list 110 permit tcp any host 192.3.10.10 eq ftp-data
> > >
> > >And if the server is using passive ftp
> > >
> > >access-list 110 permit tcp any host 192.3.10.10 gt 1023 established
>
> Oops, you're right! I'm getting a bit rusty...
>
> The "ftp-data" entry would allow data connections from an external ftp
> server to ftp sessions initiated by the LAN client, which is not what the
> original poster wanted.
>
> However, the "gt 1023 established" entry should allow access for Internet
> clients to the LAN ftp server doing passive ftp. But it does open things up
> a bit too much for the comfort of most paranoid sysadmins.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=24749&t=24525
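Added example, not code from the thread: a small Python model of how the three IOS ACL entries quoted above are evaluated against FTP control and data segments, assuming the list is applied inbound on the dial-in side; the dial-in client, its high ports and the PASV port 2048 are constructed values.

```python
from dataclasses import dataclass

FTP_SERVER = "192.3.10.10"                  # LAN FTP server named in the thread
PORT_NAMES = {"ftp": 21, "ftp-data": 20}    # IOS port keywords used in the entries

@dataclass
class Packet:            # inbound TCP segment; source is "any" in every entry
    dport: int
    ack: bool = False    # True when the TCP ACK (or RST) flag is set
    dst: str = FTP_SERVER

@dataclass
class Ace:
    action: str          # "permit" or "deny"
    dst: str             # host address, or "any"
    op: str              # "eq" or "gt"
    port: int
    established: bool    # IOS 'established' keyword present
    def matches(self, p: Packet) -> bool:
        if self.dst != "any" and p.dst != self.dst:
            return False
        if (self.op == "eq" and p.dport != self.port) or \
           (self.op == "gt" and p.dport <= self.port):
            return False
        # 'established' matches only segments with ACK or RST set, i.e. the
        # return half of a connection; a bare SYN never matches it
        return p.ack if self.established else True

def parse_ace(line: str) -> Ace:
    # Handles only the shape used in the thread:
    # access-list N permit|deny tcp any host ADDR eq|gt PORT [established]
    t = line.split()
    port = PORT_NAMES.get(t[8]) or int(t[8])
    return Ace(t[2], t[6], t[7], port, "established" in t[9:])

def evaluate(acl: list, p: Packet) -> str:
    for ace in acl:                    # first matching entry wins
        if ace.matches(p):
            return ace.action
    return "deny"                      # implicit deny at the end of every ACL

ACL_110 = [parse_ace(l) for l in (
    "access-list 110 permit tcp any host 192.3.10.10 eq ftp",
    "access-list 110 permit tcp any host 192.3.10.10 eq ftp-data",
    "access-list 110 permit tcp any host 192.3.10.10 gt 1023 established",
)]
# Constructed segments arriving from a dial-in client (dport, ack flag):
CONTROL_SYN   = Packet(21)             # client opens the control channel
PASV_DATA_SYN = Packet(2048)           # client connects to the server's PASV port
ACTIVE_RETURN = Packet(20, ack=True)   # client's reply to the server's port-20 connect
ANY_ACK       = Packet(5000, ack=True) # unrelated ACK segment to a high port
```

Evaluating these shows that the passive-mode data SYN is denied, because `established` requires the ACK flag and so admits only the return half of connections the server itself opened, while the unrelated ACK segment to port 5000 is permitted, which is the over-broad behaviour the reply warns about.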