[ Part 1, Text/PLAIN 55 lines. ]
[ Unable to print this part. ]
Thank you very much for all your help.
I still don't quite understand about the Passive Mode.
The idea of setting up this access-list is for the users to dial in from
home and to be able to do FTP to the servers at work.
Thanks.
Jill
Jonathan Hays wrote:
Priscilla Oppenheimer wrote:
> If it's not passive mode, the data channel is initiated by
the server from
> port 20 (FTP data) to the ephemeral port provided by the
client in its PORT
> command. Ephemeral just means a short-lived port with a
number greater than
> 1023.
>
> If it is passive mode, then the data channel is initiated
by the client
> from an ephemeral port to an ephemeral port provided by the
server in its
> PASV command.
>
> In other words, access lists with FTP are tricky.
>
> Priscilla
>
> At 03:14 PM 10/30/01, Jonathan Hays wrote:
> >Don't we also want a ACL line for the ftp data channel?
> >
> >access-list 110 permit tcp any host 192.3.10.10 eq
ftp-data
> >
> >And if the server is using passive ftp
> >
> >access-list 110 permit tcp any host 192.3.10.10 gt 1023
established
Oops, you're right! I'm getting a bit rusty...
The "ftp-data" entry would allow data connections from an
external ftp
server to ftp
sessions initiated by the LAN client which is not what the
original poster
wanted.
However, the "gt 1023 established" entry should allow access
for Internet
clients to the
LAN ftp server doing passive ftp. But it does open things up
a bit too much
for the
comfort of most paranoid sysadmins.
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=24742&t=24525
--------------------------------------------------
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to
[EMAIL PROTECTED]
