This should explain it ...

http://www.cisco.com/warp/public/759/ipj_2-3/ipj_2-3_oneb.html

--
Jay C Creasy
Cisco Certified Network Professional + PIX
Microsoft Certified Professional
Inet Email [EMAIL PROTECTED]
AIM ID HaltItAll
Work # 713-548-3346
Home # 713-263-1939

-----Original Message-----
From: Jill Johnson [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, October 30, 2001 11:25 PM
To: [EMAIL PROTECTED]
Subject: Re: FTP Server [7:24525]



Thank you very much for all your help.

I still don't quite understand about the Passive Mode.

The idea of setting up this access-list is for the users to dial in from
home and to be able to do FTP to the servers at work.

Thanks.

Jill

Jonathan Hays wrote:
      Priscilla Oppenheimer wrote:

      > If it's not passive mode, the data channel is initiated by the server from
      > port 20 (FTP data) to the ephemeral port provided by the client in its PORT
      > command. Ephemeral just means a short-lived port with a number greater than
      > 1023.
      >
      > If it is passive mode, then the data channel is initiated by the client
      > from an ephemeral port to an ephemeral port provided by the server in its
      > PASV command.
      >
      > In other words, access lists with FTP are tricky.
      >
      > Priscilla
      >
      > At 03:14 PM 10/30/01, Jonathan Hays wrote:
      > >Don't we also want an ACL line for the ftp data channel?
      > >
      > >access-list 110 permit tcp any host 192.3.10.10 eq ftp-data
      > >
      > >And if the server is using passive ftp
      > >
      > >access-list 110 permit tcp any host 192.3.10.10 gt 1023 established

      Oops, you're right! I'm getting a bit rusty...

      The "ftp-data" entry would allow data connections from an external ftp
      server to ftp sessions initiated by the LAN client, which is not what the
      original poster wanted.

      However, the "gt 1023 established" entry should allow access for Internet
      clients to the LAN ftp server doing passive ftp. But it does open things up
      a bit too much for the comfort of most paranoid sysadmins.
      [EMAIL PROTECTED]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=24858&t=24525
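To make the active/passive distinction and the two ACL 110 lines from the quoted thread concrete, here is an added example (not code from the thread or from Cisco) that evaluates those lines against the data-channel packets each mode sends toward the LAN server. It assumes ACL 110 is applied inbound on the Internet-facing interface; the client address and the ephemeral/PASV port numbers are constructed.

```python
# Added example, not from the thread: evaluate the two ACL 110 lines quoted
# above against the FTP data-channel packets that arrive from the Internet
# side. Assumes ACL 110 is applied inbound on the Internet-facing interface.
from dataclasses import dataclass

SERVER = "192.3.10.10"   # LAN ftp server named in the thread
CLIENT = "198.51.100.7"  # constructed address of a dial-in client

@dataclass(frozen=True)
class Pkt:
    src: str; sport: int; dst: str; dport: int
    ack: bool  # False only for the connection-opening SYN

@dataclass(frozen=True)
class Ace:
    """permit tcp any host <dst> {eq|gt} <port> [established]"""
    dst: str; op: str; port: int; established: bool = False

    def matches(self, p: Pkt) -> bool:
        if p.dst != self.dst:
            return False
        if self.op == "eq" and p.dport != self.port:
            return False
        if self.op == "gt" and p.dport <= self.port:
            return False
        # IOS 'established' matches only segments with ACK or RST set,
        # so it never matches the SYN that opens a new connection.
        return p.ack or not self.established

ACL_110 = [Ace(SERVER, "eq", 20),            # ... eq ftp-data
           Ace(SERVER, "gt", 1023, True)]    # ... gt 1023 established

def permitted(acl, p):
    return any(a.matches(p) for a in acl)

def inbound_data_packets(mode, client_port=40001, pasv_port=50002):
    """active: server:20 -> client:PORT, so only the client's replies arrive
    inbound; passive: client:ephemeral -> server:PASV port, so the SYN itself
    arrives inbound. Port numbers are constructed."""
    if mode == "active":
        return {"reply": Pkt(CLIENT, client_port, SERVER, 20, True)}
    return {"syn": Pkt(CLIENT, client_port, SERVER, pasv_port, False),
            "data": Pkt(CLIENT, client_port, SERVER, pasv_port, True)}

def evaluate(mode):
    return {n: permitted(ACL_110, p) for n, p in inbound_data_packets(mode).items()}
```

Running `evaluate("passive")` shows the opening SYN of the passive data channel is not matched by the `gt 1023 established` line, since that keyword only passes segments that already carry ACK or RST; permitting the SYN means dropping `established` (the "opens things up" concern) or using stateful inspection instead of a plain ACL.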