Priscilla Oppenheimer wrote:
> From a book that I am working on. The figures would help, but you'll have
> to buy the book for that! ;-)
Thanks. Good info! And a good reminder for people like me who have been working on non-Cisco projects and are getting rusty on our access list skills. 8-)

For closure (often synonymous with "getting the last word") I will work through the typical FTP access list entries in light of Priscilla's excellent description. Experienced folks will probably be bored reading this and I tend to be repetitive for the sake of beginners (but I welcome comments of any type from anyone).

Recall that our scenario involves giving Internet users access to the FTP server sitting on our LAN. Let's assume the access list will be applied with "access-group in" to the router's WAN connection, say serial 0.

Let's start with the Active mode case. Referring to Priscilla's description, in step 1 the FTP conversation is initiated from the Internet client using an ephemeral source port (greater than 1023) to the FTP server (192.3.10.10) listening on port 21 (destination port). Since we need to allow that first TCP SYN to come through we cannot use the "established" keyword. The "any" in our access list is for the Internet client and "192.3.10.10" is the FTP server. The first access list entry is

    access-list 110 permit tcp any gt 1023 host 192.3.10.10 eq 21

Now for the FTP data connection. In step 4 the client sends the PORT command to the FTP server along with the ephemeral port number to be used for the FTP data (port 20) connection. In step 5 the FTP server on the LAN initiates the TCP connection (SYN) to the Internet-based client. This initial packet will not need an access list entry since there is no access list on packets going _out_ serial 0, only for those coming in. However, we must let the client SYN ACK response through (and other port 20 packets from the Internet). At this point, the client's packets will obviously have the ACK (or RST) bit set and will use source port gt 1023, destination port 20. The necessary access list entry is

    access-list 110 permit tcp any gt 1023 host 192.3.10.10 eq 20 established

In the case of Passive mode, the client initiates the data connection so we can't use the "established" keyword, as I mistakenly did in a previous post. In passive mode step 4 the Internet client issues the PASV command and the server supplies an ephemeral port to initiate the connection. To let this packet into serial 0 on our router the access list entry is

    access-list 110 permit tcp any gt 1023 host 192.3.10.10 gt 1023

-----

Let's look at the reverse scenario, which is also very common. Suppose we were trying to allow FTP access from clients on an internal network (say 192.3.10.0/24) to FTP servers outside on the Internet. Let's keep our focus on the packets coming in and use the same "access-group in" on serial 0 as before. In this case "any" refers to the responding Internet FTP servers and "192.3.10.0 0.0.0.255" refers to the initiating FTP clients on our LAN. The access lists would look like this

    access-list 110 permit tcp any eq 21 192.3.10.0 0.0.0.255 gt 1023 established
    access-list 110 permit tcp any eq 20 192.3.10.0 0.0.0.255 gt 1023
    access-list 110 permit tcp any gt 1023 192.3.10.0 0.0.0.255 gt 1023 established

Compared to the previous scenario, notice that the source and destination haven't changed (although I changed "host 192.3.10.10" to "192.3.10.0 0.0.0.255") but the ports are swapped between source and destination in each access list. Also, the lack of or existence of the "established" keyword is reversed. In the first list entry the client on the LAN has initiated the connection and we need to allow FTP control (port 21) packets from Internet FTP servers through if they have the ACK or RST bit set. The second entry allows the FTP server to initiate a data connection (source port 20) to the client's ephemeral port on the LAN, so we drop the "established" keyword.
For the third entry, since the client is initiating passive mode FTP we let "established" FTP data connection packets from the server through.

Hope no one fell asleep. ;-)

Jonathan

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=24906&t=24525
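To see how the entries above actually treat individual packets, here is a small Python evaluator of Cisco-style extended TCP ACL semantics (source/destination with "host" or wildcard masks, eq/gt/lt port operators, "established" meaning ACK or RST set, first match wins, implicit deny). It is an added example, not code from the post or from IOS; the client address 198.51.100.7 used in the checks is constructed. Running the three inbound entries from the server-on-LAN scenario against sample packets shows why the port 20 entry needs "established" and that the passive-mode entry admits any high-port SYN to the server, not only FTP data.

```python
# Constructed evaluator for Cisco-style extended TCP ACL entries (added example, not IOS code).
from collections import namedtuple
Packet = namedtuple("Packet", "src sport dst dport flags")  # flags: set of TCP flag names

def _addr_match(spec, ip):
    """spec is 'any', 'host A.B.C.D' or 'A.B.C.D wildcard-mask'."""
    if spec == "any":
        return True
    kind, arg = spec.split()
    if kind == "host":
        return ip == arg
    octets = lambda s: [int(x) for x in s.split(".")]
    # wildcard bit 1 = don't care, so compare only where the mask bit is 0
    return all(((n ^ a) & ~w & 0xFF) == 0
               for n, a, w in zip(octets(kind), octets(ip), octets(arg)))
def _port_match(op, value, port):  # op is None (any port), 'eq', 'gt' or 'lt'
    return op is None or {"eq": port == value, "gt": port > value, "lt": port < value}[op]
def parse_ace(line):
    """Parse 'access-list N permit|deny tcp SRC [op port] DST [op port] [established]'."""
    tok, i = line.split(), 4  # skip 'access-list', number, action, protocol
    def take_addr():
        nonlocal i
        n = 1 if tok[i] == "any" else 2  # 'any' | 'host A' | 'A wildcard'
        i += n
        return " ".join(tok[i - n:i])
    def take_port():
        nonlocal i
        if i < len(tok) and tok[i] in ("eq", "gt", "lt"):
            i += 2
            return tok[i - 2], int(tok[i - 1])
        return None, None
    # tuple elements are evaluated left to right, so i is advanced before the final check
    return (tok[2], take_addr(), take_port(), take_addr(), take_port(),
            i < len(tok) and tok[i] == "established")
def acl_decision(acl_lines, pkt):
    """First matching entry wins; the implicit deny at the end mirrors IOS; 'established' = ACK or RST set."""
    for action, src, sport, dst, dport, est in map(parse_ace, acl_lines):
        if (_addr_match(src, pkt.src) and _addr_match(dst, pkt.dst)
                and _port_match(*sport, pkt.sport) and _port_match(*dport, pkt.dport)
                and (not est or pkt.flags & {"ACK", "RST"})):
            return action
    return "deny"

# The three entries from the post, applied inbound on serial 0 (FTP server on the LAN).
INBOUND_SERIAL0 = [
    "access-list 110 permit tcp any gt 1023 host 192.3.10.10 eq 21",
    "access-list 110 permit tcp any gt 1023 host 192.3.10.10 eq 20 established",
    "access-list 110 permit tcp any gt 1023 host 192.3.10.10 gt 1023",
]
```

For example, `acl_decision(INBOUND_SERIAL0, Packet("198.51.100.7", 40001, "192.3.10.10", 20, {"SYN"}))` returns "deny" (a bare SYN to port 20 from outside), while the same packet with the ACK bit set returns "permit"; a SYN to port 8080 on the server returns "permit" through the passive-mode entry.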