Thanks for carrying it through. It's very helpful.

And to reiterate what you said in your first message, this one (for passive 
mode when the 192.3.10.10 server is on the local network) is risky because 
it has to be non-specific:

access-list 110 permit tcp any gt 1023 host 192.3.10.10 gt 1023

So maybe it's best to tell the users not to use passive mode. But then they 
better not have personal firewalls that don't allow the session setup from 
the server! I have actually run into situations where there were so many 
firewalls (network-wide and personal) that we couldn't use FTP. We used AFP 
over TCP instead. (Which, by the way, is much more secure for another reason: 
it encrypts a random number provided by the server with the password. FTP 
sends the password in clear text.)

Anyway, thanks again.

Priscilla

At 12:49 AM 11/1/01, Jonathan Hays wrote:
> Priscilla Oppenheimer wrote:
>
> > From a book that I am working on. The figures would help, but you'll
> > have to buy the book for that! ;-)
>
> Thanks. Good info! And a good reminder for people like me who have been
> working on non-Cisco projects and are getting rusty on our access list
> skills.  8-)
>
> For closure (often synonymous with "getting the last word") I will work
> through the typical FTP access list entries in light of Priscilla's
> excellent description. Experienced folks will probably be bored reading
> this and I tend to be repetitive for the sake of beginners (but I welcome
> comments of any type from anyone).
>
> Recall that our scenario involves giving Internet users access to the FTP
> server sitting on our LAN. Let's assume the access list will be applied
> with "access-group in" to the router's WAN connection, say serial 0.
>
> Let's start with the Active mode case.
>
> Referring to Priscilla's description, in step 1 the FTP conversation is
> initiated from the Internet client using an ephemeral source port (greater
> than 1023) to the FTP server (192.3.10.10) listening on port 21
> (destination port). Since we need to allow that first TCP SYN to come
> through we cannot use the "established" keyword. The "any" in our access
> list is for the Internet client and "192.3.10.10" is the FTP server. The
> first access list entry is
>
> access-list 110 permit tcp any gt 1023 host 192.3.10.10 eq 21
>
> Now for the ftp data connection. In step 4 the client sends the PORT
> command to the FTP server along with the ephemeral port number to be used
> for the FTP data (port 20) connection. In step 5 the FTP server on the LAN
> initiates the TCP connection (SYN) to the Internet-based client. This
> initial packet will not need an access list entry since there is no access
> list on packets going _out_ serial 0, only for those coming in. However,
> we must let the client SYN ACK response through (and other port 20 packets
> from the Internet). At this point, the client's packets will obviously
> have the ACK (or RST) bit set and will use source port gt 1023,
> destination port 20. The necessary access list entry is
>
> access-list 110 permit tcp any gt 1023 host 192.3.10.10 eq 20 established
>
> In the case of Passive mode, the client initiates the data connection so
> we can't use the "established" keyword, as I mistakenly did in a previous
> post. In passive mode step 4 the Internet client issues the PASV command
> and the server supplies an ephemeral port to initiate the connection. To
> let this packet into serial 0 on our router the access list entry is
>
> access-list 110 permit tcp any gt 1023 host 192.3.10.10 gt 1023
>
> -----
> Let's look at the reverse scenario, which is also very common. Suppose we
> were trying to allow FTP access from clients on an internal network (say
> 192.3.10.0/24) to FTP servers outside on the Internet. Let's keep our
> focus on the packets coming in and use the same "access-group in" on
> serial 0 as before. In this case "any" refers to the responding Internet
> FTP servers and "192.3.10.0 0.0.0.255" refers to the initiating FTP
> clients on our LAN. The access lists would look like this
>
> access-list 110 permit tcp any eq 21 192.3.10.0 0.0.0.255 gt 1023 established
> access-list 110 permit tcp any eq 20 192.3.10.0 0.0.0.255 gt 1023
> access-list 110 permit tcp any gt 1023 192.3.10.0 0.0.0.255 gt 1023 established
>
> Compared to the previous scenario, notice that the source and destination
> haven't changed (although I changed "host 192.3.10.10" to
> "192.3.10.0 0.0.0.255") but the ports are swapped between source and
> destination in each access list. Also, the lack of or existence of the
> "established" keyword is reversed.
>
> In the first list entry the client on the LAN has initiated the connection
> and we need to allow FTP control (port 21) packets from Internet FTP
> servers through if they have the ACK or RST bit set. The second entry
> allows the FTP server to initiate a data connection (source port 20) to
> the client's ephemeral port on the LAN, so we drop the "established"
> keyword. For the third entry, since the client is initiating passive mode
> FTP we let "established" FTP data connection packets from the server
> through.
>
> Hope no one fell asleep.  ;-)
>
> Jonathan
________________________

Priscilla Oppenheimer
http://www.priscilla.com
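As an added illustration (not part of either post above, and not Cisco code), here is a small Python model of the extended-ACL entries quoted in the thread. It parses the `access-list 110 permit tcp ...` lines exactly as written, applies first-match semantics with the implicit deny at the end, and runs constructed sample packets through them: the inbound packets of an active-mode and a passive-mode session in the Internet-to-LAN-server scenario, plus the reverse LAN-clients-to-Internet scenario. It only models the syntax subset the thread uses (`any`, `host`, address plus wildcard, `eq`/`gt`/`lt`, `established`), and the client addresses (203.0.113.5, 198.51.100.9) and port numbers are constructed for the example. The last sample packet in `server_scenario` shows concretely what Priscilla means by the passive-mode entry being non-specific: it admits a fresh SYN to any port above 1023 on the server, not just the one the PASV reply announced.

```python
"""Toy evaluator for the IOS-style extended ACL entries quoted in the thread.

Added example, not from the original posts.  Models only the syntax subset
used there; real IOS behaviour outside that subset is not represented.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """One inbound TCP packet as the router sees it (constructed sample data)."""
    src: str
    sport: int
    dst: str
    dport: int
    ack_or_rst: bool  # False only for the first SYN of a connection


@dataclass(frozen=True)
class Entry:
    action: str
    src_net: ipaddress.IPv4Network
    src_op: Optional[Tuple[str, int]]  # ("eq"|"gt"|"lt", port) or None = any port
    dst_net: ipaddress.IPv4Network
    dst_op: Optional[Tuple[str, int]]
    established: bool
    text: str


def _addr(t, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at t[i]."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(t[i + 1]))        # 0.0.0.255 -> 255
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)  # -> 255.255.255.0
    return ipaddress.ip_network(f"{t[i]}/{netmask}", strict=False), i + 2


def _port_op(t, i):
    """Parse an optional 'eq N' / 'gt N' / 'lt N' at t[i]."""
    if i < len(t) and t[i] in ("eq", "gt", "lt"):
        return (t[i], int(t[i + 1])), i + 2
    return None, i


def parse_entry(line: str) -> Entry:
    t = line.split()
    if t[0] != "access-list" or t[3] != "tcp":
        raise ValueError("only 'access-list N permit|deny tcp ...' is modelled: " + line)
    src_net, i = _addr(t, 4)
    src_op, i = _port_op(t, i)
    dst_net, i = _addr(t, i)
    dst_op, i = _port_op(t, i)
    if t[i:] not in ([], ["established"]):
        raise ValueError("unsupported trailing keywords: " + line)
    return Entry(t[2], src_net, src_op, dst_net, dst_op, bool(t[i:]), line)


def _port_ok(op, port):
    if op is None:
        return True
    name, n = op
    return {"eq": port == n, "gt": port > n, "lt": port < n}[name]


def matches(e: Entry, p: Packet) -> bool:
    # "established" matches only packets carrying ACK or RST, i.e. never the first SYN
    return (ipaddress.IPv4Address(p.src) in e.src_net
            and ipaddress.IPv4Address(p.dst) in e.dst_net
            and _port_ok(e.src_op, p.sport) and _port_ok(e.dst_op, p.dport)
            and (p.ack_or_rst or not e.established))


def evaluate(acl, p: Packet):
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    for e in acl:
        if matches(e, p):
            return e.action, e.text
    return "deny", "implicit deny"


# Entries quoted in the thread, applied inbound on serial 0.
SERVER_ACL = [parse_entry(l) for l in [   # Internet clients -> FTP server on the LAN
    "access-list 110 permit tcp any gt 1023 host 192.3.10.10 eq 21",
    "access-list 110 permit tcp any gt 1023 host 192.3.10.10 eq 20 established",
    "access-list 110 permit tcp any gt 1023 host 192.3.10.10 gt 1023",
]]
CLIENT_ACL = [parse_entry(l) for l in [   # LAN clients -> FTP servers on the Internet
    "access-list 110 permit tcp any eq 21 192.3.10.0 0.0.0.255 gt 1023 established",
    "access-list 110 permit tcp any eq 20 192.3.10.0 0.0.0.255 gt 1023",
    "access-list 110 permit tcp any gt 1023 192.3.10.0 0.0.0.255 gt 1023 established",
]]

CLIENT = "203.0.113.5"   # constructed Internet client address (documentation range)
SERVER = "192.3.10.10"   # the FTP server from the thread


def server_scenario():
    """Inbound packets for each step of the thread's first scenario -> permit/deny."""
    pkts = {
        "active: client SYN to control port 21": Packet(CLIENT, 40000, SERVER, 21, False),
        "active: client SYN/ACK answering server's port-20 connect": Packet(CLIENT, 40001, SERVER, 20, True),
        "passive: client SYN to the ephemeral port from the PASV reply": Packet(CLIENT, 40002, SERVER, 50000, False),
        "side effect: client SYN to any other port above 1023 on the server": Packet(CLIENT, 40003, SERVER, 8080, False),
    }
    return {k: evaluate(SERVER_ACL, p)[0] for k, p in pkts.items()}


if __name__ == "__main__":
    for k, v in server_scenario().items():
        print(f"{v:6}  {k}")
    print("without the passive entry, the side-effect SYN is:",
          evaluate(SERVER_ACL[:2], Packet(CLIENT, 40003, SERVER, 8080, False))[0])
```

Running it shows all four packets in `server_scenario` permitted, the last one only because of the third entry; dropping that entry (`SERVER_ACL[:2]`) denies both the passive-mode data SYN and the unrelated high-port SYN, which is the trade-off Priscilla describes. In the reverse scenario the third entry carries `established`, so an unsolicited SYN from the Internet to a LAN client's high port is denied while the server's port-20 active-mode connect is still let in.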




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=24968&t=24525