Priscilla,

So you used AFP instead of FTP. Do you mind sending the info on AFP such
as vendor name, web site, phone number, etc.?

Thanks.

Jill

""Priscilla Oppenheimer""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> Thanks for carrying it through. It's very helpful.
>
> And to reiterate what you said in your first message, this one (for passive
> mode when the 192.3.10.10 server is on the local network) is risky because
> it has to be non-specific:
>
> access-list 110 permit tcp any gt 1023 host 192.3.10.10 gt 1023
>
> So maybe it's best to tell the users not to use passive mode. But then they
> better not have personal firewalls that don't allow the session setup from
> the server! I have actually run into situations where there were so many
> firewalls (network-wide and personal) that we couldn't use FTP. We used AFP
> over TCP instead. (which by the way is much more secure for another reason,
> which is that it encrypts a random number provided by the server with the
> password. FTP sends the password in clear text.)
>
> Anyway, thanks again.
>
> Priscilla
>
> At 12:49 AM 11/1/01, Jonathan Hays wrote:
> >Priscilla Oppenheimer wrote:
> >
> > > From a book that I am working on. The figures would help, but you'll have
> > > to buy the book for that! ;-)
> >
> >Thanks. Good info! And a good reminder for people like me who have been
> >working on non-Cisco projects and are getting rusty on our access list
> >skills.  8-)
> >
> >For closure (often synonymous with "getting the last word"   ) I will work
> >through the typical FTP access list entries in light of Priscilla's excellent
> >description. Experienced folks will probably be bored reading this and I tend
> >to be repetitive for the sake of beginners (but I welcome comments of any type
> >from anyone).
> >
> >Recall that our scenario involves giving Internet users access to the FTP
> >server sitting on our LAN. Let's assume the access list will be applied with
> >"access-group in" to the router's WAN connection, say serial 0.
> >
> >Let's start with the Active mode case.
> >
> >Referring to Priscilla's description, in step 1 the FTP conversation is
> >initiated from the Internet client using an ephemeral source port (greater
> >than 1023) to the FTP server (192.3.10.10) listening on port 21 (destination
> >port). Since we need to allow that first TCP SYN to come through we cannot
> >use the "established" keyword. The "any" in our access list is for the
> >Internet client and "192.3.10.10" is the FTP server. The first access list
> >entry is
> >
> >access-list 110 permit tcp any gt 1023 host 192.3.10.10 eq 21
> >
> >Now for the ftp data connection. In step 4 the client sends the PORT command
> >to the FTP server along with the ephemeral port number to be used for the FTP
> >data (port 20) connection. In step 5 the FTP server on the LAN initiates the
> >TCP connection (SYN) to the Internet-based client. This initial packet will
> >not need an access list entry since there is no access list on packets going
> >_out_ serial 0, only for those coming in. However, we must let the client SYN
> >ACK response through (and other port 20 packets from the Internet). At this
> >point, the client's packets will obviously have the ACK (or RST) bit set and
> >will use source port gt 1023, destination port 20. The necessary access list
> >entry is
> >
> >access-list 110 permit tcp any gt 1023 host 192.3.10.10 eq 20 established
> >
> >In the case of Passive mode, the client initiates the data connection so we
> >can't use the "established" keyword, as I mistakenly did in a previous post.
> >In passive mode step 4 the Internet client issues the PASV command and the
> >server supplies an ephemeral port to initiate the connection. To let this
> >packet into serial 0 on our router the access list entry is
> >
> >access-list 110 permit tcp any gt 1023 host 192.3.10.10 gt 1023
> >
> >-----
> >Let's look at the reverse scenario, which is also very common. Suppose we
> >were trying to allow FTP access from clients on an internal network (say
> >192.3.10.0/24) to FTP servers outside on the Internet. Let's keep our focus
> >on the packets coming in and use the same "access-group in" on serial 0 as
> >before. In this case "any" refers to the responding Internet FTP servers and
> >"192.3.10.0  0.0.0.255" refers to the initiating FTP clients on our LAN. The
> >access lists would look like this
> >
> >access-list 110 permit tcp any  eq 21 192.3.10.0 0.0.0.255 gt 1023 established
> >access-list 110 permit tcp any  eq 20 192.3.10.0 0.0.0.255 gt 1023
> >access-list 110 permit tcp any gt 1023 192.3.10.0 0.0.0.255  gt 1023 established
> >
> >Compared to the previous scenario, notice that the source and destination
> >haven't changed (although I changed "host 192.3.10.10" to "192.3.10.0
> >0.0.0.255") but the ports are swapped between source and destination in each
> >access list. Also, the lack of or existence of the "established" keyword is
> >reversed.
> >
> >In the first list entry the client on the LAN has initiated the connection
> >and we need to allow FTP control (port 21) packets from Internet FTP servers
> >through if they have the ACK or RST bit set. The second entry allows the FTP
> >server to initiate a data connection (source port 20) to the client's
> >ephemeral port on the LAN, so we drop the "established" keyword. For the
> >third entry, since the client is initiating passive mode FTP we let
> >"established" FTP data connection packets from the server through.
> >
> >Hope no one fell asleep.  ;-)
> >
> >Jonathan
> ________________________
>
> Priscilla Oppenheimer
> http://www.priscilla.com
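As an added illustration (not code from the thread, from Cisco, or from any of its authors), the Python below models how the router would evaluate the thread's `access-list 110` entries on packets arriving inbound on serial 0: `host` and wildcard-mask address specs, `eq`/`gt` port operators, `established` as "ACK or RST bit set", and the implicit deny at the end of the list. The packets fed to it are constructed, and the checks show why the passive-mode entry is the broad one: it also admits a SYN to any server port above 1023, not just the FTP data port the server handed out.

```python
from ipaddress import ip_address, ip_network
def _take_addr(tokens):
    """Consume one Cisco address spec: 'any', 'host A', or 'A WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return None                                  # None = matches every address
    if t == "host":
        return ip_network(tokens.pop(0) + "/32")
    return ip_network(t + "/" + tokens.pop(0))       # ipaddress accepts a wildcard (host) mask

def _take_port(tokens):
    """Consume an optional 'eq N' / 'gt N' port operator; None = any port."""
    if tokens and tokens[0] in ("eq", "gt"):
        return tokens.pop(0), int(tokens.pop(0))
    return None

def parse_ace(line):
    """Parse the 'access-list N permit tcp ...' subset used in the thread into a dict."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] != "permit" or t[3] != "tcp":
        raise ValueError("only 'access-list N permit tcp ...' entries are modelled")
    rest = t[4:]
    src, sport = _take_addr(rest), _take_port(rest)  # tuple elements evaluate left to right
    dst, dport = _take_addr(rest), _take_port(rest)
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "established": bool(rest) and rest[0] == "established"}

def _port_ok(spec, port):
    return spec is None or (port == spec[1] if spec[0] == "eq" else port > spec[1])
def ace_matches(ace, pkt):
    """pkt = (src_ip, src_port, dst_ip, dst_port, set of TCP flag names); packets are constructed."""
    src, sport, dst, dport, flags = pkt
    if ace["established"] and not (flags & {"ACK", "RST"}):
        return False                                 # 'established' needs ACK or RST set
    return ((ace["src"] is None or ip_address(src) in ace["src"]) and _port_ok(ace["sport"], sport)
            and (ace["dst"] is None or ip_address(dst) in ace["dst"]) and _port_ok(ace["dport"], dport))

def first_match(acl, pkt):
    """Index of the first permitting entry, or None for the implicit deny at the end."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return i
    return None
# The three entries from the thread for Internet clients reaching the LAN server 192.3.10.10.
INBOUND_TO_SERVER = [parse_ace(l) for l in (
    "access-list 110 permit tcp any gt 1023 host 192.3.10.10 eq 21",
    "access-list 110 permit tcp any gt 1023 host 192.3.10.10 eq 20 established",
    "access-list 110 permit tcp any gt 1023 host 192.3.10.10 gt 1023",
)]
```

The same parser accepts the reverse-scenario list (wildcard `192.3.10.0 0.0.0.255`), so both lists in the thread can be checked against sample packets.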




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=25002&t=24525