Thank you very much, Priscilla.

We have a lot of Mac users. But, I am not fond of Macs. I tried to learn,
but can never remember anything about the Macs. Thanks again.

Jill

Priscilla Oppenheimer wrote:

> It's Apple Filing Protocol (used to be called AppleTalk Filing Protocol).
> It's built into Macintoshes. Third-party vendors such as Thursby Systems
> have it for PCs. It's a typical client/server file sharing solution.
>
> It's not really a great solution unless you have a lot of Macs. Well,
> technically, it is a good solution, but for the PCs you would have to buy
> the software (~$180) and PC bigots might object (just out of ignorance
> though! ;-]
>
> But there are other alternatives to FTP. You could use the built-in PC file
> sharing SMB over TCP/IP. You could use WebDav.
>
> But, to be honest, FTP is pretty ingrained, despite its shortcomings.
> Replacing it could be a hard sell.
>
> Priscilla
>
> At 12:27 AM 11/2/01, J. Johnson wrote:
> >Priscilla,
> >
> >So you used AFP instead of FTP.   Do you mind sending the info on AFP such
> >as vendor name,  web site, phone number, etc.?
> >
> >Thanks.
> >
> >Jill
> >
> >"Priscilla Oppenheimer" wrote in message news:[EMAIL PROTECTED]...
> > > Thanks for carrying it through. It's very helpful.
> > >
> > > And to reiterate what you said in your first message, this one (for
> > > passive mode when the 192.3.10.10 server is on the local network) is
> > > risky because it has to be non-specific:
> > >
> > > access-list 110 permit tcp any gt 1023 host 192.3.10.10 gt 1023
> > >
> > > So maybe it's best to tell the users not to use passive mode. But then
> > > they better not have personal firewalls that don't allow the session
> > > setup from the server! I have actually run into situations where there
> > > were so many firewalls (network-wide and personal) that we couldn't use
> > > FTP. We used AFP over TCP instead. (which by the way is much more secure
> > > for another reason, which is that it encrypts a random number provided
> > > by the server with the password. FTP sends the password in clear text.)
> > >
> > > Anyway, thanks again.
> > >
> > > Priscilla
> > >
> > > At 12:49 AM 11/1/01, Jonathan Hays wrote:
> > > >Priscilla Oppenheimer wrote:
> > > >
> > > > > From a book that I am working on. The figures would help, but
> > > > > you'll have to buy the book for that! ;-)
> > > >
> > > >
> > > >
> > > >Thanks. Good info! And a good reminder for people like me who have
> > > >been working on non-Cisco projects and are getting rusty on our access
> > > >list skills. 8-)
> > > >
> > > >For closure (often synonymous with "getting the last word") I will
> > > >work through the typical FTP access list entries in light of
> > > >Priscilla's excellent description. Experienced folks will probably be
> > > >bored reading this and I tend to be repetitive for the sake of
> > > >beginners (but I welcome comments of any type from anyone).
> > > >
> > > >Recall that our scenario involves giving Internet users access to the
> > > >FTP server sitting on our LAN. Let's assume the access list will be
> > > >applied with "access-group in" to the router's WAN connection, say
> > > >serial 0.
> > > >
> > > >Let's start with the Active mode case.
> > > >
> > > >Referring to Priscilla's description, in step 1 the FTP conversation
> > > >is initiated from the Internet client using an ephemeral source port
> > > >(greater than 1023) to the FTP server (192.3.10.10) listening on port
> > > >21 (destination port). Since we need to allow that first TCP SYN to
> > > >come through we cannot use the "established" keyword. The "any" in
> > > >our access list is for the Internet client and "192.3.10.10" is the
> > > >FTP server. The first access list entry is
> > > >
> > > >access-list 110 permit tcp any gt 1023 host 192.3.10.10 eq 21
> > > >
> > > >Now for the FTP data connection. In step 4 the client sends the PORT
> > > >command to the FTP server along with the ephemeral port number to be
> > > >used for the FTP data (port 20) connection. In step 5 the FTP server
> > > >on the LAN initiates the TCP connection (SYN) to the Internet-based
> > > >client. This initial packet will not need an access list entry since
> > > >there is no access list on packets going _out_ serial 0, only for
> > > >those coming in. However, we must let the client SYN ACK response
> > > >through (and other port 20 packets from the Internet). At this point,
> > > >the client's packets will obviously have the ACK (or RST) bit set and
> > > >will use source port gt 1023, destination port 20. The necessary
> > > >access list entry is
> > > >
> > > >access-list 110 permit tcp any gt 1023 host 192.3.10.10 eq 20 established
> > > >
> > > >In the case of Passive mode, the client initiates the data connection
> > > >so we can't use the "established" keyword, as I mistakenly did in a
> > > >previous post. In passive mode step 4 the Internet client issues the
> > > >PASV command and the server supplies an ephemeral port to initiate
> > > >the connection. To let this packet into serial 0 on our router the
> > > >access list entry is
> > > >
> > > >access-list 110 permit tcp any gt 1023 host 192.3.10.10 gt 1023
> > > >
> > > >-----
> > > >Let's look at the reverse scenario, which is also very common. Suppose
> > > >we were trying to allow FTP access from clients on an internal network
> > > >(say 192.3.10.0/24) to FTP servers outside on the Internet. Let's keep
> > > >our focus on the packets coming in and use the same "access-group in"
> > > >on serial 0 as before. In this case "any" refers to the responding
> > > >Internet FTP servers and "192.3.10.0 0.0.0.255" refers to the
> > > >initiating FTP clients on our LAN. The access lists would look like
> > > >this
> > > >
> > > >access-list 110 permit tcp any eq 21 192.3.10.0 0.0.0.255 gt 1023 established
> > > >access-list 110 permit tcp any eq 20 192.3.10.0 0.0.0.255 gt 1023
> > > >access-list 110 permit tcp any gt 1023 192.3.10.0 0.0.0.255 gt 1023 established
> > > >
> > > >Compared to the previous scenario, notice that the source and
> > > >destination haven't changed (although I changed "host 192.3.10.10" to
> > > >"192.3.10.0 0.0.0.255") but the ports are swapped between source and
> > > >destination in each access list. Also, the lack of or existence of
> > > >the "established" keyword is reversed.
> > > >
> > > >In the first list entry the client on the LAN has initiated the
> > > >connection and we need to allow FTP control (port 21) packets from
> > > >Internet FTP servers through if they have the ACK or RST bit set. The
> > > >second entry allows the FTP server to initiate a data connection
> > > >(source port 20) to the client's ephemeral port on the LAN, so we
> > > >drop the "established" keyword. For the third entry, since the client
> > > >is initiating passive mode FTP we let "established" FTP data
> > > >connection packets from the server through.
> > > >
> > > >Hope no one fell asleep.  ;-)
> > > >
> > > >Jonathan
> > > ________________________
> > >
> > > Priscilla Oppenheimer
> > > http://www.priscilla.com
> ________________________
>
> Priscilla Oppenheimer
> http://www.priscilla.com
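The access-list walk-through quoted above, and Priscilla's remark that the passive-mode entry is risky because it has to be non-specific, can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small evaluator for the IOS-style extended access-list lines exactly as Jonathan wrote them, applied with first-match and implicit-deny semantics to constructed TCP headers. The client address 203.0.113.5, the ports, and the narrowed "range 50000 50100" variant are all assumptions for illustration; the narrowed entry only helps if the FTP server itself is configured to hand out passive ports from that range.

```python
"""Added example (not from the thread): evaluate the posted IOS access-list
entries against constructed FTP packets. Shows why "established" blocks a bare
SYN, and how broad the passive-mode "gt 1023 ... gt 1023" entry is compared
with a narrowed range that matches the server's configured passive ports."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional, Tuple

PortMatch = Optional[Tuple[str, int, int]]   # (operator, low, high); None = any port


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # ACK bit: set on everything after the opening SYN
    rst: bool = False


@dataclass(frozen=True)
class Ace:
    action: str
    src_net: IPv4Network
    sport: PortMatch
    dst_net: IPv4Network
    dport: PortMatch
    established: bool

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in self.src_net or ip_address(p.dst) not in self.dst_net:
            return False
        if not (_port_ok(self.sport, p.sport) and _port_ok(self.dport, p.dport)):
            return False
        # IOS "established" = ACK or RST bit set, i.e. not a bare SYN opening a connection
        return not self.established or p.ack or p.rst


def _port_ok(m: PortMatch, port: int) -> bool:
    if m is None:
        return True
    op, lo, hi = m
    return {"eq": port == lo, "neq": port != lo, "gt": port > lo,
            "lt": port < lo, "range": lo <= port <= hi}[op]


def _take_addr(t: List[str], i: int) -> Tuple[IPv4Network, int]:
    if t[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ip_network(t[i + 1] + "/32"), i + 2
    # "network wildcard" form; ipaddress accepts a wildcard (host) mask after the slash
    return ip_network(f"{t[i]}/{t[i + 1]}"), i + 2


def _take_port(t: List[str], i: int) -> Tuple[PortMatch, int]:
    if i < len(t) and t[i] in ("eq", "neq", "gt", "lt"):
        return (t[i], int(t[i + 1]), int(t[i + 1])), i + 2
    if i < len(t) and t[i] == "range":
        return ("range", int(t[i + 1]), int(t[i + 2])), i + 3
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list N permit|deny tcp SRC [op port] DST [op port] [established]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "tcp":
        raise ValueError(f"unsupported entry: {line}")
    src, i = _take_addr(t, 4)
    sport, i = _take_port(t, i)
    dst, i = _take_addr(t, i)
    dport, i = _take_port(t, i)
    return Ace(t[2], src, sport, dst, dport, "established" in t[i:])


def evaluate(acl: List[Ace], p: Packet) -> str:
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"   # implicit deny at the end of every IOS access list


# The three inbound entries from the thread (Internet clients -> FTP server on the LAN).
SERVER_ACL = [parse_ace(l) for l in (
    "access-list 110 permit tcp any gt 1023 host 192.3.10.10 eq 21",
    "access-list 110 permit tcp any gt 1023 host 192.3.10.10 eq 20 established",
    "access-list 110 permit tcp any gt 1023 host 192.3.10.10 gt 1023",
)]
# Assumed narrowing (not from the thread): only correct if the FTP server is
# configured to hand out passive data ports from 50000-50100.
NARROWED_ACL = SERVER_ACL[:2] + [parse_ace(
    "access-list 110 permit tcp any gt 1023 host 192.3.10.10 range 50000 50100")]

CLIENT, SERVER = "203.0.113.5", "192.3.10.10"   # constructed Internet client (TEST-NET-3)


def inbound_decisions(acl: List[Ace]) -> dict:
    """Decisions for the packets Jonathan walks through, plus one unrelated high port."""
    return {
        "control_syn":        evaluate(acl, Packet(CLIENT, 40000, SERVER, 21)),
        "active_data_synack": evaluate(acl, Packet(CLIENT, 40001, SERVER, 20, ack=True)),
        "active_data_syn":    evaluate(acl, Packet(CLIENT, 40001, SERVER, 20)),
        "passive_data_syn":   evaluate(acl, Packet(CLIENT, 40002, SERVER, 50042)),
        "unrelated_high_syn": evaluate(acl, Packet(CLIENT, 40003, SERVER, 8080)),
    }
```

Running `inbound_decisions(SERVER_ACL)` permits the control SYN, the client's SYN ACK on the active data connection and the passive data SYN, denies a bare SYN to port 20 (the "established" keyword doing its job), but also permits a SYN to an unrelated high port such as 8080, which is the non-specificity Priscilla points out. With `NARROWED_ACL` the unrelated high-port SYN is denied while the passive data SYN inside the configured range is still permitted. The parser also handles the "network wildcard" form used in the reverse (LAN clients) scenario.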

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=25159&t=24525