If these are clients coming in from outside, you should have no problem.
You didn't say *which* Cisco router; assuming IOS 12.x or recent 11.x:

  on your external interface
    on the outbound access-list
      create a reflexive list
  on your external interface
    on the inbound access-list
      allow tcp/21 connections to your FTP server
      evaluate the reflexive list
Outbound FTP connections are a different issue.
During active FTP, the FTP server tries to open an outbound connection from
port 20 to the specified high-range port on the client; the problem occurs
when the *client* is behind a firewall and the server attempts to open the
reverse connection *from* server:tcp/20 to client:tcp/????
----- Original Message -----
From: David Shackelford <[EMAIL PROTECTED]>
> I have been looking at the RFC (1579) relating to ftp PASV and router
> access-lists and had a few questions related to a problem I'm
> encountering.
>
> I've got an FTP server running IIS 4.0 in my DMZ (which is
> created/protected by a PIX). I recently changed my Cisco router
> access-list to deny all but the protocols I need for business. I'm
> allowing TCP 20 and 21 in, but many ftp operations are failing. I
> realize that this is because the clients are trying to open restricted
> ports (in the 2000 range) on the server during data channel requests.
> It seems like my trouble, after reading the RFC, is that we aren't
> using passive mode. Is this right, and will I be able to implement
> this on IIS? Would it be best to just open a larger range of ports on
> the router and let the firewall do its work?
>
> Our ftp server is used for both web-URL-based downloads and client
> batching projects, so both browsers and various clients will be used
> to connect to us.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
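The reflexive-list setup the reply outlines, written out as IOS configuration. This is an added example, not configuration posted by the reply's author or the original poster; it assumes an IOS release with named extended access-lists and reflexive lists (11.3 or later, consistent with the versions the reply names), and the interface name Serial0, the server address 192.0.2.10 and the list names OUTBOUND, INBOUND and NET-REFLECT are all constructed for the example.

```cisco
! Added example (not from the thread): reflexive ACLs on the external
! interface of a Cisco IOS router. Serial0, 192.0.2.10 and the list
! names are placeholders chosen for this example.

! Optional: idle timeout (seconds) for the temporary reflected entries.
ip reflexive-list timeout 300

! Outbound list: each permitted TCP/UDP session leaving the router
! creates a mirror-image temporary entry in the reflexive list.
ip access-list extended OUTBOUND
 permit tcp any any reflect NET-REFLECT
 permit udp any any reflect NET-REFLECT
 permit icmp any any

! Inbound list: admit new FTP control connections to the server, then
! admit only packets that match a reflected entry; log everything else.
ip access-list extended INBOUND
 permit tcp any host 192.0.2.10 eq 21
 evaluate NET-REFLECT
 deny ip any any log

! Apply both lists on the external interface.
interface Serial0
 ip access-group OUTBOUND out
 ip access-group INBOUND in
```

The reflected entries are created only by traffic that passes the outbound list, which is why this covers the active-mode case the reply describes: the server's data connection from tcp/20 to the client leaves through OUTBOUND, so the client's replies are admitted by `evaluate NET-REFLECT`. A passive-mode data connection is initiated by the client toward a high port on the server, arrives inbound with no reflected entry to match, and is dropped and logged by the final `deny`, which is the PASV behaviour the original message is running into; admitting it would need an explicit inbound permit for the server's data-port range rather than anything the reflexive list provides.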