Tom,
The problem is the way in which you built your ACL...
You have used the following format:
access-list <ACL#> permit tcp <source_address> eq <source_port> host <destination_address>
You need to do the following:
access-list <ACL#> permit tcp <source_address> host <destination_address> eq <destination_port>
Why?
Because when you start a session from the client, the source port is determined pseudo-randomly in a lot of protocols, and the destination 'server' port addresses are known. So when you start a session from the browser and from the prompt, a packet is sent with a TCP destination port of 21 and a source port above 1024.
FYI, the DOS versions (Win95, 98, etc.) are started in "active" mode and then, if available, are switched to PASV mode at the user's command prior to any transfers. PASV mode is not required in order to start a session but is required when transferring any information back to the client, i.e. directory listings and files.
Your browser's FTP is a PASV-mode browser, and if the PASV mode capability is detected on the FTP server, you are in all likelihood using passive FTP.
If you want to see what is happening on your ACLs in such a way that you can debug them, then change your final deny statement to include the log command:
access-list 110 deny ip any any log
If you are telnetting to the router you will need to issue a "term mon" command so that the output is shown on the telnet session. Otherwise, if you are on the console, the output will be there.
Some FTP clients use port 21 as the source; that's why you got through with those clients. It is likely that those clients are running in passive mode.
Thanks
Anthony Burow
> Date: Thu, 27 Jul 2000 14:22:38 +0200
> From: Tom Casaer <[EMAIL PROTECTED]>
> Subject: ftp through CISCO access-list
>
> Hi,
>
> I've got the following (strange?) problem: I've got a Cisco configured with
> the following access-list (a part of it):
>
> ...
> int ser0
> ip access-group 110 in
> ...
>
> ...
> access-list 110 permit tcp any eq ftp host X.X.X.X established
> access-list 110 permit tcp any eq ftp-data host X.X.X.X
> ...
> access-list 110 deny ip any any
>
> Now the problem is that I can use every ftp-client for ftp-ing (BulletProof
> FTP, ws_ftp, ...), everything works fine,
> but FTP in a browser (Explorer, Netscape) doesn't work (can't get a
> data connection) and FTP in an MS-DOS window doesn't work either (also no
> data connection).
>
> Is there anybody who has the same problem or a solution? Or always use a
> normal ftp-client?
>
> Thanks,
>
> Tom Casaer
>
> PS: I don't use PASSIVE mode, so it's a normal ftp connection.