Re: Access-list for FTP

From: Anantha Subramanian Natarajan <anantha.natarajan_at_gravitant.com>
Date: Sat, 22 Aug 2009 07:18:27 -0500

Hi Iwan,

  Thank you very much for verifying the solution and explaining the
procedure for testing the same.

Thanks

Regards
Anantha Subramanian Natarajan

On Sat, Aug 22, 2009 at 6:24 AM, Iwan Hoogendoorn <iwan_at_ipexpert.com> wrote:

> Hey Anantha,
>
> What you are explaining above is totally correct.
> You can simply test this by configuring an FTP server on a router:
>
> If you want to enable a FTP server within Cisco IOS, you can use the
> ftp-server enable configuration command followed by the ftp-server
> topdir directory command which specifies the top-level FTP directory
> (for example, flash: or disk0:). To authenticate the FTP users you
> need to define the local usernames with the username user password
> password configuration command.
> You can put the ACL on the interface and just do a quick telnet to
> port 21 from the neighbouring router or another router if the route is
> known to it ("telnet x.x.x.x ftp" and "telnet x.x.x.x ftp-data")
>
>
>
> --
> Regards,
>
> Iwan Hoogendoorn
> CCIE #13084 (R&S / Security / SP)
> Sr. Support Engineer  IPexpert, Inc.
> URL: http://www.IPexpert.com <http://www.ipexpert.com/>
>
> On Fri, Aug 21, 2009 at 11:42 PM, Anantha Subramanian
> Natarajan<anantha.natarajan_at_gravitant.com> wrote:
> > Hi All,
> >
> > I would like to clarify below the rules needed to apply for the
> > access-list based on different applications/requirements. Thanks for the
> > assistance.
> >
> >
> > Say the topology is as listed like R6-BB1
> >
> > *Requirement*
> >
> > 1) Allow only ftp traffic from BB1.
> >
> > *Assuming the solution as below*
> >
> > An extended access-list would be applied *inbound *on the R6 interface
> > facing towards BB1
> >
> > ip access-list extended allow_in
> > *Active FTP*
> > 10 permit tcp any gt 1023 <inside network - inverse mask> range 20 21
> > --- For Active FTP (assuming client is outside and server is inside)
> > 20 permit tcp any range 20 21 <inside network - inverse mask> gt 1023
> > --- For Active FTP (assuming client is inside and server is outside)
> > *Passive FTP*
> > 30 permit tcp any gt 1023 <inside network - inverse mask> gt 1023
> > --- For Passive FTP (assuming client is outside and server is inside)
> >
> >
> > Would the above access-list permit both passive and active FTP (including
> > server inside or outside)? Kindly correct me where I am wrong.
> >
> > *Note:* Ignoring the permit statements required for routing protocol or any
> > other protocol traffic between R6 and BB1 for our question.
> >
> > Thanks
> >
> >
> > Regards
> > Anantha Subramanian Natarajan
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
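As an added check that is not part of the thread, the following Python model evaluates the three ACEs quoted above against the inbound packets each FTP mode produces on R6's BB1-facing interface, and also probes what the same list permits beyond FTP. The inside network (10.6.0.0/24), the inside host and the BB1 address are constructed for the example.

```python
# Added example (not from the thread): model of ACEs 10/20/30 of "allow_in",
# checked against inbound traffic for each FTP mode and client placement.
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.6.0.0/24")   # constructed "<inside network>"
INSIDE_HOST = "10.6.0.10"            # constructed inside FTP peer
OUTSIDE_HOST = "192.168.1.1"         # constructed BB1-side FTP peer

def gt1023(p):
    return p > 1023

def ftp_ctl_data(p):
    return 20 <= p <= 21             # "range 20 21"

# (seq, src-port test, dst-port test); source is "any", destination is INSIDE.
ACL = [
    (10, gt1023, ftp_ctl_data),      # any gt 1023 -> inside range 20 21
    (20, ftp_ctl_data, gt1023),      # any range 20 21 -> inside gt 1023
    (30, gt1023, gt1023),            # any gt 1023 -> inside gt 1023
]

def first_match(src, sport, dst, dport):
    """Sequence number of the first permitting ACE, or None (implicit deny)."""
    if ip_address(dst) not in INSIDE:
        return None
    for seq, sport_ok, dport_ok in ACL:
        if sport_ok(sport) and dport_ok(dport):
            return seq
    return None

# Inbound packets (control, then data) seen on R6 for each scenario.
# Active: server connects from port 20 to the client's high port.
# Passive: client connects from a high port to the server's high port.
SCENARIOS = {
    "active, client outside":  [(OUTSIDE_HOST, 40000, INSIDE_HOST, 21),
                                (OUTSIDE_HOST, 40001, INSIDE_HOST, 20)],
    "active, client inside":   [(OUTSIDE_HOST, 21, INSIDE_HOST, 40000),
                                (OUTSIDE_HOST, 20, INSIDE_HOST, 40001)],
    "passive, client outside": [(OUTSIDE_HOST, 40000, INSIDE_HOST, 21),
                                (OUTSIDE_HOST, 40001, INSIDE_HOST, 50000)],
    "passive, client inside":  [(OUTSIDE_HOST, 21, INSIDE_HOST, 40000),
                                (OUTSIDE_HOST, 50000, INSIDE_HOST, 40001)],
}

def evaluate():
    """Map each scenario to the ACE that permits its control and data packets."""
    return {name: [first_match(*pkt) for pkt in pkts] for name, pkts in SCENARIOS.items()}

def non_ftp_probe():
    """Show what else the list lets in: SSH is denied, but any high-port-to-high-port
    TCP session (here to 8080) is permitted by ACE 30, since no 'established' keyword
    restricts it to return traffic."""
    return (first_match(OUTSIDE_HOST, 40000, INSIDE_HOST, 22),
            first_match(OUTSIDE_HOST, 45000, INSIDE_HOST, 8080))
```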

Blogs and organic groups at http://www.ccie.net
Received on Sat Aug 22 2009 - 07:18:27 ART

This archive was generated by hypermail 2.2.0 : Tue Sep 01 2009 - 05:43:57 ART