cannot access ftp site

  • cannot access ftp site

    I've added an access rule for our inside to permit object (testftp) to any (0.0.0.0) for ftp and it doesn't seem to work. If I change the ftp to http, browsing is fine, as is if I set to IP.

    Checking the logging when set to ftp I see:

    106023 testftp 1089 62.216.233.142 14578 Deny tcp src inside:testftp/1089 dst outside:62.216.233.142/14578 by access-group "inside_access_in" [0x565b3da1, 0x0]

    Having found the inside_access_in which resides in the ACL Manager, I see the same rule in there but cannot fathom it out.

    I've done the same thing for a user that required ssh (sftp) and that worked fine.

    I'm obviously missing something here so any guidance would be appreciated because I don't admit to being a Cisco guru.

  • #2
    Re: cannot access ftp site

    106023 testftp 1089 62.216.233.142 14578 Deny tcp src inside:testftp/1089 dst outside:62.216.233.142/14578 by access-group "inside_access_in" [0x565b3da1, 0x0]

    Destination: Outside port 14578

    unless I read that wrong?
    Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif


    • #3
      Re: cannot access ftp site

      Yeah, that's right. Though ftp/ftp-data are ports 20/21, there's the client higher random ports which I think are denying the connection.

      It's getting round this which is posing the problem


      • #4
        Re: cannot access ftp site

        Ahh, I misunderstood.
        You wish to permit inbound ftp.

        Although.. considering.. you may need a rule that allows established traffic to return.. if that makes sense?


        • #5
          Re: cannot access ftp site

          Originally posted by tehcamel
          Ahh, I misunderstood.
          You wish to permit inbound ftp.

          Although.. considering.. you may need a rule that allows established traffic to return.. if that makes sense?

          Perfect sense, but I'm not sure that's where the problem lies. If I change the ports to http (browsing works) or IP or TCP (ftp then works), just not if I set to ftp/ftp-data.

          I'm thinking there's a global inside access list that's causing the restriction somehow.


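Added example, not written by any poster in this thread: a small Python parser for the 106023 deny line quoted above. It shows that the denied flow is TCP to destination port 14578, which an ACL entry limited to the ftp (21) and ftp-data (20) services does not match, while an entry for IP or TCP does. The function names are illustrative and the second and third sample lines are constructed.

```python
import re

# Body of ASA message 106023 in the layout quoted in the thread.
DENY_RE = re.compile(
    r'Deny (?P<proto>\S+) src (?P<src_if>[^:\s]+):(?P<src>[^/\s]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst>[^/\s]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

# Destination ports covered by an ACL entry restricted to ftp / ftp-data.
FTP_SERVICE_PORTS = {20: "ftp-data", 21: "ftp"}

def parse_deny(line):
    """Return the fields of a 106023 deny line as a dict, or None otherwise."""
    if "106023" not in line:
        return None
    m = DENY_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    return fields

def classify(fields):
    """Say whether the denied destination port is one an ftp-only rule covers."""
    if fields["proto"] != "tcp":
        return "not-tcp"
    if fields["dport"] in FTP_SERVICE_PORTS:
        return "ftp-service-port"
    return "unprivileged-port" if fields["dport"] >= 1024 else "other-port"

def report(lines):
    """Return (acl, src, dst, dport, class) for every deny line found."""
    rows = []
    for line in lines:
        f = parse_deny(line)
        if f is not None:
            rows.append((f["acl"], f["src"], f["dst"], f["dport"], classify(f)))
    return rows

SAMPLE_LOG = [
    # Line quoted in the thread.
    '106023 testftp 1089 62.216.233.142 14578 Deny tcp src inside:testftp/1089 dst outside:62.216.233.142/14578 by access-group "inside_access_in" [0x565b3da1, 0x0]',
    # Constructed: a deny on the FTP control port, for contrast.
    '106023 testftp 1090 192.0.2.10 21 Deny tcp src inside:testftp/1090 dst outside:192.0.2.10/21 by access-group "inside_access_in" [0x0, 0x0]',
    # Constructed: a line that is not a 106023 deny and is skipped.
    '302013 Built outbound TCP connection for outside:192.0.2.10/21 to inside:testftp/1090',
]

if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(*row)
```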