ACL to allow only FTP - various issues

I've been asked to develop a way to connect one of the company's servers to one of my closet 5509s, which runs several VLANs over a couple of floors in my building. The 5509 has no RSM and is connected to the big layer-3 switch... a 6509.

I was told that I have to make the connection "secure". This server will be doing file transfers (probably FTP).

Even though we have a firewall... the decision was taken to put the server in its own VLAN, say VLAN 201, and hard-code its IP address as 10.4.201.11.

I have been tasked with developing an ACL that will allow only FTP traffic.

Here's my plan

Create VLAN 201 on the 6500 and the 5509, and assign a 5509 port to it for the server.

I'm thinking of applying the following ACL to my interface vlan 201 on the 6509:

access-list 100 permit tcp 10.4.201.11 0.0.0.0 any eq 20
access-list 100 permit tcp 10.4.201.11 0.0.0.0 any eq 21
access-list 100 deny ip any any

On the 6509, applying the ACL:

ip access-group 100 in

I have a few questions

1. Does permitting ports 20 and 21 cover me for FTP traffic?

2. By coding 0.0.0.0 in the ACL, does that force the IP address to match 10.4.201.11 exactly, or does it let anything through?

3. As far as I know, the deny ip any any at the end will kill everything else.

4. I am concerned about a couple of other things... I don't know whether the ACKs will be sent back properly. I also wonder whether I need to apply it both outbound and inbound?

5. What really worries me is that I have never done an ACL before and don't want to create a situation where I block the other traffic on the two switches... I guess that's the advantage of doing it in a separate VLAN... then I hope that if something "unexpected" happens when we apply it, it will only affect VLAN 201.

6. Last question: if we had to back out the ACL for some reason... I hear they are difficult to change once they're in the config... Is the procedure to remove the ip access-group 100 from the interface first and then remove the access-list statements? Doing it the other way around would leave the group still applied with nothing in the list.

Thanks in advance for any helpful suggestions

Hi Lane,

Here are a few answers (in the same order as your questions)

1. The answer is: it depends. FTP can operate in one of two modes: active and passive. Depending on the mode, the required ports are different. The following URL has a good explanation of the difference between the two:

http://SlackSite.com/other/FTP.html

As the server is under your control, I think that using active FTP should be fine. Therefore, the two server ports you need to open are tcp/21 and tcp/20.

2. A mask of 0.0.0.0 makes the access list match on every bit of the address that is specified. So what you've got is fine.

3. Access lists have an implicit "deny all" at the end, so that last statement is not really necessary, but it might be good to leave it in for readability.

4. Because you want to be sure, a combination of inbound and outbound filtering is in order.

5. What you do on this VLAN will affect that VLAN and only that VLAN - you don't have to worry about an impact on anything else.

6. It's okay. Remove the 'ip access-group' statement under the interface before doing anything to the access list itself.

Here's how to set up the ACL:

access-list 101 permit tcp any gt 1023 host 10.4.201.11 eq 20
access-list 101 permit tcp any gt 1023 host 10.4.201.11 eq 21
access-list 101 deny ip any any
!
access-list 102 permit tcp host 10.4.201.11 eq 20 any gt 1023
access-list 102 permit tcp host 10.4.201.11 eq 21 any gt 1023
access-list 102 deny ip any any
!
interface vlan201
ip access-group 102 in
ip access-group 101 out

Now, the above lists will only let the FTP server do FTP and not much else. Does your server use DNS for any reason? If so, you will need to drill holes in the ACLs above to allow UDP/53 through.

Hope that helps - please rate the post if it does.

Paresh
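As an added illustration (this is not code from the thread and not Paresh's), the following Python models first-match Cisco ACL evaluation and runs lists 101 (applied out) and 102 (applied in) over the packets of an active FTP session, a passive FTP session and a DNS query. The client address 10.4.10.25, the resolver 10.4.1.5, the VLAN 201 prefix, the ephemeral ports and the passive data port 50000 are assumptions made up for the example; only the server address 10.4.201.11 and the two lists come from the thread. It shows concretely why the answer to question 1 is "it depends": active mode passes in both directions, the passive-mode data connection is dropped because its port is neither 20 nor 21, and UDP/53 falls through to the deny, as the reply warns.

```python
import ipaddress
from dataclasses import dataclass

# Only the server address comes from the thread; the client, the resolver and
# the VLAN 201 prefix are assumptions made for this example.
SERVER = "10.4.201.11"
CLIENT = "10.4.10.25"
RESOLVER = "10.4.1.5"
VLAN201 = ipaddress.ip_network("10.4.201.0/24")

# Paresh's lists. On "interface vlan201" of the 6509, "out" sees packets the switch
# forwards into VLAN 201 (toward the server); "in" sees packets sent by the server.
ACL_101_OUT = """
access-list 101 permit tcp any gt 1023 host 10.4.201.11 eq 20
access-list 101 permit tcp any gt 1023 host 10.4.201.11 eq 21
access-list 101 deny ip any any
"""
ACL_102_IN = """
access-list 102 permit tcp host 10.4.201.11 eq 20 any gt 1023
access-list 102 permit tcp host 10.4.201.11 eq 21 any gt 1023
access-list 102 deny ip any any
"""

@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"; TCP flags are not modelled
    src: str
    sport: int
    dst: str
    dport: int

def ip_match(addr: str, spec: str) -> bool:
    """Match 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'. A 0 bit in the
    wildcard must match, so a mask of 0.0.0.0 means an exact address."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    net, wildcard = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)

def port_match(port: int, qual) -> bool:
    if qual is None:
        return True
    op, val = qual
    return {"eq": port == val, "gt": port > val, "lt": port < val}[op]

def _parse_endpoint(tokens, i):
    """Consume one address spec plus an optional eq/gt/lt port qualifier."""
    if tokens[i] == "any":
        spec, i = "any", i + 1
    elif tokens[i] == "host":
        spec, i = f"host {tokens[i + 1]}", i + 2
    else:
        spec, i = f"{tokens[i]} {tokens[i + 1]}", i + 2
    qual = None
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt"):
        qual, i = (tokens[i], int(tokens[i + 1])), i + 2
    return spec, qual, i

def evaluate(acl_text: str, pkt: Packet) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for line in acl_text.strip().splitlines():
        t = line.split()
        if t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, sq, i = _parse_endpoint(t, 4)
        dst, dq, _ = _parse_endpoint(t, i)
        if proto not in ("ip", pkt.proto):
            continue
        if (ip_match(pkt.src, src) and port_match(pkt.sport, sq)
                and ip_match(pkt.dst, dst) and port_match(pkt.dport, dq)):
            return action
    return "deny"

def filter_on_vlan201(pkt: Packet) -> str:
    """Choose the list by direction: sourced in VLAN 201 -> 102 'in', else 101 'out'."""
    inbound = ipaddress.ip_address(pkt.src) in VLAN201
    return evaluate(ACL_102_IN if inbound else ACL_101_OUT, pkt)

def ftp_session_results() -> dict:
    """Verdicts for the packets of active FTP, passive FTP and a DNS lookup.
    Ephemeral ports and the passive data port 50000 are made up."""
    flows = {
        "active control client->server": Packet("tcp", CLIENT, 40001, SERVER, 21),
        "active control server->client": Packet("tcp", SERVER, 21, CLIENT, 40001),
        "active data server->client": Packet("tcp", SERVER, 20, CLIENT, 40002),
        "active data client->server": Packet("tcp", CLIENT, 40002, SERVER, 20),
        "passive data client->server": Packet("tcp", CLIENT, 40003, SERVER, 50000),
        "passive data server->client": Packet("tcp", SERVER, 50000, CLIENT, 40003),
        "dns query server->resolver": Packet("udp", SERVER, 53000, RESOLVER, 53),
    }
    return {name: filter_on_vlan201(p) for name, p in flows.items()}
```

Two things the model makes visible that are easy to miss when reading the lists: `ip_match` with a 0.0.0.0 wildcard is an exact-address test (question 2), and because no entry uses the `established` keyword, list 101 accepts a fresh connection from any high port to the server's port 20 just as readily as it accepts the replies to the server's own data connections; the model ignores TCP flags, so it treats both the same way the lists on the page do. Passive mode would need additional entries for the server's passive port range on both lists.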

Tags: Cisco Security

Similar Questions

  • WAP321 ACL to allow only 1 website

    Hello.

I'm having a hard time setting up an ACL on a WAP321. Basically, the client wants an open access point which only allows access to a specific website. Is it possible to specify a domain name in an ACL on the WAP321?

    Thank you

    I know what you're talking about.

Under the local user, there is an idle timeout which is set by default to 60 minutes. This means that, after a user disassociates from the AP, if they try to log on again before 60 minutes have passed, they will still be in the list of authenticated users and should bypass the login screen. If the time specified in this field expires before the client attempts to authenticate again, the client's entry is deleted from the list of authenticated clients and they will have to log in through the portal again.

This same setting is also in the instance configuration. I would set it the same in both places. There is also a session timeout, which I leave at the default of 0.

    I hope this helps.

    Eric Moyers

  • My version of Firefox is 7.0.1. My bank allows only version 3.6. How do I adapt so I can do my banking online?

    My version of Firefox is 7.0.1. My bank allows only version 3.6. How do I adapt so I can do my banking online? I use a Mac.

You could install version 3.6 alongside your current version. Just download your language version from http://www.mozilla.org/en-US/firefox/all-older.html and then, in the installer, change the installation location. You can just change the last part of the installation location (where it says Mozilla Firefox) to Mozilla Firefox2.

  • mx459 won't let me enter the WEP key number, allows only symbols and letters. How to enter numbers?

    mx459 won't let me enter the WEP key number, allows only symbols or letters. How to enter numbers?

    John

This might help:

Press the SETUP button on the control panel of your printer.
Using the arrows, select DEVICE SETTINGS, then press OK.
Select LAN SETTINGS, then press OK.
Select WIRELESS LAN SETUP, then press OK.
If a message about the WPS button appears, press STOP to cancel.
Select STANDARD SETUP on the next screen that appears, then press OK.
Select your access point or router, then press OK.
Press OK to confirm the access point name.
Enter your password using the numeric keypad on the right.
On the screen where you enter your password, at the top right of the LCD you should see a "1". This indicates you are in numeric input mode. Pressing the asterisk (*) switches to uppercase letter mode; pressing the asterisk again switches to lowercase. To enter a letter in letter mode, press the numeric key repeatedly to scroll through the available letters. For example, to enter the letter "c", press "2" three times.
Press OK when finished.
The LCD will say "Connected" if the password is correct.

  • How to allow only .gov Web sites on Windows XP using the installation of the broad-band

How to allow only .gov websites on Windows XP. I use BSNL broadband, with internet sharing set up on the LAN.

Regards

    Maton

    Hi Matt,

This forum is for MSE, which cannot restrict access to websites the way you want.

One possible method that comes to mind uses Parental Controls (http://www.windows-help-central.com/parental-controls-in-windows-xp.html), possibly with Windows Live Family Safety (http://explore.live.com/windows-live-family-safety?os=other), depending on the version of XP and whether you have a workgroup or domain LAN.  When you set it up, allow *.gov but block all the other types you can think of (I don't think there is a way to allow only .gov, but you can exclude most if not all of the other busiest ones - check the domain name registrars to get a list of options).  If you are on a domain, the way to go would be a custom domain group policy to restrict access across the whole network (except perhaps the server or special-category individuals in Active Directory, if you want).

If that is not the case (and I think it might be), please repost your question in the following forum to get the expert assistance you need: http://answers.microsoft.com/en-us/windows/forum/windows_xp-networking?page=1&tab=all.

    I hope this helps.

    Good luck!

  • allow only one identity on ISE 1.3

I have ISE 1.3 with an authentication and authorization policy using EAP-TLS. It works correctly, but I have seen in the authentications report one identity with two different MAC addresses, both authorized over wireless.

I need to allow only one identity with a single device, because the user copied his certificate onto another device and was granted access to the network.

Is it possible to do this?

ISE does not support restricting an identity to a single device in this scenario. If your PCs are AD-joined machines, you can use a computer certificate enrolled from the internal PKI via GPO and set the certificate template to not allow export of the private key; then it will not be an easy hack for a normal user to export the certificate (though it is possible).

Also, perhaps ask the user why they do it; there might be a valid reason.

  • Unable to create the new folder, allows only new Briefcase

My "New" menu only lets me create a Briefcase.  I want to create a standard folder.

How to remove and restore the default "New" context menu items in Windows 7 and Windows 8
http://www.SevenForums.com/tutorials/28677-new-context-menu-remove-restore-default-menu-items.html

Tip: When you save the text in Notepad, the default file format is .txt. Change the file type to All Files.

  • Allow only smartphones via anyconnect

Is this possible? The goal is to allow only smartphones/tablets; no full-blown laptop OSes.

If you have the AnyConnect Essentials and AnyConnect Mobile licenses, would it be as simple as issuing "no anyconnect essentials"? According to the docs this only disables AnyConnect Essentials but leaves the license intact. I hope this would mean that AnyConnect for Mobile would continue to operate. Or maybe there's another way to do this?

Unfortunately I do not have the freedom to test and cannot find it in the documentation.

~ Thank you

"no anyconnect essentials" disables that license feature in favor of the AnyConnect Premium license.

AnyConnect for Mobile requires one or the other license to operate.

To apply a device-type restriction, you would normally use Dynamic Access Policy (with AnyConnect Premium) and the Cisco Secure Desktop feature. However, CSD is only supported on Windows / OS X / Linux.

Another way you could do it would be with device certificates. Check endpoints for the presence of a certificate (which you would need to deploy) and only allow devices with a valid certificate to authenticate. That's how it is done (among other things) with Cisco ISE. ISE eases the pain somewhat by deploying the certificate during device/user onboarding. Doing it with only the ASA would require you to use a third-party certificate deployment (or possibly SCEP, but I don't think you could proxy the SCEP enrollment for the mobile device).

  • How can I allow only a specific list of employees to receive marketing emails, but exclude all others in the same company?

We have an important customer who said they don't want their employees to receive marketing emails, except for a specific list of their management team. Also, we do not want our customer's employees who decide to opt in on our registration page to receive emails if they use their work email address.

How can I allow only a specific list of employees (the management team) to receive marketing emails, but exclude all others in the same company?

One way is to create a shared list, "Company A excludes". Build a program in Program Builder with a feeder that looks for the domain "company A". Place a filter in the program on a decision rule with the management team's emails; if they are in the filter (that is, they are on the management team), remove them from the program; if they are not (that is, they are not on the management team), add them to the "Company A excludes" shared list. Then you can add the "Company A excludes" shared list as an exclusion on your segments, or implement a template that adds it automatically as an exclusion.

Do they object to all non-management-team emails? If they do, as an extra precaution, you could add "Company A excludes" to the master exclusion list.

  • OES-000149: allow only https connections, received http

    Hello

I am trying to install the Provisioning Service for my Endeca system.
I installed all three servers (Endeca Server, Integrator and Studio) in development mode and I did not use SSL in any of them.
Now when I try to install the Provisioning Service, I am not able to connect to the Endeca Server; the error is:
"

#### <29 October 2014 12:45:50 IST> <Error> <com.oracle.endeca.pdi.logging.ProvisioningLogger> <infva05628> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <b07a8e9881d7066d:40aa6725:1495ac057b0:-8000-0000000000000014> <1414566950356> <BEA-000000> <javax.xml.ws.WebServiceException: Failed to access the WSDL at: http://localhost:9001/endeca-server/ws/manage?wsdl. It failed with:

Response: '404: Not Found' for url: 'http://localhost:9001/endeca-server/ws/manage?wsdl'.

com.oracle.endeca.pdi.mdex.clustermanage.ClusterManageClientException: javax.xml.ws.WebServiceException: Failed to access the WSDL at: http://localhost:9001/endeca-server/ws/manage?wsdl. It failed with:

Response: '404: Not Found' for url: 'http://localhost:9001/endeca-server/ws/manage?wsdl'.

When I tried to access the URL "http://localhost:9001/endeca-server/ws/manage?wsdl" I received the following message:

    OES-000149: allow only https connections, received http


How can I resolve this problem and install the Provisioning Service?

Check your EndecaServer.properties for:

endeca-require-https = false

endeca-set-mode = false

Hi, I have bought LR6 and installed Creative Cloud fine, but when I go to install Lr it only allows an installation of the trial version; the other options are to buy. I expect that when I pay 129 euros for LR I can install it easily and not

I bought LR6 and installed Creative Cloud fine, but when I go to install Lr it only allows an installation of the trial version; the other options are to buy.

Serialize the Lightroom trial to activate it as Lightroom 6 / CC

    https://helpx.Adobe.com/Lightroom/KB/serialize-Lightroom-CC-trial-to-activate-as-Lightroom - 6.html

  • Regex to allow only integer and decimal numbers.

    Hi all

    I need a regex to allow only integers and decimal numbers.

    Examples:

100 - allowed

100.00 - allowed

100. - not allowed

100.11.22 - not allowed

any characters other than digits - not allowed

I used the regular expression ^[0-9]+\.?[0-9]*$ but it's allowing "100." as well.

    Can someone help me solve this problem.

    Your timely assistance is greatly appreciated.

    Thanks in advance.

    Hello

inDiscover wrote:

    I used the regular expression ^[0-9]+\.?[0-9]*$ but it's allowing "100." as well.

    Use

^[0-9]+(\.[0-9]+)?$

to make the decimal point and the digits that follow it (of which there must be at least one) a single unit, which is then optional.
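As an added example (not code from the question or the reply), here both patterns are compiled in Python and run over constructed inputs: the cases listed in the question, including the "100." that the first pattern wrongly accepts, plus a value with a trailing newline. The last one shows a validation detail the reply does not cover: `$` matches before a final newline, so `re.match` with the corrected pattern still accepts "100\n", while `re.fullmatch` refuses it.

```python
import re

LOOSE = re.compile(r"^[0-9]+\.?[0-9]*$")     # pattern from the question
STRICT = re.compile(r"^[0-9]+(\.[0-9]+)?$")  # pattern from the reply


def loose_ok(value: str) -> bool:
    """The question's pattern: the optional '.' and the optional digits are independent,
    so a bare trailing point slips through."""
    return LOOSE.match(value) is not None


def strict_ok(value: str) -> bool:
    """The reply's pattern, anchored with '$' via re.match."""
    return STRICT.match(value) is not None


def is_number(value: str) -> bool:
    """Validation form: fullmatch refuses the trailing newline that '$' quietly tolerates."""
    return STRICT.fullmatch(value) is not None


# Constructed inputs: the question's cases plus a few a validator also has to refuse.
SAMPLES = ["100", "100.00", "100.", "100.11.22", ".5", "1e5", "-5", "100\n"]


def table() -> dict:
    """{value: (question pattern, reply pattern, fullmatch)} for each sample."""
    return {v: (loose_ok(v), strict_ok(v), is_number(v)) for v in SAMPLES}
```

Run `table()` to see the three verdicts side by side; the only rows where the reply's pattern and `is_number` disagree are the ones with a trailing newline, which is exactly the kind of input a web form or log line hands you.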

  • Allow only specific APEX App via Oracle Http Server

    Hello

I am having some difficulty securing my Oracle APEX + Oracle HTTP Server environment.

There are currently about 20 applications running on the APEX server, and I want to publish 2 of them externally for users.

I added a certificate in Oracle Wallet Manager to secure OHS, but I can access all applications on the APEX server just by changing the application ID suffix.

How can I allow only the two applications to be accessible via the internet?

Regards

Hello

Well, we need much more information.

You could put together a zip file of all the relevant configuration files, or you could send them to me at [email protected].

Then I'll take a look and we can post the result here.

You should also give the complete URL that you use, since you seem to be using virtual hosting.

Cheers,
    Dietmar.

  • Export of collections to the external file allows only export as a jpeg image and not the original file types?

Export of collections to an external file allows only export as a JPEG image and not the original file types?

Why is this?

D'oh - just found out why. The video bar was enabled, so it took precedence over the options. Now it works; thank you for your answers.

    George

  • Trigger - allow only SYSADM change password

    Hello

I would like to create a trigger on Oracle 9i which allows only SYSADM to change passwords and denies all other users from changing their password. Is this possible?

I found a script, but it does not allow any user to change their password (sorry, can't remember where I found it, but credit to the author :))

CREATE TRIGGER No_Change_PWD_trigger
BEFORE ALTER
ON DATABASE
DECLARE
BEGIN
IF (ora_dict_obj_type = 'USER') THEN
raise_application_error(-20010, 'You cannot change the password, nice try ;)');
END IF;
END;
/

Can someone help me modify the script so that SYSADM is the only user with ALTER USER privileges?

    Thank you
    Ryan

    Hello

A simple addition should work (but not tested):

    CREATE TRIGGER No_Change_PWD_trigger
    BEFORE ALTER
    ON DATABASE
    DECLARE
    BEGIN
    IF (ora_dict_obj_type = 'USER')
    and user != 'SYSADMIN' THEN
    raise_application_error(-20010,'You cannot change the password, nice try ;)');
    END IF;
END;
/

Herald ten Dam
    http://htendam.WordPress.com
