Preventing FTP Access with ACL
mercanedees
Member Posts: 10
in CCNA & CCENT
Can anyone please help - came across this question...
How would you prevent FTP access to a host using only port numbers?
Would you have to code the following for both port numbers 20 and 21 or would just one of the FTP port numbers suffice?
access-list 101 deny tcp 172.16.0.0 0.0.255.255 any eq 20
access-list 101 deny tcp 172.16.0.0 0.0.255.255 any eq 21
access-list 101 permit ip any any
interface serial 0
ip access-group 101 in
Hope this makes sense - Many thanks
Comments
mbeaven Member Posts: 50
I believe it's only necessary to block port 21, the control port, since it's needed to establish the session. I don't have a router in front of me right now, but I thought blocking port 21 is the same as putting eq ftp and shows that way in the config. I'm sure if I'm wrong someone will let me know about it.

wildfire Member Posts: 654
access-list 101 deny tcp 172.16.0.0 0.0.255.255 any eq ftp
This command blocks both port 20 and 21. However, be careful, as people can use FTP through HTTP passive mode, which will use port 80 (HTTP) for FTP access.
Looking for CCIE lab study partners, in the UK or Online.

wildfire Member Posts: 654
Forgot to say there's also secure FTP:
access-list 110 deny tcp any any eq 115
Looking for CCIE lab study partners, in the UK or Online.
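
Added example, not written by any poster in this thread: a minimal first-match evaluator for the extended-ACL subset used in the question, run over constructed packets to show which destination ports ACL 101 denies for 172.16.0.0/16 sources. The packet addresses and the high port 50000 are constructed, the source address is written as 172.16.0.0, and the keyword table reflects IOS naming (ftp is 21, ftp-data is 20).

```python
import ipaddress

# IOS keywords for the FTP ports: ftp = control (21), ftp-data = data (20).
PORT_NAMES = {"ftp": 21, "ftp-data": 20}

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: bits set to 1 are ignored in the comparison."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_ace(line):
    """Parse 'access-list N <action> <proto> <src> any [eq <port>]' (this subset only)."""
    tok = line.split()
    ace = {"action": tok[2], "proto": tok[3], "src": None, "dport": None}
    if tok[4] == "any":
        rest = tok[5:]
    else:
        ace["src"], rest = (tok[4], tok[5]), tok[6:]
    if len(rest) == 3 and rest[1] == "eq":      # rest[0] is the destination 'any'
        ace["dport"] = PORT_NAMES[rest[2]] if rest[2] in PORT_NAMES else int(rest[2])
    return ace

def evaluate(acl_lines, src, proto, dport):
    """First matching entry decides; an ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["src"] and not wildcard_match(src, *ace["src"]):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"

# ACL 101 from the question, with the source written as 172.16.0.0.
ACL_101 = [
    "access-list 101 deny tcp 172.16.0.0 0.0.255.255 any eq 20",
    "access-list 101 deny tcp 172.16.0.0 0.0.255.255 any eq 21",
    "access-list 101 permit ip any any",
]

# Constructed packets: (source, protocol, destination port).
PACKETS = [("172.16.5.9", "tcp", 21), ("172.16.5.9", "tcp", 20),
           ("172.16.5.9", "tcp", 80), ("172.16.5.9", "tcp", 50000),
           ("10.1.1.1", "tcp", 21)]

if __name__ == "__main__":
    for src, proto, dport in PACKETS:
        print(f"{src:>12} {proto} dst {dport:<5} -> {evaluate(ACL_101, src, proto, dport)}")
```

Removing the `eq 20` line from `ACL_101` and re-running shows the control connection to port 21 is still denied, so no FTP session can be set up from those sources.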