Preventing FTP Access with ACL

mercanedeesmercanedees Junior MemberMember Posts: 10 ■□□□□□□□□□
in CCNA & CCENT
Can anyone please help - came across this question . .

How would you prevent FTP access to a host using only port numbers?

Would you have to code the following for both port numbers 20 and 21 or would just one of the FTP port numbers suffice?

access-list 101 deny tcp 172.16.00 0.0.255.255 any eq 20
access-list 101 deny tcp 172.16.00 0.0.255.255 any eq 21
access-list 101 permit ip any any

interface serial 0
ip access-group 101 in

Hope this makes sense - Many thanks
· Share on FacebookShare on Twitter

Comments

  • mbeavenmbeaven Member Member Posts: 50 ■■□□□□□□□□
    I believe it's only necessary to block port 21 the control port since it's needed to establish the session. I don't have a router in front of me right now but I thought blocking port 21 is the same as putting eq ftp and shows that way in the config. I'm sure if I'm wrong someone will let me know about it. :)
    · Share on FacebookShare on Twitter
  • mercanedeesmercanedees Junior Member Member Posts: 10 ■□□□□□□□□□
    Thank you mbeaven for the reply
    · Share on FacebookShare on Twitter
  • wildfirewildfire Senior Member Member Posts: 654
    access-list 101 deny tcp 172.16.00 0.0.255.255 any eq ftp

    this command blocks both port 20 and 21. However be carefull as people can use fpt through http passive mode which will use port 80 http for ftp access.
    Looking for CCIE lab study partnerts, in the UK or Online.
    · Share on FacebookShare on Twitter
  • wildfirewildfire Senior Member Member Posts: 654
    forgot to say theres also secure ftp

    access-list 110 deny tcp any any eq 115
    Looking for CCIE lab study partnerts, in the UK or Online.
    · Share on FacebookShare on Twitter
Sign In or Register to comment.