Choi -
Unless you use clients supporting passive FTP (modified FTP client
programs and some Web browsers), you will need to allow outside machines
to initiate TCP connections from port 20 (the ftp-data port).
You are allowing TCP connections on the FTP control port (port 21) for
commands and three-digit response codes in your filtering rules below but
not allowing non-established ftp-data traffic (from server port 20) in.
You probably want the rule:
permit tcp 0.0.0.0 255.255.255.255 a.b.0.0 0.0.255.255 eq 20
Note that you will have given up some degree of security for transparency.
- Morrow
Choi su-hyung <alloha@goldstar.co.kr> wrote:
>Dear.
>I'd like to get your help.
>I have a problem in setting screen router.
>----------------------------------------------------------------------
>rule 1 : outgoing is all permitted.
>rule 2 : ftp,mail,ns,icmp are permitted but the others aren't.
>
>So, I made the ruleset as follows (our network is B-class a.b.xxx.xxx).
>
>Extended IP access list 195
> permit tcp 0.0.0.0 255.255.255.255 a.b.0.0 0.0.255.255 established
> permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
> permit tcp 0.0.0.0 255.255.255.255 a.b.0.0 0.0.255.255 eq 21
> permit tcp 0.0.0.0 255.255.255.255 a.b.0.0 0.0.255.255 eq 25
> permit tcp 0.0.0.0 255.255.255.255 a.b.0.0 0.0.255.255 eq 53
> permit udp 0.0.0.0 255.255.255.255 a.b.0.0 0.0.255.255 eq 53
> permit tcp a.b.0.0 0.0.255.255 0.0.0.0 255.255.255.255
> permit udp a.b.0.0 0.0.255.255 0.0.0.0 255.255.255.255
>
>On serial port 1/1
> ip access-group 195 in
> ip access-group 195 out
>
>Problem: I did ftp from a.b.xxx.xxx to outside. Except for the following, all are OK.
> But I received an error message.
>
> ftp> dir
> 200 PORT command successful.
> 425 Can't build data connection: Connection timed out.
>
> This message vanishes when I set "no ip access-group 195 in".
> I don't know how to solve it.
>
>If you know what is wrong, please let me know...
>I will wait for any answer.
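Morrow's explanation, modelled as an added example that is not from either poster: a small simulator of access list 195 applied inbound, run over the packets of an active-mode and a passive-mode FTP session. It assumes Cisco extended-ACL semantics (permit entries, implicit deny at the end, `established` matching segments with the ACK bit set), models the reply's extra entry as matching the server's source port 20, and uses constructed placeholder addresses.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
INSIDE = ipaddress.ip_network("10.1.0.0/16")  # constructed stand-in for a.b.0.0 0.0.255.255

@dataclass
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # ACK bit; clear only on the opening SYN (IOS 'established' also takes RST, omitted here)

def rule(proto, src, sport, dst, dport, established=False):
    """One 'permit' entry; a port of None means no 'eq' operator (any port)."""
    return (proto, src, sport, dst, dport, established)

def matches(entry, p):
    proto, src, sport, dst, dport, est = entry
    return (proto == p.proto
            and ipaddress.ip_address(p.src) in src
            and ipaddress.ip_address(p.dst) in dst
            and sport in (None, p.sport)
            and dport in (None, p.dport)
            and (p.ack or not est))

def permitted(acl, p):
    """Every entry in list 195 is a permit, so any match permits; no match is the implicit deny."""
    return any(matches(entry, p) for entry in acl)

# Access list 195 from the question, as applied inbound on the serial interface.
ACL_195 = [
    rule("tcp", ANY, None, INSIDE, None, established=True),
    rule("icmp", ANY, None, ANY, None),
    rule("tcp", ANY, None, INSIDE, 21),
    rule("tcp", ANY, None, INSIDE, 25),
    rule("tcp", ANY, None, INSIDE, 53),
    rule("udp", ANY, None, INSIDE, 53),
    rule("tcp", INSIDE, None, ANY, None),
    rule("udp", INSIDE, None, ANY, None),
]
# The reply's extra entry: outside hosts may open connections from the ftp-data port (source port 20).
ACL_195_FIXED = ACL_195 + [rule("tcp", ANY, 20, INSIDE, None)]

CLIENT, SERVER = "10.1.2.3", "203.0.113.7"  # constructed addresses
CONTROL_SYNACK = Pkt("tcp", SERVER, 21, CLIENT, 40001, ack=True)  # reply to the client's connect
ACTIVE_DATA_SYN = Pkt("tcp", SERVER, 20, CLIENT, 40002)  # server opens the data channel: dropped by 195
PASSIVE_DATA_SYNACK = Pkt("tcp", SERVER, 51234, CLIENT, 40003, ack=True)  # client opened it: passes
```

Under the original list the active-mode SYN from server port 20 matches nothing and is dropped, which is the 425 in the question, while the passive-mode session passes on `established` alone. The fixed list also admits any outside connection sourced from port 20 to any inside port, which is the security trade the reply mentions.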