Dealing with Passive Mode FTP


Problem

You want to construct an ACL that can identify passive mode FTP sessions.

Solution

This example shows how to filter Passive FTP control and data sessions:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 144 permit tcp any gt 1023 any eq ftp
Router1(config)#access-list 144 permit tcp any gt 1023 any gt 1023
Router1(config)#access-list 144 deny ip any any
Router1(config)#interface Serial0/0.1
Router1(config-subif)#ip access-group 144 in



Discussion

In Recipe 19.6, we briefly reviewed the traditional way that FTP works. However, there is a subtle variation on this process, commonly called Passive FTP. The user connects to the server on port 21, exactly as before. But in the Passive FTP case, the client software issues the PASV command, which instructs the server to choose a new, non-default data port, listen on it, and report that port number back to the client. The client then initiates a new TCP connection to this temporary port and uses that connection to transfer its data.

This may sound like an unusual way of doing things, and it probably is. However, it is actually the default mode for many web browsers, including Internet Explorer and Netscape, when they perform FTP file transfers. This makes passive FTP the most common FTP mode on many networks. The problem is that if you want to control this traffic with an ACL of any kind, you no longer know either the source or the destination TCP port number in advance. For example, if you need to restrict some traffic but ensure that passive FTP is still allowed, you need an ACL that can somehow permit the temporary port numbers. In Chapter 27, we will demonstrate a filtering method in which the router uses CBAC to learn the new port by watching the FTP control session.

This example takes a simpler approach and uses an extended ACL to deal with passive FTP. The trouble with this ACL is that it opens all TCP ports from 1024 upward. Clearly, this is not desirable on a router facing the Internet or some other unfriendly network. The root of the problem is that passive FTP can pick a different source and destination port each time a web browser connects to the server.

Although our example permits passive FTP to pass through, it opens up over 64,000 TCP ports in the process. Obviously, this is not the preferred method of permitting passive FTP. In Chapter 27, we discuss a much more secure method of allowing passive FTP through your router.
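The following Python model is an added example and is not code from the Cisco IOS Cookbook. It mirrors access-list 144 as a first-match list, parses a constructed `227 Entering Passive Mode` reply the way an FTP client does (port = p1*256 + p2, per RFC 959), and then shows both halves of the discussion above: the control and data flows of a passive session are permitted, but so is any unrelated connection between two ports above 1023. The address `192.0.2.10`, the client ports, and the data port are constructed values, not something the recipe specifies.

```python
import re
from dataclasses import dataclass

# Constructed model of access-list 144 from the recipe.  Each entry is
# (action, source-port qualifier, destination-port qualifier); the
# "any" source and destination addresses are implied.  A qualifier is
# ("gt", n) or ("eq", n), and None means any port (the "deny ip any any").
ACL_144 = [
    ("permit", ("gt", 1023), ("eq", 21)),    # control session to ftp (port 21)
    ("permit", ("gt", 1023), ("gt", 1023)),  # passive data: both ends ephemeral
    ("deny",   None,         None),          # deny ip any any
]


@dataclass(frozen=True)
class TcpFlow:
    src_port: int
    dst_port: int


def port_matches(spec, port):
    """Evaluate one ACL port qualifier ('eq'/'gt') against a port number."""
    if spec is None:
        return True
    op, value = spec
    if op == "eq":
        return port == value
    if op == "gt":
        return port > value
    raise ValueError(f"unsupported operator {op!r}")


def evaluate(acl, flow):
    """First-match evaluation, the way IOS walks an access list."""
    for action, src_spec, dst_spec in acl:
        if port_matches(src_spec, flow.src_port) and port_matches(dst_spec, flow.dst_port):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL


# RFC 959 passive reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_REPLY = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(line):
    """Return (server address, data port) announced in a 227 reply."""
    m = PASV_REPLY.search(line)
    if not m:
        raise ValueError("not a 227 Entering Passive Mode reply")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def classify_session(pasv_reply, client_control_port, client_data_port, acl=ACL_144):
    """ACL verdicts for the control flow and the passive data flow of one session."""
    _, server_data_port = parse_pasv_reply(pasv_reply)
    control = TcpFlow(src_port=client_control_port, dst_port=21)
    data = TcpFlow(src_port=client_data_port, dst_port=server_data_port)
    return {
        "server_data_port": server_data_port,
        "control": evaluate(acl, control),
        "data": evaluate(acl, data),
    }


def count_permitted_dst_ports(acl=ACL_144, src_port=40000):
    """How many destination ports the ACL lets an ephemeral source port reach."""
    return sum(1 for dst in range(1, 65536)
               if evaluate(acl, TcpFlow(src_port, dst)) == "permit")


if __name__ == "__main__":
    # Constructed reply: server 192.0.2.10 announces data port 195*256 + 80 = 50000.
    verdicts = classify_session("227 Entering Passive Mode (192,0,2,10,195,80)", 40001, 40002)
    print(verdicts)                                    # both flows permitted
    print(evaluate(ACL_144, TcpFlow(40000, 8080)))     # unrelated flow also permitted
    print(evaluate(ACL_144, TcpFlow(40000, 22)))       # denied: dst port not > 1023
    print(count_permitted_dst_ports())                 # port 21 plus 1024..65535
```

Running the model shows the trade-off the recipe describes: the passive session's data flow matches the second entry, but the same entry also permits any high-port-to-high-port connection (the 8080 case), and `count_permitted_dst_ports()` confirms that an ephemeral source port can reach 64,513 destination ports through this ACL, which is the "over 64,000 TCP ports" the discussion warns about.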

See Also

Recipe 19.6; Chapter 27

Source: Cisco IOS Cookbook (O'Reilly Cookbooks), ISBN 0596527225, Year: 2004, Pages: 505