Filtering Multiport Applications

Problem

You want to filter an application that uses more than one TCP or UDP port.

Solution

This example shows how to filter both FTP control and data sessions:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#access-list 152 permit tcp any any eq ftp
Router1(config)#access-list 152 permit tcp any any eq ftp-data established
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip access-group 152 in 
Router1(config-if)#exit
Router1(config)#end
Router1#

Discussion

Some protocols use multiple ports. A classic example is FTP, which is the protocol the solution above filters. It is worthwhile reviewing how the FTP protocol works. For more details, please consult RFC 959.

When a client device wants to connect to a server to either upload or download files, it makes a TCP connection on port 21. This port 21 connection carries all of the interactive user traffic, such as usernames and passwords, as well as commands to move around to different directories. It also uses this control session to tell the server what port number it wants to use for transferring data. This will typically be a high-numbered temporary TCP port.
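To make the two entries of access-list 152 concrete, here is an added example (not from the Cisco IOS Cookbook) that models how the router evaluates the list against inbound packets on the client-facing interface; the addresses, the Packet class and the sample packets are constructed for illustration.

```python
# Added example (not from the Cisco IOS Cookbook): a small model of how IOS
# evaluates access-list 152 from the recipe, to show what "established" matches.
# The Packet class, addresses and sample packets below are constructed test data.
from dataclasses import dataclass, field

FTP, FTP_DATA = 21, 20  # the IOS port keywords "ftp" and "ftp-data"


@dataclass
class Packet:
    src: str
    dst: str
    dport: int                                # destination TCP port
    flags: set = field(default_factory=set)   # TCP flag names, e.g. {"SYN", "ACK"}


def established(pkt):
    # IOS "established" matches any TCP segment with ACK or RST set, i.e. every
    # segment except the bare SYN that opens a new connection.
    return bool(pkt.flags & {"ACK", "RST"})


# access-list 152 in the order the router evaluates it: (entry text, match function)
ACL_152 = [
    ("permit tcp any any eq ftp", lambda p: p.dport == FTP),
    ("permit tcp any any eq ftp-data established",
     lambda p: p.dport == FTP_DATA and established(p)),
]


def evaluate(pkt, acl=ACL_152):
    """Return the first matching entry, or the implicit deny at the end of every IOS ACL."""
    for entry, match in acl:
        if match(pkt):
            return entry
    return "deny (implicit)"


def decisions():
    # Inbound traffic on FastEthernet0/0 (client side), as the recipe applies the list.
    pkts = {
        "client opens control session":      Packet("10.1.1.5", "192.0.2.10", FTP, {"SYN"}),
        "client answers server's data SYN":  Packet("10.1.1.5", "192.0.2.10", FTP_DATA, {"SYN", "ACK"}),
        "client acknowledges data segment":  Packet("10.1.1.5", "192.0.2.10", FTP_DATA, {"ACK"}),
        "new connection aimed at port 20":   Packet("10.1.1.5", "192.0.2.10", FTP_DATA, {"SYN"}),
        "unrelated HTTP":                    Packet("10.1.1.5", "192.0.2.10", 80, {"SYN"}),
    }
    return {name: evaluate(p) for name, p in pkts.items()}


if __name__ == "__main__":
    for name, result in decisions().items():
        print(f"{name:36s} -> {result}")
```

The server's own connection attempts from port 20 travel outbound and are not checked by an inbound list; only the client's replies to them, which carry ACK, need the second entry.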

When the user then wants to transfer a file, he traditionally types a put or get command on the server. We say traditionally because this is not quite how things work when your FTP client software is driven through a web browser, as we discuss in Recipe 19.12.

The server then makes a new TCP connection ...
