Dealing with Passive Mode FTP
Problem
You want to construct an ACL that can identify passive mode FTP sessions.
Solution
This example shows how to filter Passive FTP control and data sessions:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 144 permit tcp any gt 1023 any eq ftp
Router1(config)#access-list 144 permit tcp any gt 1023 any gt 1023
Router1(config)#access-list 144 deny ip any any
Router1(config)#interface Serial0/0.1
Router1(config-subif)#ip access-group 144 in
Router1(config-subif)#exit
Router1(config)#end
Router1#
Discussion
In Recipe 19.6, we briefly reviewed the traditional way that FTP works. However, there is another subtle variation on this process, commonly called Passive FTP. The user connects to the server on port 21, exactly as before. But in the Passive FTP case, the client software issues the PASV command, which instructs the server to listen on a new, non-default data port and wait for a connection. The server selects a new port and tells the client which one it chose. The server then opens this port and waits for a connection. The client initiates a new TCP connection to this temporary port number and uses that connection to transfer its data.
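To see exactly which flows access-list 144 in the Solution admits, the following added example (not from the book) models the three entries and runs some constructed passive-FTP and non-FTP TCP flows through them with IOS's top-down, first-match semantics and the implicit deny at the end. The flow names, addresses and ports are constructed for illustration; because every entry uses "any" for both addresses, only protocol and ports take part in the match.

```python
"""Evaluate the recipe's access-list 144 against sample TCP/UDP flows.

Added illustration, not Cisco code. It emulates first-match evaluation of a
numbered extended ACL so the effect of each entry is visible.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

FTP_CONTROL = 21  # what "eq ftp" resolves to in IOS


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Ace:
    """One access-list entry. Addresses are omitted because the recipe
    uses 'any' for both source and destination on every line."""
    action: str                        # "permit" or "deny"
    proto: str                         # "tcp", "udp" or "ip" (ip matches all)
    src_port: Callable[[int], bool]    # port operator, e.g. gt 1023
    dst_port: Callable[[int], bool]


def gt(n: int) -> Callable[[int], bool]:
    return lambda p: p > n


def eq(n: int) -> Callable[[int], bool]:
    return lambda p: p == n


def any_port(_: int) -> bool:
    return True


# The three entries of access-list 144, in configured order.
ACL_144: List[Ace] = [
    Ace("permit", "tcp", gt(1023), eq(FTP_CONTROL)),  # control session
    Ace("permit", "tcp", gt(1023), gt(1023)),         # passive data session
    Ace("deny", "ip", any_port, any_port),            # explicit deny
]


def evaluate(acl: List[Ace], flow: Flow) -> Tuple[str, Optional[int]]:
    """Return (action, index of matching entry). Entries are tested top-down
    and the first match wins; if nothing matches, IOS's implicit deny applies
    and the index is None."""
    for i, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if not ace.src_port(flow.src_port):
            continue
        if not ace.dst_port(flow.dst_port):
            continue
        return ace.action, i
    return "deny", None


def classify_samples() -> Dict[str, Tuple[str, Optional[int]]]:
    """Constructed flows as the router would see them inbound on Serial0/0.1
    (client 10.0.0.5 behind the router is the destination of nothing here;
    the remote host 192.0.2.10 is the initiator in every sample)."""
    samples = {
        "ftp-control":      Flow("192.0.2.10", 40000, "10.0.0.5", 21),
        "ftp-passive-data": Flow("192.0.2.10", 40001, "10.0.0.5", 52000),
        "ssh":              Flow("192.0.2.10", 40002, "10.0.0.5", 22),
        "high-to-high-web": Flow("192.0.2.10", 40003, "10.0.0.5", 8080),
        "dns-udp":          Flow("192.0.2.10", 40004, "10.0.0.5", 53, "udp"),
    }
    return {name: evaluate(ACL_144, f) for name, f in samples.items()}


if __name__ == "__main__":
    for name, (action, idx) in classify_samples().items():
        where = f"entry {idx}" if idx is not None else "implicit deny"
        print(f"{name:18s} -> {action:6s} ({where})")
```

Running it shows the control session matched by the first entry and the passive data session by the second, but also that the second entry admits any TCP connection between two ports above 1023 (the "high-to-high-web" sample), not only FTP data channels; that breadth is the price of describing passive FTP with a static extended ACL, since the data port is chosen by the server per session.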
This may sound like an unusual way of doing things, and it probably is. However, this is actually the default mode for many web browsers, including Internet Explorer and Netscape when they do FTP file transfers. This makes passive FTP the most ...