FTP on a nonstandard port?

Unanswered Question
Dec 17th, 2007

PIX firmware 7.2.1, trying to run FTP on a nonstandard port (8021); it appears that the inspection engine is causing issues. I have deleted my default inspection policy and created a new one for FTP on port 8021. I can connect but never get the data channels to open. Am I missing something with creating a new inspection policy? It does not work in either active or passive mode, and I do have the data channel port open, but never see a hit on that...


elparis Mon, 12/17/2007 - 07:36

Could you share the new inspection policy for FTP on port 8021 and the relevant parts of the configuration, i.e. the following:

show run access-group

show run access-list

show service-policy

as well as where is the FTP server in relation to your ASA, i.e. on the inside or on the outside?
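For readers who hit the same issue, this is what an FTP inspection policy for a nonstandard port looks like in ASA/PIX 7.x syntax. It is an added example, not the original poster's configuration or anything from Cisco's documentation; the class-map name, the policy-map name and the port are assumptions for illustration.

```cisco
! Added example (not the poster's configuration): FTP inspection on TCP/8021
! on ASA/PIX 7.x. The names "ftp-8021" and "global_policy" are assumptions.
class-map ftp-8021
 match port tcp eq 8021
!
policy-map global_policy
 ! keep the default inspections for the standard ports
 class inspection_default
  inspect ftp
 ! add FTP inspection for the nonstandard control port
 class ftp-8021
  inspect ftp
!
service-policy global_policy global
```

With `inspect ftp` bound to the control port, the firewall parses the PORT/PASV exchange and opens the data connection dynamically, so a separate ACL entry for the data port is not what makes it work; the fact that the explicit data-port ACL never gets a hit is consistent with the data channel never being negotiated at all. `show service-policy inspect ftp` shows whether the inspection is actually being applied to the 8021 class and counting packets.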

fdarwazeh Wed, 01/02/2008 - 07:12

I have the same problem with the NATting FTP server using the nonstandard port 990. It connects to the FTP client using the global addresses but never opens the data channels, because it uses the local address. Even when we tried to permit the local IP addresses, the router keeps denying them. What is the proper configuration for this? ...

fdarwazeh Fri, 01/04/2008 - 10:25

Thank you for asking. I did not try to use fixup, but I found the problem when using FTP over SSL with ports 990 and 989: that encrypts the control connection in the packet, so when using NAT with FTPS (FTP over SSL) the router will never read the global IP address, because it is encrypted. We tested the FTP server without NAT and it successfully connected to the NATted FTP clients with no issues, but when we put NAT in, the connections drop. Now we need to configure the FTP server to use the global IP address instead of the private address in the payload of the packets. Do you have an idea how to achieve this?
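The point fdarwazeh is making is worth seeing concretely: the FTP fixup works by reading the address inside the PASV reply or PORT command, rewriting it to the NAT global address, and opening a pinhole for the data connection; once the control channel is TLS-encrypted (FTPS on 990/989), the firewall sees only ciphertext and can do neither. The following Python simulation is an added example, not code from this thread or from any Cisco product; the addresses (10.1.1.20 inside, 203.0.113.20 as the global address), the sample exchange and the "ciphertext" placeholders are all constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample addresses (assumptions for this example, not from the thread).
PRIVATE_SERVER_IP = "10.1.1.20"
GLOBAL_SERVER_IP = "203.0.113.20"   # RFC 5737 documentation range

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply from the server,
# "PORT h1,h2,h3,h4,p1,p2" command from the client.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def parse_hostport(groups) -> Tuple[str, int]:
    """Decode the six comma-separated numbers into (ip, port)."""
    a, b, c, d, p1, p2 = (int(g) for g in groups)
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def format_hostport(ip: str, port: int) -> str:
    """Encode (ip, port) back into the h1,h2,h3,h4,p1,p2 form."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def fixup_control_line(line: str, private_ip: str, global_ip: str
                       ) -> Tuple[str, Optional[Tuple[str, int]]]:
    """Simulates what FTP inspection does on ONE cleartext control-channel line:
    locate the advertised address, rewrite the inside address to the global
    address, and report the data-channel endpoint that needs a pinhole.
    Returns (possibly rewritten line, pinhole or None)."""
    m = PASV_RE.search(line) or PORT_RE.match(line)
    if not m:
        return line, None
    ip, port = parse_hostport(m.groups())
    if ip == private_ip:
        rewritten = line.replace(format_hostport(ip, port),
                                 format_hostport(global_ip, port))
        return rewritten, (global_ip, port)
    return line, (ip, port)


def inspect_control_channel(lines: List[str], private_ip: str, global_ip: str,
                            encrypted: bool = False
                            ) -> Tuple[List[str], List[Tuple[str, int]]]:
    """Run the fixup over a whole control-channel exchange.
    With FTPS the channel is TLS-encrypted: the inspector sees opaque bytes,
    so it can neither rewrite the address nor open a data-channel pinhole."""
    out, pinholes = [], []
    for line in lines:
        if encrypted:
            out.append(line)          # ciphertext: nothing to parse or rewrite
            continue
        new_line, pinhole = fixup_control_line(line, private_ip, global_ip)
        out.append(new_line)
        if pinhole:
            pinholes.append(pinhole)
    return out, pinholes


# Constructed cleartext exchange: the inside server advertises its private
# address and port 50000 (195*256 + 80) in the PASV reply.
SAMPLE_CLEARTEXT = [
    "220 FTP server ready",
    "PASV",
    "227 Entering Passive Mode (10,1,1,20,195,80)",
]

# Constructed FTPS exchange as the firewall sees it after the TLS handshake:
# the same dialogue, but every record is opaque ciphertext.
SAMPLE_ENCRYPTED = [
    "<TLS application data, 23 bytes>",
    "<TLS application data, 6 bytes>",
    "<TLS application data, 51 bytes>",
]

if __name__ == "__main__":
    text, holes = inspect_control_channel(SAMPLE_CLEARTEXT, PRIVATE_SERVER_IP, GLOBAL_SERVER_IP)
    print("cleartext:", text[2], "-> pinholes", holes)
    text, holes = inspect_control_channel(SAMPLE_ENCRYPTED, PRIVATE_SERVER_IP, GLOBAL_SERVER_IP, encrypted=True)
    print("ftps:     ", text[2], "-> pinholes", holes)
```

In the cleartext run the PASV reply leaves the firewall as `227 Entering Passive Mode (203,0,113,20,195,80)` and a pinhole for 203.0.113.20:50000 is created; in the FTPS run nothing is rewritten and no pinhole exists, which is exactly the "control connection works, data channel never opens" symptom. Without the fixup, the only remaining options are the ones discussed in this thread: have the server advertise the global address itself and open the passive port range statically, or do not NAT the server.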

Rick Morris Fri, 01/04/2008 - 10:29

I think I need some help understanding what you are doing.

host --- vpn --- host

Can you give me a general overview of the topology you are in so I can understand the set-up a little better?

fdarwazeh Fri, 01/04/2008 - 11:01

I don't have a VPN tunnel.

That is my topology, and because FTP over SSL encrypts the packets, the site does not want to use a VPN.

Rick Morris Fri, 01/04/2008 - 11:14

Wow, sorry I missed that there.

I think I understand correctly now.

When you send traffic from the FTP client it hits the router and is overloaded, the traffic goes through the network to the router at the server side and will see it from the overload(global) IP.

Question, how is the NAT set-up?

Can you provide that set-up?

I am not sure how to set this up the way you want, so that the client will see traffic from a different IP other than the global. Does the remote end have an ACL set up? If they do, then I would have them open the ACL for the network you are coming from rather than the NAT host.

For example:

static access-list FTP-Server

access-list FTP-Server permit tcp host any eq

So communication back from the client will use the public, but traffic from the server will use the global. The only way for the distant end to allow traffic is to have the acl set-up with the global in it.

I think... maybe... I hope!
