FTP port 21 open on Cisco routers

Unanswered Question
Mar 20th, 2009


I have the following issue on a Cisco 7201 Internet-facing router:

TCP port 21 is open all the time and nothing stops it from staying open. There is no service started which keeps this port open, there is also an inbound ACL, assigned on the outside interface, which filters everything except SSH from particular outside addresses... TCP port 21 stays open no matter what I do; no matter if I explicitly deny all traffic to this port, Nmap finds it open. Furthermore I tried to open a raw session to this port and according to Wireshark the three-way handshake passed perfectly well, then I was able to send strings which the router successfully indicated as received with the ACK bit, etc.

show tcp brief does not show this activity, there is no process related to FTP which is started, there is an ACL which explicitly denies any traffic from any source to TCP port 21... nothing helps. It stays open all the time.

One more thing... the exact same behaviour is observed on a Cisco 2811 Internet-facing router. Nothing helps here either.

I find this a disturbing issue, please help me with some ideas.

Thanks in advance!



cisco24x7 Fri, 03/20/2009 - 12:26

On the Internet-facing router, do this:

access-list 199 deny tcp any host Internet_IP eq 21 log
access-list 199 deny tcp any any eq 21 log
access-list 199 permit ip any any log
!
! assuming that F0/0 is your Internet-facing interface:
interface F0/0
 ip access-group 199 in

Now use nmap or nessus to scan the system again and see if it says port 21 is open. I will bet it will NOT be listening, something like this:

[[email protected]-lab2 tmp]# nmap -sS
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (
(The 1596 ports scanned but not shown below are in state: closed)
Port     State     Service
21/tcp   filtered  ftp
22/tcp   open      ssh
23/tcp   open      telnet
80/tcp   open      http
443/tcp  open      https
Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
[[email protected]-lab2 tmp]#

tcpdump will show something like this:

[[email protected]-lab2 root]# tcpdump -nnni eth0 host and not net 224.0.0
tcpdump: listening on eth0
14:20:55.020743 > S 3643020768:3643020768(0) win 5840 (DF)
14:20:55.022747 > icmp: host unreachable - admin prohibited filter

Makes sense, right?

kmilev Mon, 03/23/2009 - 02:43


Thank you for the response! Actually, before posting here, I had already taken care of the ACL and had denied the FTP traffic to check whether it would work... It didn't.

By the way, after some additional investigation, I found that the problem is not on the router I've configured - it is on the upstream provider whose PA IP address space my router (and the network behind it) is using. I mentioned another router (Cisco 2811) which experiences the same problem - the case here is the same, the provider is the same, and obviously he has configured some kind of erroneous forwarding to TCP port 21. For example, when trying to reach the FTP port on any nonexistent (still unassigned) IP located behind the provider's network, it opens an FTP session every time...

I'm definitely considering changing the provider! I'm trying to avoid thinking about what other problems and misconfigurations he could have introduced in his "network" :-(

Anyway, thank you once again for the answer, I appreciate this!
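The two posts above describe two checks worth automating: reading a SYN scan's replies the way nmap reports them (SYN/ACK = open, RST = closed, ICMP admin-prohibited or silence = filtered, as in cisco24x7's nmap and tcpdump output), and spotting the case kmilev ran into, where an "open" port is actually being answered by something upstream rather than by the router. The script below is an added example written for this page, not code from the thread or from Cisco. Its input is constructed sample data, not a capture: it assumes the router's own services answer with IOS defaults (initial TTL 255, TCP window 4128) and that the provider's TCP/21 redirect answers from a Linux-style stack closer to the scanner (initial TTL 64, window 5840). An open port whose hop distance and window do not match the host's other open ports is flagged as answered from elsewhere.

```python
"""Classify TCP SYN-probe replies as nmap -sS does, and flag open ports whose
SYN/ACK fingerprint (hop distance, TCP window) differs from the rest of the host.
Added example; all replies below are constructed sample data, not captures."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProbeReply:
    """What came back for a SYN sent to `port`.

    kind: "synack", "rst", "icmp" (type/code given) or "none" (timed out).
    ttl/window: taken from the SYN/ACK, used for fingerprinting.
    """
    port: int
    kind: str
    ttl: Optional[int] = None
    window: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


# ICMP destination-unreachable codes nmap reports as "filtered":
# 1 host, 2 protocol, 3 port, 9/10 admin prohibited, 13 admin prohibited filter.
FILTERED_UNREACHABLE = {(3, 1), (3, 2), (3, 3), (3, 9), (3, 10), (3, 13)}


def classify(reply: ProbeReply) -> str:
    """Map one reply to nmap's SYN-scan port state."""
    if reply.kind == "synack":
        return "open"
    if reply.kind == "rst":
        return "closed"
    if reply.kind == "none":
        return "filtered"
    if reply.kind == "icmp" and (reply.icmp_type, reply.icmp_code) in FILTERED_UNREACHABLE:
        return "filtered"
    return "unknown"


def hop_distance(ttl: int) -> int:
    """Estimate hops travelled from the received TTL, assuming the sender used
    the nearest common initial TTL (32, 64, 128 or 255) at or above it."""
    for initial in (32, 64, 128, 255):
        if ttl <= initial:
            return initial - ttl
    raise ValueError(f"TTL out of range: {ttl}")


def fingerprint(reply: ProbeReply):
    """(hop distance, TCP window) of a SYN/ACK: cheap stack/location fingerprint."""
    return (hop_distance(reply.ttl), reply.window)


def intercepted_ports(replies) -> list:
    """Open ports whose SYN/ACK fingerprint differs from the most common one
    among the host's open ports.  Needs at least two open ports to compare."""
    opens = [r for r in replies if r.kind == "synack"]
    if len(opens) < 2:
        return []
    baseline, _ = Counter(fingerprint(r) for r in opens).most_common(1)[0]
    return sorted(r.port for r in opens if fingerprint(r) != baseline)


def report(replies) -> dict:
    """Per-port nmap-style states plus the ports answered from elsewhere."""
    return {
        "states": {r.port: classify(r) for r in replies},
        "intercepted": intercepted_ports(replies),
    }


# Constructed sample (assumption): the router's own services answer from 5 hops
# away with IOS defaults (TTL 255-5, window 4128); the "FTP" SYN/ACK comes from
# 3 hops away with a Linux-style window of 5840, i.e. the provider's redirect.
SAMPLE_REPLIES = [
    ProbeReply(21, "synack", ttl=61, window=5840),
    ProbeReply(22, "synack", ttl=250, window=4128),
    ProbeReply(23, "synack", ttl=250, window=4128),
    ProbeReply(80, "synack", ttl=250, window=4128),
    ProbeReply(443, "synack", ttl=250, window=4128),
    ProbeReply(25, "rst"),
    ProbeReply(8080, "none"),
]

# Constructed sample: a host where the deny ACL is effective and port 21 is
# answered with ICMP type 3 code 13, as in the tcpdump in the answer above.
SAMPLE_AFTER_ACL = [
    ProbeReply(21, "icmp", icmp_type=3, icmp_code=13),
    ProbeReply(22, "synack", ttl=250, window=4128),
]

if __name__ == "__main__":
    for name, sample in (("intercepted", SAMPLE_REPLIES), ("after ACL", SAMPLE_AFTER_ACL)):
        result = report(sample)
        print(name, result["states"])
        if result["intercepted"]:
            print("  answered from a different hop/stack than the router:", result["intercepted"])
```

Treat the hop-distance check as a hint, not proof: a middlebox one hop in front of the router with the same initial TTL would not stand out, so compare the window and TCP options as well. The decisive test is the one kmilev did, probing TCP/21 on an address in the provider's block that is not assigned to any device; if the handshake still completes, nothing on your router is involved.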



