I have the following issue on a Cisco 7201 Internet-facing router:
TCP port 21 is open all the time and nothing stops it from staying open. There is no service started which keeps this port open, and there is also an inbound ACL assigned on the outside interface, which filters everything except SSH from particular outside addresses... TCP port 21 stays open no matter what I do; even if I explicitly deny all traffic to this port, Nmap finds it open. Furthermore, I tried to open a raw session to this port and according to Wireshark the three-way handshake passed perfectly well; then I was able to send strings which the router successfully indicated as received with the ACK bit, etc.
show tcp brief does not show this activity, there is no process related to FTP which is started, there is an ACL which explicitly denies any traffic from any source to TCP port 21... nothing helps. It stays open all the time.
One more thing... the exact same behaviour is observed on a Cisco 2811 Internet-facing router. Nothing helps here either.
I find this a disturbing issue, please help me with some ideas.
Thanks in advance!