Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

FTP on a nonstandard port?

Pix firmware 7.2.1, trying to run ftp on a nonstandard port(8021), appears that the inspection engine is causing issues. I have delted my default inspection policy, created a new one for ftp on port 8021, i can connect but never get the data channels to open, am I mising something with creating a new inpection policy? It does not work in either active or passive mode, and I do have the data channel port open, but never see a hit on that...

Thanks,

7 REPLIES
Cisco Employee

Re: FTP on a nonstandard port?

Could you share the new inspection policy for FTP on port 8021 and the relevant parts of the configuration, i.e. the following:

show run access-group

show run access-list

show service-policy

as well as where is the FTP server in relation to your ASA, i.e. on the inside or on the outside?

New Member

Re: FTP on a nonstandard port?

I Have the same problem with the NAtting FTP server using non standerd port 990 and it connects to the FTP client using the global addresses but never open the data channels b/c it use the local address even we tried to permit for the local IP addresses but the router keep denied them, what is the proper configuration for this? ...

Silver

Re: FTP on a nonstandard port?

have you tried to set-up the fix-up protocol?

New Member

Re: FTP on a nonstandard port?

thank you for asking, I did not try to use fixup but I found the problem when using FTP over SSL with ports 990 and 989, that will encrypt the control connection in the packet then when using NAT with FTPS (FTP over SSL) then the router will never read the global IP address because it encrypted , which we test the FTP server without nating and it has sccessfully connected to the natted FTP clients with no issues but when we put nat then the connections drop , now we need to cnfigure the ftp server to use the global ip address instead the private address in the payload of the packets, do you have an idea to achieve this?

Silver

Re: FTP on a nonstandard port?

I think I need some help understanding what you are doing.

host --- vpn --- host

Can you give me a general overview of the topology you are in so I can understand the set-up a little better?

New Member

Re: FTP on a nonstandard port?

I don't have VPN tunnel

FTPserver--router1811--MPLS--router--FTPclient

that is my topology and because the ftp over ssl is encrypt the packets so the site does not want to use VPN.

Silver

Re: FTP on a nonstandard port?

wow, sorry I missed that there.

right.

I think I understand correctly now.

When you send traffic from the FTP client it hits the router and is overloaded, the traffic goes through the network to the router at the server side and will see it from the overload(global) IP.

Question, how is the NAT set-up?

Can you provide that set-up?

I am not sure how to set this up the way you want so the client will see traffic from a different IP other than the global? The remote end do they have an ACL set-up? If they do then I would have them open the ACL for the network you are coming from rather than the NAT host.

For example:

static 63.163.18.234 255.255.255.0 access-list FTP-Server

access-list FTP-Server permit tcp host 10.1.1.1 any eq

So communication back from the client will use the public, but traffic from the server will use the global. The only way for the distant end to allow traffic is to have the acl set-up with the global in it.

i think...maybe...i hope!

356
Views
0
Helpful
7
Replies
CreatePlease to create content