Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ftp on alternate port

I can't get through the firewall on port 5052. I'm using firezilla and it says that it does not recognize an unroutable address. it works over the vpn so it's something to do with the asa.

6 REPLIES
Cisco Employee

Re: ftp on alternate port

Do you have firewall rules opened for this port?

Regards,

jerry

New Member

Re: ftp on alternate port

Yes. A static and an access list.

Cisco Employee

Re: ftp on alternate port

Assuming static means static NAT. With limited information, I can only suggest two things.

1) Make sure all routing is correct when access through the firewall. Verify it with ping and traceroute

2) Remove FTP inspection (fixup) and re-test

Regards,

jerry

New Member

Re: ftp on alternate port

This is all I have right now. I tried removing inspect with no luck.

access-list incoming extended permit tcp any host 68.216.158.101 eq 5052
static (inside,outside) tcp 68.216.158.101 5052 192.168.1.171 5052 netmask 255.255.255.255

Cisco Employee

Re: ftp on alternate port

Have you check your routing? (Not VPN)

You can also try to put a deny ip any any log at the end of the incoming ACL and send all the log to a syslog server to inspect what else is being blocked.

Regards,

jerry

Cisco Employee

Re: ftp on alternate port

Hello,

If you wish to pass FTP traffic through your Firewall on NON STANDARD ports, then in order to make it work, please add the following MPF (modular Policy Framework) :-

Lets assume you have FTP server (1.1.1.1) on outside of your ASA , and you have clients in inside which needs to access the server. First of all, remove inspect ftp from global_policy and the proceed as follows for non std FTP inspection.

access-list FTP extended permit tcp any host 1.1.1.1 range 20 21

access-list FTP extended permit tcp  host 1.1.1.1 any range 20 21

class-map class_ftp

match access-list FTP

!

Policy-map global_policy

class class_ftp

inspect ftp

!

service-policy global_policy global

HTH

Vijaya

330
Views
0
Helpful
6
Replies
CreatePlease login to create content