Cisco Support Community

New Member

FTP on a different port

Folks,

I have an FTP server behind my firewall. I want to use a different port for security reasons. If I understand FTP correctly, the client, when in active mode, tells the FTP server what port it is listening on for data transfer. Many FTP programs use port 21 for setup and 20 for data transfer. If I want to use port 40 for setup and 41 for data transfer, what ports do I need to open on my firewall? Also, how would I specify the ports on an FTP client? Do FTP clients let you decide which ports to use for setup and data transfer? Any recommendations?

Thanks

5 REPLIES
New Member

Re: FTP on a different port

On the PIX you'll need to configure access for the client coming in:

access-list inbound permit tcp host clientip host serverip eq 40

access-group inbound in interface outside

You'll need to configure fixup protocol:

fixup protocol ftp 40

New Member

Re: FTP on a different port

thanks!

Please correct me if I am wrong.

When a user FTPs from a command prompt on his PC, his PC is using active FTP. That means that the client connects at port 21 and tells the FTP server that it is expecting a connection at port 20 for data transfer.

If I connect to an FTP server behind a firewall at a port other than 21, would the client still tell the server to connect at port 20, even though it is connecting to the server at a port other than 21?

How would the firewall behave if the FTP server is behind the firewall and the client is connecting over the internet?

Silver

Re: FTP on a different port

Active FTP means that the server will initiate a connection back to the client for data transfers on the port requested by the client. The connection will be SOURCED from port 20 destined to the client's requested port.

Changing FTP ports can be very problematic. Although your PIX firewall can dynamically figure it out using fixup, the client may not have such a functional firewall. Some clients have issues connecting to the data port, especially in active mode, where the remote client's firewall has to let the traffic back in. How will the remote firewall know that this new connection is part of an FTP session if it started on a port other than 21? Passive mode works best in these situations.

-S

New Member

Re: FTP on a different port

Many thanks for your response. Could you please elaborate on passive mode? I am sitting on a PC connected to the internet and want to FTP to a server that is behind a firewall. The FTP server is configured to use port 40 and port 21 for FTP setup.

What should I do on the PIX so that I can initiate FTP connections to the FTP server at port 40?

Thanks

Silver

Re: FTP on a different port

Here's a good link that explains exactly how passive vs active works:

http://slacksite.com/other/ftp.html

If you're connecting in passive mode and the PIX in question is on your side, you shouldn't need to do anything else, assuming you haven't configured your PIX to block the outbound ports in question.

In passive mode, both connections are initiated by the client to the server. These will be outbound sessions through your PIX, so they will be allowed by default.

If you're using passive and it's not working, the remote firewall or server is probably the problem.
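The active and passive exchanges discussed in this thread, modelled in Python as an added example that is not part of the original thread and is not Cisco or any poster's code. It shows which of the two TCP connections arrives as a new inbound session at the server-side firewall versus the client-side firewall, how the data port travels inside the control channel (PORT argument and 227 reply, the RFC 959 h1,h2,h3,h4,p1,p2 encoding), and the pinhole a stateful FTP inspector such as PIX fixup derives from that line. The active-mode data connection is sourced from control_port-1, the RFC 959 default (20 when control is 21), as the third reply states. The addresses, the control port 40 and the ephemeral/passive ports are constructed for the example.

```python
"""Model of the TCP connections an FTP session opens in active vs passive
mode, the PORT/227 encodings that carry the data-port announcement, and the
pinhole a stateful FTP inspector derives from them.

Added illustration for this thread, not Cisco or poster code. Addresses and
ports below are constructed for the example."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One TCP connection: who opens it, and its 4-tuple. src_port 0 = any."""
    initiator: str  # "client" or "server"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def encode_port_arg(ip: str, port: int) -> str:
    """Build the PORT argument (RFC 959): h1,h2,h3,h4,p1,p2, port = p1*256+p2."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


_SIX = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def decode_six(text: str):
    """Parse the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 reply."""
    m = _SIX.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 address in %r" % text)
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        raise ValueError("octet out of range in %r" % text)
    return ".".join(map(str, n[:4])), (n[4] << 8) | n[5]


def session_connections(mode, client_ip, server_ip, control_port=21,
                        client_eph=40000, pasv_port=50000):
    """Connections one transfer needs. Active: the server connects back from
    control_port-1 (20 when control is 21) to the port the client announced
    with PORT. Passive: the client opens both, the second to the port the
    server announced in its 227 reply."""
    control = Conn("client", client_ip, client_eph, server_ip, control_port)
    if mode == "active":
        data = Conn("server", server_ip, control_port - 1, client_ip, client_eph + 1)
    elif mode == "passive":
        data = Conn("client", client_ip, client_eph + 1, server_ip, pasv_port)
    else:
        raise ValueError("mode must be 'active' or 'passive'")
    return [control, data]


def inbound_at(protected_ip, conns):
    """New sessions arriving at the firewall in front of protected_ip: the
    ones an access-list entry or an inspection pinhole must permit."""
    return [c for c in conns if c.dst_ip == protected_ip]


def pix_acl_line(conn, name="inbound"):
    """Static PIX access-list line for an inbound connection (the form used in
    the first reply above). Only usable when the destination port is fixed."""
    return "access-list %s permit tcp host %s host %s eq %d" % (
        name, conn.src_ip, conn.dst_ip, conn.dst_port)


def pinhole_from_control_line(line, client_ip, server_ip, control_port):
    """What an FTP inspection engine (PIX 'fixup protocol ftp <port>') learns
    from one control-channel line: the data connection to pre-permit. Returns
    None for lines that announce nothing."""
    if line.upper().startswith("PORT "):
        ip, port = decode_six(line)
        return Conn("server", server_ip, control_port - 1, ip, port)
    if line.startswith("227 "):
        ip, port = decode_six(line)
        return Conn("client", client_ip, 0, ip, port)
    return None


if __name__ == "__main__":
    client, server, ctl = "192.0.2.10", "198.51.100.5", 40  # constructed
    for mode in ("active", "passive"):
        conns = session_connections(mode, client, server, control_port=ctl)
        print(mode, "-- inbound at server firewall:")
        for c in inbound_at(server, conns):
            print("  ", pix_acl_line(c))
        print(mode, "-- inbound at client firewall:", inbound_at(client, conns))
    print(pinhole_from_control_line("PORT " + encode_port_arg(client, 40001),
                                    client, server, ctl))
    print(pinhole_from_control_line("227 Entering Passive Mode (198,51,100,5,195,80)",
                                    client, server, ctl))
```

Running it with control port 40 shows the point of the thread: in active mode the only inbound session at the server's firewall is the control connection to port 40 (the static access-list line in the first reply), while the data connection has to be let in at the client's side; in passive mode both sessions arrive at the server's firewall, and the second one lands on a port that is only known once the 227 reply has been seen on the control channel, which is what the fixup on port 40 is for.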
