Cisco Support Community

New Member

FTP port forwarding


I have an FTP application that needs to access my internal network, on port 2774. An external test application tells me the command port works fine but not the data ports, which could be any of 1000 different ports. Is there a way to do port forwarding on 1000 ports without individual entries? I thought that the fixup command on the command port may have removed the need, but it doesn't appear to be the case.

New Member

Re: FTP port forwarding

I am assuming you are using either PIX/FWSM. You need to change the default behaviour of the FTP inspection to make it work.

To change the default configuration for FTP inspection, perform the following steps:

Step 1 Name the traffic class by entering the following command in global configuration mode:

hostname(config)# class-map class_map_name

Replace class_map_name with the name of the traffic class, as in the following example:

hostname(config)# class-map ftp_port

When you enter the class-map command, the CLI enters the class map configuration mode, and the prompt changes, as in the following example:


Step 2 In the class map configuration mode, define the match command, as in the following example:

hostname(config-cmap)# match port tcp eq 23

hostname(config-cmap)# exit


To assign a range of continuous ports, enter the range keyword, as in the following example:

hostname(config-cmap)# match port tcp range 1023-1025

To assign more than one non-contiguous port for FTP inspection, enter the access-list command and define an access control entry to match each port. Then enter the match command to associate the access lists with the FTP traffic class.
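
Added example, not part of the original reply or of Cisco's documentation: the access-list variant described in the last paragraph, applied to the control port 2774 from the question. It assumes PIX/ASA 7.x or later with the default global_policy; the ACL name ftp_ctrl and the second port 2121 are constructed for illustration.

```cisco
! Added example. Assumes PIX/ASA 7.x or later with the default global_policy.
! ftp_ctrl is a hypothetical ACL name; 2121 is a constructed second port.
! One access control entry per non-contiguous FTP control port.
access-list ftp_ctrl extended permit tcp any any eq 2774
access-list ftp_ctrl extended permit tcp any any eq 2121
!
! Traffic class that matches those control ports.
class-map ftp_port
 match access-list ftp_ctrl
!
! Apply FTP inspection to the class inside the global policy.
policy-map global_policy
 class ftp_port
  inspect ftp
!
! Already present in a default configuration; shown for completeness.
service-policy global_policy global
!
! From privileged EXEC mode, check that the class is matching traffic:
! show service-policy
```

With inspection applied to the control port, the firewall follows the FTP control session and opens each negotiated data connection for that session only, so the data port range needs no static forwarding entries and is not left permanently exposed.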
