change FTP port

Discussion in 'Cisco' started by M, Apr 27, 2007.

  1. M

    M Guest

    How do I change my FTP port from 21 to 8888?

    On the local network the FTP-server works fine with port 8888.
    But it can not be accessed from the internet. The FTP client logs on,
    but cannot list the files. Gets the error: Transfer channel can't be opened

    I think I need to redirect some extra port since I am not using port 21.

    What is wrong?

    Here is my conf on my ASA5500



    ASA Version 7.2(2)
    !
    terminal width 120
    hostname ASA-xx
    domain-name xx.local
    enable password CfJGq9/fxxnP.UdE encrypted
    names
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 212.xx.xx.10 255.255.255.240
    !
    interface Vlan7
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    switchport access vlan 2
    !
    interface Ethernet0/2
    switchport access vlan 7
    !
    interface Ethernet0/3
    switchport access vlan 7
    !
    interface Ethernet0/4
    switchport access vlan 7
    !
    interface Ethernet0/5
    switchport access vlan 7
    !
    interface Ethernet0/6
    switchport access vlan 7
    !
    interface Ethernet0/7
    switchport access vlan 7
    !
    passwd XojxZFfxx2wxqfff encrypted
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns server-group DefaultDNS
    domain-name DAE.local
    access-list allow_inbound remark ****
    access-list allow_inbound extended permit tcp any interface outside eq ftp
    access-list allow_inbound extended permit tcp any interface outside eq 8888
    access-list allow_inbound extended permit tcp any interface outside range 2048 3000
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-522.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface ftp 192.168.1.2 ftp netmask 255.255.255.255
    static (inside,outside) tcp interface 8888 192.168.1.2 8888 netmask 255.255.255.255
    static (inside,outside) tcp interface ftp-data 192.168.1.2 ftp-data netmask 255.255.255.255
    access-group allow_inbound in interface outside
    route outside 0.0.0.0 0.0.0.0 212.242.92.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    http server enable
    http 87.48.39.154 255.255.255.255 outside
    http 213.150.42.2 255.255.255.255 outside
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 60
    ssh 2xx.1x0.x2.2 255.255.255.255 outside
    ssh 87.x8.x9.xx4 255.255.255.255 outside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 60
    console timeout 60

    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context



    Best Regards
    Martin
    M, Apr 27, 2007
    #1

  2. M wrote:

    >I think I need to redirect some extra port since I am not using port 21.
    >
    >What is wrong?


    I'd rather think that this is because the ftp state machine doesn't know
    your port 8888. ftp is one of the most difficult protocols for a Firewall
    since there are two connections in a special context.

    Opening port 21 implies some things for port 20 and you'd have to do the
    same thing for port 8888 and maybe a second port. But I don't even know if
    this is possible on an ASA?

    Regards

    fw
    Frank Winkler, Apr 27, 2007
    #2
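
One way to attach the ASA's FTP inspection to the control port 8888 used in this thread, given as an added example that is not part of either post; the class-map name `ftp_8888` is made up for illustration, while `global_policy` is the policy-map from the posted configuration.

```cisco
! Added example, not from the thread. "ftp_8888" is a hypothetical name.
! Classify the FTP control channel on the non-standard port 8888.
class-map ftp_8888
 match port tcp eq 8888
!
! Add FTP inspection for that class to the existing global policy.
! The default class only covers FTP on its standard port 21.
policy-map global_policy
 class ftp_8888
  inspect ftp
!
! global_policy is already applied by the posted configuration:
! service-policy global_policy global
```

With inspection bound to 8888, the ASA follows the PASV/PORT exchange on that control connection and handles the data connection that goes with it. `show service-policy` lists the inspection counters per class, which shows whether traffic on 8888 is actually being matched.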
