change FTP port

How do I change my FTP port from 21 to 8888?

On the local network the FTP-server works fine with port 8888. But it cannot be accessed from the internet. The FTP client logs on, but cannot list the files. Gets the error: Transfer channel can't be opened

I think I need to redirect some extra port since I am not using port 21.

What is wrong?

Here is my conf on my ASA5500

ASA Version 7.2(2)
!
terminal width 120
hostname ASA-xx
domain-name xx.local
enable password CfJGq9/fxxnP.UdE encrypted
names
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 212.xx.xx.10 255.255.255.240
!
interface Vlan7
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 switchport access vlan 7
!
interface Ethernet0/3
 switchport access vlan 7
!
interface Ethernet0/4
 switchport access vlan 7
!
interface Ethernet0/5
 switchport access vlan 7
!
interface Ethernet0/6
 switchport access vlan 7
!
interface Ethernet0/7
 switchport access vlan 7
!
passwd XojxZFfxx2wxqfff encrypted
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 domain-name DAE.local
access-list allow_inbound remark ****
access-list allow_inbound extended permit tcp any interface outside eq ftp
access-list allow_inbound extended permit tcp any interface outside eq 8888
access-list allow_inbound extended permit tcp any interface outside range 2048 3000
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp 192.168.1.2 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 8888 192.168.1.2 8888 netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.1.2 ftp-data netmask 255.255.255.255
access-group allow_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 212.242.92.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 87.48.39.154 255.255.255.255 outside
http 213.150.42.2 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 60
ssh 2xx.1x0.x2.2 255.255.255.255 outside
ssh 87.x8.x9.xx4 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 60
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context

Best Regards Martin

Reply to
M

I'd rather think that this is because the ftp state machine doesn't know your port 8888. ftp is one of the most difficult protocols for a Firewall since there are two connections in a special context.

Opening port 21 implies some things for port 20 and you'd have to do the same thing for port 8888 and maybe a second port. But I don't even know if this is possible on an ASA?

Regards

fw

Reply to
Frank Winkler
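Added example, not part of either post: a small Python check that decodes the server's passive-mode reply and tests the advertised data endpoint against the static and access-list rules transcribed from the posted config. The sample 227 reply is constructed, and treating tcp/21 as the only control port the FTP inspection watches is an assumption about the default inspection class.

```python
import ipaddress
import re

# Rules transcribed from the posted config (ftp = 21, ftp-data = 20).
STATIC_PAT_PORTS = {21, 8888, 20}            # static (inside,outside) tcp interface ... 192.168.1.2
ACL_PERMITTED = [(21, 21), (8888, 8888), (2048, 3000)]  # access-list allow_inbound
INSPECTED_CONTROL_PORTS = {21}               # assumption: default FTP inspection covers tcp/21 only

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply; port = p1 * 256 + p2 (RFC 959)."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 passive-mode reply")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    return ipaddress.ip_address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2


def data_channel_problems(control_port, reply):
    """List reasons an outside client cannot open the passive data connection."""
    ip, port = parse_pasv(reply)
    if control_port in INSPECTED_CONTROL_PORTS:
        # Simplification: inspection rewrites the address and opens the data port.
        return []
    problems = []
    if ip.is_private:
        problems.append(f"reply advertises private address {ip}")
    if not any(lo <= port <= hi for lo, hi in ACL_PERMITTED):
        problems.append(f"data port {port} not permitted by allow_inbound")
    if port not in STATIC_PAT_PORTS:
        problems.append(f"no static translation for tcp/{port}")
    return problems


# Constructed sample: the server at 192.168.1.2 offers data port 9*256+196 = 2500.
SAMPLE = "227 Entering Passive Mode (192,168,1,2,9,196)"

if __name__ == "__main__":
    for control_port in (21, 8888):
        print(control_port, data_channel_problems(control_port, SAMPLE))
```

With the control connection on 8888 the check reports two blockers for the sample reply even though port 2500 falls inside the permitted 2048-3000 range: the client is told to connect to an inside address, and no static entry maps that data port to the server.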
