https://community.cisco.com/t5/network-security/getting-illegal-port-error-while-trying-to-access-outside-ftp/m-p/718050#M1005710 <HTML><HEAD></HEAD><BODY><P>nothing serius, but for ex.</P><P>mtu inside 1500</P><P>mtu outside 1500</P><P>mtu vengra 1500</P><P></P><P>its not really needed </P><P></P><P>PS. When you do changes on the the natting do a clear xlate and it to changes make effect ! </P><P></P><P>cya </P><P></P><P></P></BODY></HTML> Mon, 30 Apr 2007 20:54:15 GMT Rodrigo Gurriti 2007-04-30T20:54:15Z https://community.cisco.com/t5/network-security/getting-illegal-port-error-while-trying-to-access-outside-ftp/m-p/718045#M1005689 <P>I just setup a ASA 5505...the last issue I have is I can't access FTP on the outside network.</P><P></P><P>Please see config attached.</P><P></P><P>Thanks.</P><P></P><P> </P><P></P> Mon, 11 Mar 2019 10:06:31 GMT https://community.cisco.com/t5/network-security/getting-illegal-port-error-while-trying-to-access-outside-ftp/m-p/718045#M1005689 slaider76 2019-03-11T10:06:31Z https://community.cisco.com/t5/network-security/getting-illegal-port-error-while-trying-to-access-outside-ftp/m-p/718046#M1005698 <HTML><HEAD></HEAD><BODY><P>Well you got a few weird thinks on this config </P><P></P><P>1 your global (outside) 1 has a wrong net mask</P><P>2 you have no interface specified for inside but you have a nat (inside) </P><P>3 you dont need these access lists vengra_access_in and vengra_access_out</P><P></P><P>when you do nat it allow any thing from a high secure interface ( your int vengra ) to any interface to lower security interface( outside) </P><P></P><P>Well I saw a couple more weird options but any ways I'll tell you why you cannot access ftp </P><P></P><P>you need a police inspection </P><P></P><P>just type this as I have here. </P><P></P><P></P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P> message-length maximum 512</P><P>policy-map global_policy</P><P> class inspection_default</P><P> inspect dns preset_dns_map</P><P> inspect ftp</P><P> inspect h323 h225</P><P> inspect h323 ras</P><P> inspect rsh</P><P> inspect rtsp</P><P> inspect esmtp</P><P> inspect sqlnet</P><P> inspect skinny</P><P> inspect sunrpc</P><P> inspect xdmcp</P><P> inspect sip</P><P> inspect netbios</P><P> inspect tftp</P><P> inspect http</P><P></P><P>service-policy global_policy global</P><P></P><P></P><P>This is the default police inspection for the ASA I don't recommend you remove, you may want to twicke it a little be but I would not take it out </P><P></P><P></P><P>to get more information on ftp go to <A class="jive-link-custom" href="http://slacksite.com/other/ftp.html" target="_blank">http://slacksite.com/other/ftp.html</A></P><P></P><P>and I also recommend you take a look on types of firewall - packet filter, proxy filter and Stateful Packet Filter</P><P></P><P></P><P>Pixes and ASA's are Stateful Packet Filters</P><P></P></BODY></HTML> Sun, 29 Apr 2007 20:28:33 GMT https://community.cisco.com/t5/network-security/getting-illegal-port-error-while-trying-to-access-outside-ftp/m-p/718046#M1005698 Rodrigo Gurriti 2007-04-29T20:28:33Z https://community.cisco.com/t5/network-security/getting-illegal-port-error-while-trying-to-access-outside-ftp/m-p/718047#M1005702 <HTML><HEAD></HEAD><BODY><P>Thanks. What are the other weird options you see?</P></BODY></HTML> Mon, 30 Apr 2007 12:49:43 GMT https://community.cisco.com/t5/network-security/getting-illegal-port-error-while-trying-to-access-outside-ftp/m-p/718047#M1005702 slaider76 2007-04-30T12:49:43Z https://community.cisco.com/t5/network-security/getting-illegal-port-error-while-trying-to-access-outside-ftp/m-p/718048#M1005707 <HTML><HEAD></HEAD><BODY><P>Well, I added what you specified and it still does not seem to work...also when I remove the vengra access list I can't get to the outside.</P><P></P><P>Using the GUI when I specify the global pool it says the netmask is optional. I did not specify and I guess what you see is what it put for a default...what do you recommend?</P><P></P><P>Thanks</P><P></P><P>Edit:</P><P></P><P>Apparently it did not keep what I put in...I saw it...I rebooted the appliance and it must have erased it...? I entered it throught the GUI command line interface...I will try again.</P></BODY></HTML> Mon, 30 Apr 2007 13:58:41 GMT https://community.cisco.com/t5/network-security/getting-illegal-port-error-while-trying-to-access-outside-ftp/m-p/718048#M1005707 slaider76 2007-04-30T13:58:41Z https://community.cisco.com/t5/network-security/getting-illegal-port-error-while-trying-to-access-outside-ftp/m-p/718049#M1005709 <HTML><HEAD></HEAD><BODY><P>I re-entered and saved and it works.</P></BODY></HTML> Mon, 30 Apr 2007 15:05:22 GMT https://community.cisco.com/t5/network-security/getting-illegal-port-error-while-trying-to-access-outside-ftp/m-p/718049#M1005709 slaider76 2007-04-30T15:05:22Z https://community.cisco.com/t5/network-security/getting-illegal-port-error-while-trying-to-access-outside-ftp/m-p/718050#M1005710 <HTML><HEAD></HEAD><BODY><P>nothing serius, but for ex.</P><P>mtu inside 1500</P><P>mtu outside 1500</P><P>mtu vengra 1500</P><P></P><P>its not really needed </P><P></P><P>PS. When you do changes on the the natting do a clear xlate and it to changes make effect ! </P><P></P><P>cya </P><P></P><P></P></BODY></HTML> Mon, 30 Apr 2007 20:54:15 GMT https://community.cisco.com/t5/network-security/getting-illegal-port-error-while-trying-to-access-outside-ftp/m-p/718050#M1005710 Rodrigo Gurriti 2007-04-30T20:54:15Z