topic Re: block tcp ports 21/5060/2000 FMC in Network Security https://community.cisco.com/t5/network-security/block-tcp-ports-21-5060-2000-fmc/m-p/5257133#M1119353 <P>This can be caused by the device's default ALG inspections for ftp, sccp and sip (which use the three respective ports you noted).</P> <P>It is not actually open ports that potentially allow traffic through the device but rather the inspection process completing the handshake in order to further inspect payload (which in this case doesn't exist).</P> Wed, 05 Feb 2025 13:38:02 GMT Marvin Rhoads 2025-02-05T13:38:02Z block tcp ports 21/5060/2000 FMC https://community.cisco.com/t5/network-security/block-tcp-ports-21-5060-2000-fmc/m-p/5257109#M1119349 <P>Hi Dears,</P> <P>I’ve encountered an issue with <STRONG>FTD&nbsp;&nbsp;</STRONG>managed via <STRONG>Firepower Management Center (FMC)</STRONG>, running the <STRONG>recommended version 7.4.2</STRONG></P> <H3><STRONG>Issue Details:</STRONG></H3> <UL> <LI>After performing an <STRONG>Nmap scan</STRONG> on the <STRONG>outside interface</STRONG>, we discovered that <STRONG>TCP ports 21, 2000, and 5060</STRONG> are showing as <STRONG>open</STRONG>.</LI> <LI>This behavior persists even though: <UL> <LI>There are <STRONG>no specific ACLs or NAT rules</STRONG> configured to allow these ports.</LI> <LI>We have explicitly created rules to <STRONG>deny</STRONG> these ports, but they still appear open in the scan.</LI> </UL> </LI> </UL> <H3><STRONG>Additional Observations:</STRONG></H3> <UL> <LI>This issue is <STRONG>only present</STRONG> on FTD &nbsp;managed via <STRONG>FMC</STRONG>.</LI> <LI>On FTD devices managed via <STRONG>FDM (Firepower Device Manager)</STRONG>, the same Nmap scan shows these ports as <STRONG>closed</STRONG> as expected.</LI> </UL> Wed, 05 Feb 2025 12:18:39 GMT https://community.cisco.com/t5/network-security/block-tcp-ports-21-5060-2000-fmc/m-p/5257109#M1119349 GHOZLANE Haroun 2025-02-05T12:18:39Z Re: block tcp ports 21/5060/2000 FMC https://community.cisco.com/t5/network-security/block-tcp-ports-21-5060-2000-fmc/m-p/5257133#M1119353 <P>This can be caused by the device's default ALG inspections for ftp, sccp and sip (which use the three respective ports you noted).</P> <P>It is not actually open ports that potentially allow traffic through the device but rather the inspection process completing the handshake in order to further inspect payload (which in this case doesn't exist).</P> Wed, 05 Feb 2025 13:38:02 GMT https://community.cisco.com/t5/network-security/block-tcp-ports-21-5060-2000-fmc/m-p/5257133#M1119353 Marvin Rhoads 2025-02-05T13:38:02Z