05-25-2012 11:45 PM - edited 03-07-2019 06:55 AM
I currently have a Cisco 891 running with an FTP server on port 21. I currently have the NAT from the external IP to an internal IP 192.168.12.6 for port 21, and the firewall allowing that traffic through, and the client software is working fine. However, I need this FTP server to be running on port 990, and any time I change the NAT and the firewall, the external FTP clients connect but then drop when receiving the directory listing.
Any help would be greatly appreciated!
Sent from Cisco Technical Support iPad App
05-25-2012 11:56 PM
Hi
The reason for this is that FTP is not a very good protocol; this is a design flaw in the way FTP itself works.
When you send data to and from an FTP server, you open up ports that are not part of the initial channel, i.e. port 21.
To know what those ports are and to prepare the firewalls along the path of the connection, all the firewalls (i.e. your router) need to inspect the FTP traffic, i.e. look into the FTP stream, check what ports the connection wants to open, and prepare access-lists, NAT and some other things for those ports.
This is normally done on port 21, and as long as you do not change that it will work, since the firewall knows that it should look out for that info on port 21, i.e. open all packets and check for the specific information it needs to know, "by default".
Now you want to change that to port 990; the firewall does not open the packets and inspect them, and since it does not do that it does not open the data channel, because it does not know there even is a data channel that you need in order to transfer files or information, and the whole thing fails.
Now you know the background of why it fails.
So what can you do about it ?
You can either state: "OK, fine, I will live with a crappy protocol that will have problems with firewalls (firewall unfriendly), does nothing to protect me and sends things in clear text, including logins and passwords.
So I will therefore change my ip inspect information to make it work on port 990 instead of 21."
OR
you can state: "I will choose a better protocol to transfer my files, a protocol that protects my information by encryption, provides a lot more security and is firewall friendly, such as SFTP."
A word of advice: don't get it mixed up with FTPS, that is one screwed-up protocol.
Good luck.
HTH
05-26-2012 12:19 AM
In this case I don't have a choice of protocol. It is a proprietary system that is using the FTP protocol. I just need to get the translation working.
05-26-2012 01:17 AM
OK, what is your config like today?
05-26-2012 02:37 AM
Building configuration...
Current configuration : 11716 bytes
!
! Last configuration change at 22:14:11 PCTime Wed May 23 2012 by XXXXX
! NVRAM config last updated at 23:15:29 PCTime Wed May 23 2012 by XXXXX
!
version 15.0
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service udp-small-servers
service tcp-small-servers
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 X
!
no aaa new-model
!
!
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-X
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-X
revocation-check none
rsakeypair TP-self-signed-X
!
!
crypto pki certificate chain TP-self-signed-X
certificate self-signed 01
X
quit
ip source-route
ip gratuitous-arps
!
!
ip dhcp excluded-address 192.168.12.1 192.168.12.199
ip dhcp excluded-address 192.168.12.254
!
ip dhcp pool ccp-pool1
import all
network 192.168.12.0 255.255.255.0
default-router 192.168.12.1
dns-server 192.168.12.1
!
!
ip cef
ip domain name yourdomain.com
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip port-map user-protocol--1 port tcp 2080
no ipv6 cef
!
!
multilink bundle-name authenticated
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
license udi pid CISCO891W-AGN-A-K9 sn FTX1530806W
!
!
username XXXXX privilege 15 secret 5 X
!
!
ip finger
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 102
match protocol user-protocol--1
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-all sdm-nat-ftp-1
match access-group 101
match protocol ftp
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-ftp-1
inspect
class type inspect sdm-nat-user-protocol--1-1
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
!
!
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
ip address X.X.X.X 255.255.255.240
ip mask-reply
ip directed-broadcast
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
!
!
interface GigabitEthernet0
no ip address
ip mask-reply
ip directed-broadcast
ip flow ingress
shutdown
duplex auto
speed auto
!
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
ip mask-reply
ip directed-broadcast
ip flow ingress
arp timeout 0
!
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$
ip address 192.168.12.1 255.255.255.0
ip mask-reply
ip directed-broadcast
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
!
interface Async1
no ip address
ip mask-reply
ip directed-broadcast
encapsulation slip
!
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list 1 interface FastEthernet8 overload
ip nat inside source static tcp 192.168.12.50 2080 interface FastEthernet8 2080
ip nat inside source static tcp 192.168.12.6 21 interface FastEthernet8 21
ip route 0.0.0.0 0.0.0.0 X.X.X.X
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.12.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 209.60.166.192 0.0.0.15 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.12.6
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.12.50
no cdp run
!
!
!
!
!
!
control-plane
!
!
banner exec ^CCCC
% Password expiration warning.
-
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username with the username and password you want to
use.
-
^C
banner login ^CCCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin udptn ssh
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
05-27-2012 01:46 AM
OK, sorry for the delay in my answer.
I have taken a look at it and I cannot find the PAM part where you tell the router to look for the FTP packets on port 990.
It should be something like
ip port-map ftp port tcp 990
and it has to be hit by the packets before any other matching port-map (i.e. tcp), otherwise it will not fire.
I am not that familiar with ZBF, so I have a bit of a hard time reading the config.
HTH
05-27-2012 05:27 AM
The config I posted was the one that is currently working for port 21, when I need it on port 990.
I've tried the following:
ip port-map ftp port 990 list 10
ip nat inside source static tcp 192.168.12.6 990 interface FastEthernet8 990
access-list 10 permit 192.168.12.6
But this didn't work. Now, it was after the statement: ip port-map user-protocol--1 port tcp 2080
which is currently working for a different service. Would this stop it? And if so, by putting ip port-map ftp port 990 list 10 before it, would it then stop working? I can't take that service down.
Again, all help is appreciated.
05-28-2012 01:00 PM
Can you try this:
ip nat inside source static tcp 192.168.12.6 23 x.x.x.x 990
When you FTP to IP address x.x.x.x on port 990, it should divert the traffic to IP 192.168.12.6 port 23.
05-28-2012 04:17 PM
Nitin,
I tried that same thing today but back to port 21 instead of 23. Got the same results. Is there something significant about port 23?
05-29-2012 11:21 AM
Hi Jason,
I made a little mistake in the configuration. See the correct one below.
ip nat inside source static tcp 192.168.12.6 21 x.x.x.x 990
When you FTP to IP address x.x.x.x on port 990, it should divert the traffic to IP 192.168.12.6 port 21.
Revert for any clarifications.
05-30-2012 01:39 AM
Nitin,
Tried it and no luck.
I have also tried the ip port-map and ip nat service concepts, also no luck. Using ip port-map I can get a connection to the server, but then it drops when it does the pass-off to another port.
Any other ideas?
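The thread never reaches a resolution, so the following is an added example, not something any participant posted. It pulls together the two pieces that were mentioned separately (the port-map suggested in the 05-27 reply and the "ip nat service" attempt in the 05-30 post) into one fragment against the posted config, plus the show commands used to check each layer. The reason both are needed: on this router there are two independent engines that must be told FTP now lives on 990. The zone-based firewall's FTP inspection decides which data-channel connections to allow, and it only recognises FTP by the port-map; the NAT FTP ALG rewrites the private address inside PASV/PORT replies and creates translations for the data channel, and it has its own port list. Assumptions: the server at 192.168.12.6 listens on TCP 990 for plain, unencrypted FTP; ACL 10 is unused; the rest of the posted config (zones, class-maps, the overload NAT) stays as it is. The static entries use the poster's real outside interface, FastEthernet8.

```cisco
! Added example for the 05-27 and 05-30 posts; not from the original thread.
! Assumes 192.168.12.6 now listens on TCP 990 for plain FTP and ACL 10 is free.
!
! 1. Firewall side (PAM): by default the FTP inspection engine only parses
!    the control channel on TCP 21. Tell it that, for this host only, FTP is
!    also on TCP 990. The ACL scopes the mapping to the server address, which
!    is the post-NAT (inside) address the inspect class-maps already match
!    via access-list 101. The existing "ip port-map user-protocol--1 port
!    tcp 2080" line is for another port and host (192.168.12.50) and does
!    not collide with this entry.
access-list 10 remark FTP control channel on 990 for the FTP server only
access-list 10 permit host 192.168.12.6
ip port-map ftp port tcp 990 list 10
!
! 2. NAT side: the NAT FTP ALG also defaults to port 21. Without this line
!    the router forwards the control channel but leaves the private
!    192.168.12.6 inside the "227 Entering Passive Mode" reply and builds no
!    translation for the data port, which is exactly the symptom of
!    "connects, then drops on the directory listing".
ip nat service list 10 ftp tcp port 990
!
! 3. Port forward: outside :990 to the server's :990. Remove the old :21
!    entry once the server has moved, rather than keeping both.
no ip nat inside source static tcp 192.168.12.6 21 interface FastEthernet8 21
ip nat inside source static tcp 192.168.12.6 990 interface FastEthernet8 990
!
! Verification, run while an outside client attempts a directory listing:
!   show ip port-map ftp
!       - the 990 / list 10 entry must be listed next to the default 21
!   show policy-map type inspect zone-pair sdm-zp-NATOutsideToInside-1 sessions
!       - a session for :990 should appear under class sdm-nat-ftp-1, and a
!         second (data-channel) session should appear while the listing runs
!   show ip nat translations
!       - besides the :990 entry, a dynamic entry for the data port must be
!         created by the ALG; if it never appears, the ALG is not parsing
!         the control channel
```

One check to make before spending more time on port-maps: TCP 990 is the registered port for FTPS with implicit TLS, and a "proprietary system" that insists on 990 may well be negotiating TLS as soon as the connection opens. If the server's "220" greeting is not visible in clear text in a capture of the first packets after the handshake, the control channel is encrypted and neither the inspection engine nor the NAT ALG can read the PASV/PORT exchange, so no port-map will help; the remaining options are then to pin the server's passive data-port range and statically forward and permit that range, or to have the client use active mode with a similarly pinned range.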