#1
21st January, 2011, 01:24 AM
Rondog (Member, Victoria, Australia)

Opening ports Cisco 887

I cannot seem to open port 24 on my ADSL router. As far as I can tell it is set up exactly the same as the other ports, but I cannot access it for some reason. Could someone please shed some light on this?

Code:
Building configuration...

Current configuration : 10978 bytes
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cctrouter01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096
logging console critical
enable secret 5 $1$HAts$4NA/VChIXXGxat0776leF0
!
no aaa new-model
monitor event-trace cfd size 500
memory-size iomem 10
clock timezone PCTime 10
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-241047421
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-241047421
 revocation-check none
 rsakeypair TP-self-signed-241047421
!
!
crypto pki certificate chain TP-self-signed-241047421
 certificate self-signed 01
  30820253 308201BC A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 32343130 34373432 31301E17 0D313031 31323530 38333434 
  395A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F 
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3234 31303437 
  34323130 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100 
  C20113F9 B87A578D D057ACB5 8CE4F7F4 565CDD10 1D75F92F F38A361E 8AB38541 
  BD9B4E09 FE963016 CB6CB9DF 3F141B23 17CB45E0 02A29ECB F90D221C 1FF28B54 
  14E0BA33 82FC186C 9BAF75C1 9BF95772 76096423 A96A74DA 8C10A228 F0A9BB09 
  F23ED346 979044B7 C636923F E21C3E2D 7BF81051 B5E144CB 4C73C353 E458F7F5 
  02030100 01A37D30 7B300F06 03551D13 0101FF04 05300301 01FF3028 0603551D 
  11042130 1F821D63 6374726F 75746572 30312E63 63746265 6E646967 6F2E636F 
  6D2E6175 301F0603 551D2304 18301680 14ECEF93 BCB01AE3 7D3199C8 08F43D02 
  E203159B 1F301D06 03551D0E 04160414 ECEF93BC B01AE37D 3199C808 F43D02E2 
  03159B1F 300D0609 2A864886 F70D0101 04050003 81810055 C8EA79A8 D4AD9E98 
  5396E803 D01120E8 4B16AC24 37EE7B51 9378226B 0E9D9D72 401228F7 23C6FE40 
  1B7BC90B E97B5ED4 D93A5E0A 96F28AA3 F9014BDE 28957A92 CA700443 01D13164 
  9F86C7F8 78C247EE F0F6D9D1 50713233 AB2DA4FD 854B3C91 BBD19C13 8DD228B9 
  A6F4D77D BE462189 935D922C 08A4CE21 19F46088 79042E
  	quit
no ip source-route
!
!
!
!
ip cef
no ip bootp server
ip domain name cc********.com.au
ip name-server 192.168.1.4
ip port-map user-utorrent port tcp 8456
ip port-map user-kaseya port tcp 5721
ip port-map user-ftp24 port tcp 24
ip port-map user-rdp port tcp 3389
ip inspect log drop-pkt
no ipv6 cef
!
!
license udi pid CISCO887-K9 sn FHK1234879H9
!
!
username cct privilege 15 secret 5 $1$iVMt$YzdfgDFG8BPHX5mf8.
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any ftp24
 match protocol user-ftp24
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-5
 match class-map ftp24
 match access-group name ftp24
class-map type inspect match-any FTP
 match protocol ftp
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-4
 match class-map FTP
 match access-group name FTP
class-map type inspect match-any utorrent
 match protocol user-utorrent
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-3
 match class-map utorrent
 match access-group name utorrent
class-map type inspect match-all sdm-nat-http-1
 match access-group 102
 match protocol http
class-map type inspect match-any rdp
 match protocol user-rdp
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-2
 match class-map rdp
 match access-group name rdp
class-map type inspect match-any Kaseya
 match protocol user-kaseya
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-1
 match class-map Kaseya
 match access-group name Kaseya
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 103
 match protocol smtp
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all sdm-nat-https-1
 match access-group 101
 match protocol https
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect 
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-5
  pass
 class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-4
  inspect 
 class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-3
  inspect 
 class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-2
  inspect 
 class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-1
  inspect 
 class type inspect sdm-nat-https-1
  inspect 
 class type inspect sdm-nat-http-1
  inspect 
 class type inspect sdm-nat-smtp-1
  inspect 
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect 
 class type inspect ccp-insp-traffic
  inspect 
 class class-default
  drop
policy-map type inspect ccp-permit
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
! 
!
!
!
!
!
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description $FW_OUTSIDE$$ES_WAN$
 ip flow ingress
 pvc 8/35 
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1412
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address 27.xx.xx.114 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname cc**go
 ppp chap password 7 00100345345348525A
 ppp pap sent-username cc**go password 7 10534534554F59
 no cdp enable
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 105 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.4 21 27.xx.xx.114 21 extendable
ip nat inside source static tcp 192.168.1.4 24 27.xx.xx.114 24 extendable
ip nat inside source static tcp 192.168.1.4 25 27.xx.xx.114 25 extendable
ip nat inside source static tcp 192.168.1.7 80 27.xx.xx.114 80 extendable
ip nat inside source static tcp 192.168.1.4 443 27.xx.xx.114 443 extendable
ip nat inside source static tcp 192.168.1.4 3389 27.xx.xx.114 3389 extendable
ip nat inside source static udp 192.168.1.3 5060 27.xx.xx.114 5060 extendable
ip nat inside source static tcp 192.168.1.7 5721 27.xx.xx.114 5721 extendable
ip nat inside source static tcp 192.168.1.12 8456 27.xx.xx.114 8456 extendable
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended FTP
 remark CCP_ACL Category=128
 permit ip any host 192.168.1.4
ip access-list extended Kaseya
 remark CCP_ACL Category=128
 permit ip any host 192.168.1.7
ip access-list extended ftp24
 remark CCP_ACL Category=128
 permit ip any host 192.168.1.4
ip access-list extended rdp
 remark CCP_ACL Category=128
 permit ip any host 192.168.1.4
ip access-list extended utorrent
 remark CCP_ACL Category=128
 permit ip any host 192.168.1.12
!
logging trap debugging
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.1.4
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.7
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.1.4
access-list 105 remark CCP_ACL Category=2
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
!
control-plane
!
banner exec ^CCCC
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you
want to use.

-----------------------------------------------------------------------
^C
banner login ^CCCCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
__________________
AOA Team fah

Rig 1: Intel Core i5 750,4gb,HD6870,500gb,W7 Ult x64
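As an added example (not from the post above and not Cisco code), the following Python script copies the relevant lines of the posted config into a string and follows each static NAT entry through the port-map, the class-map chain and the outside-to-inside policy-map, reporting the action the zone-based firewall applies to that forward. The point it checks: `pass` admits the packet without creating a session, so the replies from the inside host are not recognised on their way back out, while `inspect` is the action that creates return-traffic state. In the posted policy the port 24 class is the only forward handled with `pass`, and the script reports exactly that. Assumptions: only the `match` forms that appear in this config are parsed, a `match-all` class is approximated by taking the union of its nested protocol and access-group matches, the `ftp` system application is assumed to mean tcp/21, and the public address is kept redacted as in the post.

```python
"""Follow each static NAT forward of a Cisco IOS zone-based firewall through
port-map -> class-map -> policy-map and report the action that admits it."""
import re
from collections import defaultdict

# Constructed excerpt of the config posted above; the public address is
# left redacted exactly as in the post.
CONFIG = """\
ip port-map user-ftp24 port tcp 24
class-map type inspect match-any ftp24
 match protocol user-ftp24
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-5
 match class-map ftp24
 match access-group name ftp24
class-map type inspect match-any FTP
 match protocol ftp
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-4
 match class-map FTP
 match access-group name FTP
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-5
  pass
 class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-4
  inspect
 class class-default
  drop
ip nat inside source static tcp 192.168.1.4 21 27.xx.xx.114 21 extendable
ip nat inside source static tcp 192.168.1.4 24 27.xx.xx.114 24 extendable
ip nat inside source static udp 192.168.1.3 5060 27.xx.xx.114 5060 extendable
ip access-list extended FTP
 permit ip any host 192.168.1.4
ip access-list extended ftp24
 permit ip any host 192.168.1.4
"""

SYSTEM_PORTS = {"ftp": ("tcp", 21)}  # assumed default port of the system-defined IOS application


def parse_config(text):
    """Return (port-maps, class-maps, ACL hosts, policy actions, NAT forwards)."""
    portmaps, classmaps, acl_hosts, actions, forwards = {}, {}, defaultdict(set), {}, []
    block = current_class = None
    for line in text.splitlines():
        if m := re.match(r"ip port-map (\S+) port (tcp|udp) (\d+)", line):
            portmaps[m[1]] = (m[2], int(m[3]))
        elif m := re.match(r"class-map type inspect match-\w+ (\S+)", line):
            block = ("class", m[1])
            classmaps[m[1]] = {"protocols": set(), "classes": set(), "acls": set()}
        elif m := re.match(r"policy-map type inspect (\S+)", line):
            block = ("policy", m[1])
        elif m := re.match(r"ip access-list extended (\S+)", line):
            block = ("acl", m[1])
        elif m := re.match(r"ip nat inside source static (tcp|udp) (\S+) (\d+) \S+ (\d+)", line):
            forwards.append((m[1], m[2], int(m[3]), int(m[4])))
        elif block and line.startswith(" "):
            kind, name = block
            w = line.split()
            if kind == "class" and w[0] == "match":
                # `match protocol X`, `match class-map X`, `match access-group [name] X`
                field = {"protocol": "protocols", "class-map": "classes", "access-group": "acls"}[w[1]]
                classmaps[name][field].add(w[-1])
            elif kind == "policy" and w[0] == "class":
                current_class = w[-1]  # `class type inspect X` or `class class-default`
            elif kind == "policy" and w[0] in ("inspect", "pass", "drop"):
                actions[current_class] = w[0]
            elif kind == "acl" and w[:4] == ["permit", "ip", "any", "host"]:
                acl_hosts[name].add(w[4])
        else:
            block = None
    return portmaps, classmaps, acl_hosts, actions, forwards


def _collect(name, classmaps, field):
    """Union one field over a class-map and the class-maps it nests via `match class-map`."""
    out = set(classmaps[name][field])
    for child in classmaps[name]["classes"]:
        out |= _collect(child, classmaps, field)
    return out


def check_forwards(text):
    """Map each forward, keyed 'proto/outside_port', to (policy action, explanation)."""
    portmaps, classmaps, acl_hosts, actions, forwards = parse_config(text)
    apps = {**SYSTEM_PORTS, **portmaps}  # application name -> (proto, port)
    result = {}
    for proto, host, inside_port, outside_port in forwards:
        app = next((n for n, pp in apps.items() if pp == (proto, inside_port)), None)
        # match-all approximated: a nested protocol names the app AND a nested ACL permits the host
        hit = [c for c in actions if c in classmaps
               and app in _collect(c, classmaps, "protocols")
               and any(host in acl_hosts[a] for a in _collect(c, classmaps, "acls"))]
        if not hit:
            action = actions.get("class-default", "drop")
            why = "no class-map matches this port and host; falls to class-default"
        elif (action := actions[hit[0]]) == "pass":
            why = f"{hit[0]}: pass is stateless, replies from {host} are not tracked; use inspect"
        elif app in portmaps:
            why = f"{hit[0]}: {action} via user port-map {app} (generic {proto} inspection, no application inspector)"
        else:
            why = f"{hit[0]}: {action} with the {app} application inspector"
        result[f"{proto}/{outside_port}"] = (action, why)
    return result


if __name__ == "__main__":
    for key, (action, why) in check_forwards(CONFIG).items():
        print(f"{key:9} {action:8} {why}")
```

Run it as-is and the three forwards in the excerpt come out as tcp/21 `inspect`, tcp/24 `pass` with the stateless warning, and udp/5060 `drop` (no class in the outside-to-inside policy names that port, so class-default applies). The fix it points at is changing the action under `class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-5` from `pass` to `inspect`; the rest of the policy already does that for every other forward.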
#2
21st January, 2011, 05:54 AM
Gizmo (Chief BBS Administrator, Webb City, Mo)
What exactly is the problem you are having? BTW, you DO realize that FTP uses 2 ports, right?
#3
21st January, 2011, 12:36 PM
Rondog (Member, Victoria, Australia)

I thought FTP was port 21, and I need to run a second FTP server on the one public address.

Problem I'm having: I have two FTP servers, one configured on the standard port 21 and a second on port 24. Same address, but one is public and one is private. What is happening is that the port 21 FTP server works perfectly. I'm using the website Open Port Check Tool to see what ports are blocked. Port 24 still appears blocked even though I have named the port, NATted it, and opened it through the firewall.

Sorry for the long-winded response. Does this give you more details?
#4
21st January, 2011, 05:57 PM
Gizmo (Chief BBS Administrator, Webb City, Mo)
FTP uses ports 20 and 21.

FTP has two different modes of operation: active and passive.
In active mode (the default type), the SERVER listens on port 21 (the control channel) for an incoming request. When it receives a request, it responds using port 20 (the data channel) back to the CLIENT, using whatever port the CLIENT indicated when it sent a transfer request to port 21.
In passive mode (activated by the client sending the PASV command), the SERVER still listens on port 21 for an incoming request. When it receives one, it responds by telling the CLIENT what port to connect to. The CLIENT then connects to the designated port to finish the transfer.

Active transfer mode was the original mode. Because of how it works, it causes heartburn for firewalls and such at the client side (essentially, the firewall has to allow a connection that is initiated from OUTSIDE the firewall to access an arbitrary address and port INSIDE the firewall; for simple packet filters, this is a problem). As a result, passive FTP originated, which allows the server to tell the client to connect to an arbitrary port on the server. This means that the server now has to allow connections to arbitrary ports from the outside world.

My point in describing all of this is just this: I suspect that your line

class-map type inspect match-any FTP

may in fact be smart enough to handle the port 20/21 requirements of FTP, whereas the equivalent line for ftp24 is only handling port 24, not ports 23/24 (which is what you actually need for active FTP).
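The two-connection behaviour described in the post above, as an added example that is not part of the post and not Cisco code: a Python model of what an FTP-aware inspector does with the control channel. It decodes the `h1,h2,h3,h4,p1,p2` host-port form that both the client's PORT command and the server's `227` PASV reply use (RFC 959; the port is p1*256 + p2, and the default active-mode data port is one below the control port, so 20 for 21), and a toy server-side firewall that opens a pinhole for a passive data port only on control ports that carry the inspector. A second FTP server on port 24 admitted through a generic TCP port-map gets no such pinhole, so its passive-mode data connection stays blocked even when port 24 itself is open. The `ServerSideFirewall` class, the addresses (203.0.113.9 is a documentation address) and the control-channel lines are all constructed for the illustration.

```python
"""Model of what an FTP-aware firewall inspector does with the control
channel, and what a plain TCP port forward cannot do."""
import re


def parse_hostport(spec):
    """Decode the 'h1,h2,h3,h4,p1,p2' form used by both PORT and PASV (RFC 959)."""
    nums = [int(n) for n in spec.split(",")]
    if len(nums) != 6 or not all(0 <= n <= 255 for n in nums):
        raise ValueError(f"bad host-port spec: {spec!r}")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def data_channel(control_line, control_port):
    """Return the data connection one control-channel line implies, as
    (who_connects, dst_ip, dst_port, src_port), or None for other lines."""
    if m := re.match(r"PORT (\S+)$", control_line):
        # Active mode: the client names its own listener; the server connects
        # to it from the default data port L-1 (20 when the control port is 21).
        ip, port = parse_hostport(m[1])
        return ("server", ip, port, control_port - 1)
    if m := re.match(r"227 .*\((\d+(?:,\d+){5})\)", control_line):
        # Passive mode: the server names an ephemeral listener; the client connects to it.
        ip, port = parse_hostport(m[1])
        return ("client", ip, port, None)
    return None


class ServerSideFirewall:
    """Toy model (constructed for this example) of the router in front of the
    FTP server: static forwards plus pinholes an FTP inspector adds from the
    control channel. Only control ports listed in `inspected` get the
    inspector; a user-defined port-map gives generic TCP handling instead."""

    def __init__(self, forwards, inspected):
        self.forwards = set(forwards)    # {("tcp", port)} opened by static NAT
        self.inspected = set(inspected)  # control ports with FTP inspection
        self.pinholes = set()

    def observe(self, control_port, line):
        """Feed one control-channel line seen on the given control port."""
        dc = data_channel(line, control_port)
        if dc and control_port in self.inspected and dc[0] == "client":
            # Passive data connection arrives inbound at the server: open it.
            # (A real inspector also rewrites the private address in the 227
            # reply to the NAT address; that is not modelled here.)
            self.pinholes.add(("tcp", dc[2]))
        return dc

    def allows_inbound(self, port):
        return ("tcp", port) in self.forwards or ("tcp", port) in self.pinholes


def simulate():
    """Two passive transfers against the thread's layout: FTP on 21 with the
    inspector, and a second FTP server on 24 behind a generic TCP port-map."""
    fw = ServerSideFirewall(forwards=[("tcp", 21), ("tcp", 24)], inspected=[21])
    fw.observe(21, "227 Entering Passive Mode (192,168,1,4,195,89)")  # data port 50009
    fw.observe(24, "227 Entering Passive Mode (192,168,1,4,196,10)")  # data port 50186
    return fw.allows_inbound(50009), fw.allows_inbound(50186)


if __name__ == "__main__":
    # Active mode on port 21: the server connects from port 20 to client:1025.
    print(data_channel("PORT 203,0,113,9,4,1", 21))
    print(simulate())
```

`simulate()` returns `(True, False)`: the passive data port negotiated on the inspected port 21 is reachable, the one negotiated on port 24 is not, because nothing ever parsed that `227` reply. An open-port checker that only probes port 24 tells you nothing about this, since it never gets as far as a data transfer.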
#5
23rd January, 2011, 03:40 AM
Rondog (Member, Victoria, Australia)

Well, there you go. You learn something new every day. I ended up cheating a little bit: I changed the FTP so there is only one server, on the default port, and it has anonymous access, but there is a folder contained in there with usernames and passwords applied, so anyone can access the first layer but needs to log in to get to any additional layer. Problem solved.

Thanks for the info though, I will have to test this at a later date.



All times are GMT +1.

Copyright ©2001 - 2010, AOA Forums