Hello Johan,

The keyword "*ftp*" is just instructing the ASA to "treat" the packets as
FTP packets. Yes, by default FTP control packets are expected on TCP port
21. But, in this case, you are telling the ASA to expect FTP packets on port
21021 and to perform FTP inspection on those FTP packets.

If you actually go ahead and send FTP traffic on port 21021, you will notice
that the ASA inspects that FTP traffic. As kings said, instead of "inspect
ftp", if you had specified "inspect http", it would not work. That's
because the ASA would now be expecting HTTP traffic to arrive on port 21021,
whereas you are actually sending FTP traffic.

Remember, by default the ASA will look for FTP traffic in port 21. But in
this case, you are instructing the ASA to treat the packets arriving on port
21021 as FTP traffic too.

Please let me know if I'm addressing your doubt?

Cheers,
TacACK
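
The configuration discussed in the reply above, as an added example that is not part of the original post. The class-map name FTP-21021 is hypothetical; global_policy is assumed to be the ASA's default global policy map.

```cisco
! Added example, not from the original thread.
! Classify traffic by destination port only. The ASA does not detect the
! protocol itself; the "inspect" keyword below decides how it is parsed.
class-map FTP-21021
 match port tcp eq 21021
!
policy-map global_policy
 ! The default inspection class keeps handling FTP control on TCP/21.
 class inspection_default
  inspect ftp
 ! Treat TCP/21021 as an FTP control channel as well, so PORT/PASV
 ! negotiation is parsed and the data connections are opened dynamically.
 class FTP-21021
  inspect ftp
 ! Using "inspect http" in the class above instead would make the ASA
 ! parse TCP/21021 as HTTP, and real FTP sessions on that port would
 ! not work.
!
service-policy global_policy global
```

After sending FTP traffic to port 21021, the packet counters in `show service-policy` should increase for the FTP-21021 class.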