ftps through ASA 5520

Unanswered Question
Apr 17th, 2007

I am having issues trying to allow inbound ftps connections on the outside interface. I have an access-list allowing tcp/990 as well as tcp/989 (ftps-data.) I can actually establish a connection however files and folders do not show up. When I view the server logs I can see that it is unable to open a port for data, it appears to be a random high port number. I have tried to create a policy/class map to match traffic to TCP/990 and 'inspect ftp' as the action. However I was reading online that this will not work since it is encrytped traffic the ASA will not see it as ftp. I am currently also trying to determine if I can set static data ports on the server and just allow that traffic. On a side note sftp works fine. Thanks.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
vijayasankar Thu, 04/19/2007 - 04:08

Hi Prince,

This is typical issue with FTPS.

In plain FTP, the firewall can inspect the control channel and hence it knows the port details of the data channel that is going to get established from the ftp server to the client.

This will enable the firewall to automatically open the data channel ports.

In FTPS, even the control channel traffic is encrypted, so the firewall can no longer inspect the details exchanged over the control port and hence the data channel connection attempt will fail.

For this to work.

Create rules in your firewall as follows

1) Allow Any to FTPS server on port 990.

2) Allow FTPS Server port 989 to any.

This should allow the data channel tcp session to get established.

Let us know if this resolves your issue.

-VJ

dprincects Wed, 04/25/2007 - 04:10

Thanks for your reply.

I did try to open this port as I read that this port was assigned to ftps-data, however this did not resolve my issue. I am not familiar with the FTP Daemon software that my company is using and am currently investigating to see if they have redirected the ftps-data traffic to a high port/range. Again thank you for your help.

Dan

vijayasankar Wed, 04/25/2007 - 07:58

Hi Dan,

Thanks for the update.

Do let us know your observation on this.

-VJ

Actions

This Discussion