JORGE RODRIGUEZ Sat, 12/08/2007 - 13:33

Hi Elliot, were you aware that sftp is not supported in PIX? Refer to this Q&A document for sftp support through the firewall. You may also want to do a forum search or Google "firewalls" in general and sftp support to see how others have done it, as I have seen many threads on this.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a0080094874.shtml



HTH

Jorge


rmwhite59 Sat, 12/08/2007 - 15:06

Jorge,

Is sftp not supported in all Cisco security appliances, i.e. ASA?


Thanks.


Raymond

JORGE RODRIGUEZ Sun, 12/09/2007 - 09:10

Hi Raymond, sorry for calling you Elliot! On your question on ASA, it is not about that, but I think it is about the mechanism of sftp/ftps and ftp and how the firewall handles ports and inspection; this seems to be the common denominator on sftp. Doing some brief reading, there seem to be two ways for ftp data security: sftp and ftp over ssh. You may be able to get ftp over ssh implemented on PIX, but the only way to find out is by implementing it to see if it does work. You may need to look into an ftp client that supports secure ftp, like GlobalSCAPE; here is a link: http://www.cuteftp.com/cuteftppro

Forms of secure ftp:

http://www.process.com/tcpip/sft.pdf


You could start with something like this. Say we have the following:


Local FTP server in DMZ: 172.16.1.1

Public NAT for FTP server 10.20.20.20



static (dmz,outside) 10.20.20.20 172.16.1.1 netmask 255.255.255.255

access-list outside_access_in permit tcp any host 10.20.20.20 eq 21

access-list outside_access_in permit tcp any host 10.20.20.20 eq 20

access-list outside_access_in permit tcp any host 10.20.20.20 eq 22

access-group outside_access_in in interface outside


Let me know how this works if suitable, and if you decide to implement it you may want to turn on firewall syslog or set up a syslog server to see the traffic in the event it fails.


HTH

Jorge


pls rate any helpful post if it helps!

rmwhite59 Sun, 12/09/2007 - 11:09

Jorge,

I have attached my config. The public IP for the ftp server is xx.xxx.xxx.51. Here is what I added, which did not work. It also shut down traffic to the inside network from the outside.


static (dmz,outside) 66.xxx.xxx.51 172.16.1.10 netmask 255.255.255.255

access-list outside_access_in permit tcp any host 172.16.1.10 eq 21

access-list outside_access_in permit tcp any host 172.16.1.10 eq 20

access-list outside_access_in permit tcp any host 172.16.1.10 eq 22

access-group outside_access_in in interface outside


Any help would be appreciated



JORGE RODRIGUEZ Sun, 12/09/2007 - 12:24

Before looking at the config, what type of FTP server are you using, e.g. Microsoft IIS or a 3rd-party ftp server? If 3rd party, what type?

JORGE RODRIGUEZ Sun, 12/09/2007 - 13:48

You are using the outside interface IP as opposed to a spare public IP; I thought you had a spare public IP. Did you add it in your current "incoming" ACL, as well as the static NAT as below? To be on the same page, this is for ftp over SSH, which Jscale supports based on the docs. As long as you allow passive mode on ftp, this should work.


static (dmz,outside) tcp interface 20 172.16.1.X 20 netmask 255.255.255.255

static (dmz,outside) tcp interface 21 172.16.1.X 21 netmask 255.255.255.255

static (dmz,outside) tcp interface 22 172.16.1.X 22 netmask 255.255.255.255


where X is your ftp server in DMZ subnet.


access-list incoming permit tcp any host xx.xxx.xxx.53 eq 20

access-list incoming permit tcp any host xx.xxx.xxx.53 eq 21

access-list incoming permit tcp any host xx.xxx.xxx.53 eq 22


access-group incoming in interface outside



rmwhite59 Sun, 12/09/2007 - 14:25

Outside interface ip is xx.xxx.xxx.53

spare public ip is xx.xxx.xxx.51

xx.xxx.xxx.51 is the public address used for the ftp server in the dmz


Thanks,


Raymond


JORGE RODRIGUEZ Sun, 12/09/2007 - 15:33

OK, then your above static is correct, but add three additional lines to the "incoming" ACL:


static (dmz,outside) 66.xxx.xxx.51 172.16.1.10 netmask 255.255.255.255


access-list incoming permit tcp any host xx.xxx.xxx.51 eq 20

access-list incoming permit tcp any host xx.xxx.xxx.51 eq 21

access-list incoming permit tcp any host xx.xxx.xxx.51 eq 22

access-group incoming in interface outside


Also make sure the ftp server in the DMZ is indeed listening on those ports, by testing from an outside source with a telnet test as in the example below.


e.g.

C:\> telnet 66.xxx.xxx.51 20 ... and do the same for 21 and 22. If you get a black screen on each telnet test, it means you are hitting the server in the DMZ on each of those ports; then test ftps.
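The telnet test above only proves that a TCP handshake completes; it does not say which secure-transfer mechanism the server actually speaks, and the "forms of secure ftp" post earlier in the thread mixes three different things. SFTP is an SSH subsystem: one connection to TCP/22 and nothing on 20 or 21. Explicit FTPS is FTP on TCP/21 upgraded with AUTH TLS; because the control channel is then encrypted, the firewall cannot read the PASV reply to open the data port, so the server's passive port range must be permitted explicitly. Port 20 is the source port a server uses for active-mode data connections, so a refused connect there is normal. The script below is an added example, not code from the thread or from Cisco: it reads the greeting on each port, classifies it (SSH banner per RFC 4253, 220 reply per RFC 959), asks an FTP server whether AUTH TLS is accepted (234 per RFC 4217, or 334 per RFC 2228), and turns the result into the rules the firewall needs. The host name and the sample banners are constructed for the example so it runs offline.

```python
import socket

# FTP reply codes that accept AUTH TLS (RFC 4217); 334 is the RFC 2228 form.
AUTH_TLS_OK = {234, 334}


def classify_banner(banner):
    """Classify the greeting a server sends right after TCP connect.

    SSH servers, and therefore SFTP (an SSH subsystem on TCP/22 only), send
    an identification string beginning "SSH-" (RFC 4253). FTP servers send a
    220 reply (RFC 959). An empty banner means the socket connected but the
    service said nothing, which is what a bare telnet "black screen" shows.
    """
    if not banner:
        return "silent"
    if banner.startswith(b"SSH-"):
        return "ssh"
    if banner[:3] == b"220":
        return "ftp"
    return "unknown"


def parse_auth_tls_reply(reply):
    """True if the FTP server accepted AUTH TLS, i.e. explicit FTPS works."""
    code = reply[:3]
    return code.isdigit() and int(code) in AUTH_TLS_OK


def build_result(port, banner, auth_reply=None, connected=True):
    """Normalise one probe (live or captured) into a small record."""
    kind = classify_banner(banner) if connected else "closed"
    ftps = None
    if kind == "ftp" and auth_reply is not None:
        ftps = parse_auth_tls_reply(auth_reply)
    return {"port": port, "kind": kind, "ftps": ftps}


def probe_port(host, port, timeout=5.0):
    """Live form of the telnet test: connect from outside, read the banner
    and, on an FTP port, ask whether AUTH TLS is accepted."""
    banner, auth_reply, connected = b"", None, True
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256)
            except socket.timeout:
                pass
            if classify_banner(banner) == "ftp":
                s.sendall(b"AUTH TLS\r\n")
                try:
                    auth_reply = s.recv(256)
                except socket.timeout:
                    auth_reply = b""
    except OSError:
        connected = False  # refused, filtered, or no route
    return build_result(port, banner, auth_reply, connected)


def summarize(results):
    """Reduce probes of 20/21/22 to what the firewall rules must allow."""
    by_port = {r["port"]: r for r in results}
    ssh = by_port.get(22, {}).get("kind") == "ssh"
    ftp = by_port.get(21, {}).get("kind") == "ftp"
    ftps = by_port.get(21, {}).get("ftps") if ftp else None
    notes = []
    if ssh:
        notes.append("SFTP reachable on 22/tcp; it needs no 20/21 rules.")
    if ftp and ftps:
        notes.append("Explicit FTPS on 21/tcp; the firewall cannot read the "
                     "encrypted PASV reply, so permit the server's passive "
                     "port range explicitly (FTP inspection only helps "
                     "plaintext FTP).")
    if ftp and not ftps:
        notes.append("Plaintext FTP only on 21/tcp; AUTH TLS was rejected.")
    if by_port.get(20, {}).get("kind") == "closed":
        notes.append("20/tcp refused: expected, the server does not listen "
                     "there; it is the source port of active-mode data.")
    return {"sftp": ssh, "ftp": ftp, "ftps": ftps, "notes": notes}


# Constructed sample captures (not from the thread) so this runs offline.
SAMPLE = [
    build_result(20, b"", connected=False),
    build_result(21, b"220 FTP server ready.\r\n", b"234 AUTH TLS successful\r\n"),
    build_result(22, b"SSH-2.0-OpenSSH_4.7p1\r\n"),
]

if __name__ == "__main__":
    # For a live check replace SAMPLE with, for a hypothetical host:
    # [probe_port("ftp.example.net", p) for p in (20, 21, 22)]
    for note in summarize(SAMPLE)["notes"]:
        print(note)
```

Run it from a host on the outside, never from the DMZ itself, otherwise the static and ACL on the PIX are not in the path and the test proves nothing about the firewall.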


