FTPS on ASA appliance

Unanswered Question
Feb 4th, 2008

I need to connect to an FTP server over SSL, a server that I do not have any control over. My problem is the ASA does not allow the connection because it is going over SSL and so it cannot inspect the packets. Does anyone have a workaround for this? I only need this to work for 1 internal client, so I thought maybe a 1:1 NAT would work, but it didn't, or I didn't do it correctly. I have talked to the people that run the FTP server and all they were able to tell me is to make sure ports 20 & 21 and ports greater than 1024 are open to their server. Any suggestions would be appreciated. Thanks

srue Mon, 02/04/2008 - 12:37

I know with some SSL FTP servers, the administrator can choose which ports above 1024 it will use. Unfortunately it doesn't sound like you're going to get that level of cooperation from them. Do the static NAT, and then just allow all those ports from that one server?

cisco24x7 Mon, 02/04/2008 - 14:20

This is 2008, not 1998. FTP should be banned.

There is a very simple solution to this. Secure Copy, scp. scp runs as a sub-system of SSH, and you can encrypt your traffic with AES256-cbc with sha-1. Make it very on the firewall and anyone managing it. Allow tcp port 22 on the firewall and you're set.

CCIE Security

arosenaugfmhm Mon, 02/04/2008 - 18:45

I agree with you 100%, however I don't have a choice. What is really irritating is the organization we are sending this data to used to have an SSL secured website you could just upload it to, but they switched back to FTP over SSL, because they "claimed" it was more secure. I am going to try the static NAT and will let you know what happens.

arosenaugfmhm Tue, 02/05/2008 - 07:02

Ok so I tried the following and it didn't work. I admit I probably did something wrong.

static (inside, outside) netmask

access-list ftps extended permit ip host host

And then I applied it to the outside interface

access-group ftps in interface outside

Let me know what I did wrong. Thanks
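
An added example (not part of the thread, and not ASA code): a small Python model of the inspection problem described in the first post. An FTP inspector learns the data port by reading the server's 227/229 replies on the control channel; once the server accepts AUTH TLS, those replies are ciphertext and the port above 1024 stays unknown to the firewall. The address 192.0.2.10, both sample sessions and the function name are constructed for illustration.

```python
import re

# 227 reply (RFC 959): "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# 229 reply (RFC 2428): "229 Entering Extended Passive Mode (|||port|)"
EPSV_RE = re.compile(rb"^229 .*?\(\|\|\|(\d+)\|\)")


def inspect_control_channel(server_ip, segments):
    """Model an inspector watching server-to-client control-channel data.

    Returns (pinholes, blind): the (ip, port) data endpoints it could learn,
    and whether the session switched to TLS, hiding all later replies.
    """
    pinholes, blind = [], False
    for seg in segments:
        if blind:
            continue  # ciphertext from here on: no reply codes to parse
        for line in seg.split(b"\r\n"):
            if line.startswith(b"234"):  # server accepted AUTH TLS (RFC 4217)
                blind = True
                break
            m = PASV_RE.match(line)
            if m:
                o = [int(x) for x in m.groups()]
                pinholes.append((".".join(map(str, o[:4])), o[4] * 256 + o[5]))
                continue
            m = EPSV_RE.match(line)
            if m:  # EPSV carries only the port; the address is the server's
                pinholes.append((server_ip, int(m.group(1))))
    return pinholes, blind


# Constructed sample sessions (server-to-client direction only).
PLAIN_FTP = [b"220 ready\r\n", b"331 Password required\r\n", b"230 Logged in\r\n",
             b"227 Entering Passive Mode (192,0,2,10,195,80)\r\n"]
EXPLICIT_FTPS = [b"220 ready\r\n", b"234 AUTH TLS successful\r\n",
                 b"\x16\x03\x03\x00\x04abcd",           # TLS handshake record
                 b"\x17\x03\x03\x00\x08\x8f\x12\x9a\x00\x41\x07\xee\x31"]  # encrypted 227

if __name__ == "__main__":
    print("plain FTP    :", inspect_control_channel("192.0.2.10", PLAIN_FTP))
    print("explicit FTPS:", inspect_control_channel("192.0.2.10", EXPLICIT_FTPS))
```

This is why the first reply asks whether the server's administrator can pin the passive port range: with the control channel encrypted, a static rule for a known range toward that one server is the only thing the firewall can match on.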

