ftp and sftp through pix 501 with attachment

Unanswered Question
Feb 18th, 2008

Hi All,

I am having problems porting ftp and sftp through a PIX 501 v6.3. Attached is my configuration, if any one has any input I would appreciate it.

Thanks, - Ed

abinjola Mon, 02/18/2008 - 21:33

SFTP doesn't work with static port redirection, you need a free public ip, map it to ftp server and open ports on the outside access-list

cisco24x7 Tue, 02/19/2008 - 05:19

"SFTP doesn't work with static port redirection, you need a free public ip, map it to ftp server and open ports on the outside access-list"

Say what? Are you aware that SFTP is a sub-component of SSH? If what you say is true, how do you explain this:

interface F0/0
ip address 129.174.1.13 255.255.255.240
ip nat outside
interface F0/1
ip address 192.168.15.10 255.255.255.0
ip nat inside
ip nat inside source static tcp 192.168.15.10 22 interface FastEthernet0/0 22

Nokia-1-P[admin]# sftp -v [email protected]
Connecting to 129.174.1.13...
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090604f
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 0 geteuid 0 anon 1
debug1: Connecting to 129.174.1.13 [129.174.1.13] port 22.
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /var/emhome/admin/.ssh/id_rsa type -1
debug1: identity file /var/emhome/admin/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2
debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-sha1 none
debug1: kex: client->server aes128-cbc hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 160/320
debug1: bits set: 1625/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '129.174.1.13' is known and matches the RSA host key.
debug1: Found key in /var/emhome/admin/.ssh/known_hosts:11
debug1: bits set: 1595/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /var/emhome/admin/.ssh/id_rsa
debug1: try privkey: /var/emhome/admin/.ssh/id_dsa
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is password
[email protected]'s password:
debug1: packet_send2: adding 64 (len 58 padlen 6 extra_pad 64)
debug1: ssh-userauth2 successful: method password
debug1: fd 4 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: Sending subsystem: sftp
debug1: channel request 0: subsystem
debug1: channel 0: open confirm rwindow 0 rmax 32768
sftp> cd /tmp
sftp> ls
drwxrwxrwt 7 root root 12288 Feb 19 09:30 .
drwxr-xr-x 23 root root 4096 Feb 13 10:45 ..
drwxrwxrwt 2 root root 4096 Feb 13 10:45 .X11-unix
drwxrwxrwx 2 bin bin 4096 Feb 13 10:48 .iroha_unix
sftp> exit
Nokia-1-P[admin]#

CCIE Security

ed-rucker Tue, 02/19/2008 - 05:39

Thanks, but I think that is FTPS or FTP over SSL.

When I indicate SFTP I mean SSH FTP which travels in and out on one port, usually 22. I have this working now, it turned out to be a problem with the SFTP server.

The simple FTP connection is still acting up, however: it will connect but won't list directories.

abinjola Tue, 02/19/2008 - 05:58

Well, I meant FTP over SSL doesn't work over PAT; FTP over SSH should work.

Is fixup ftp turned on?

What kind of FTP connection is this, active or passive?

I would like to try this FTP using "Core FTP client"; download it from Google.

By any chance, do you have logs with you?
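The two questions above (is the FTP fixup on, and is the client using active or passive mode) can be answered from the client side. The following is an added diagnostic script, not from this thread or from any poster; it assumes a reachable FTP server and uses only the Python standard library. It tries a directory listing in passive and in active mode and, separately, captures the raw PASV reply so you can see whether the server is advertising its inside (private) address through the firewall, which is the symptom you get when the firewall is not inspecting and rewriting the FTP control channel. The sample replies in the comments and test reuse the addresses from this thread as constructed values; the default hostname is a placeholder.

```python
"""Diagnose FTP data-channel problems behind a NAT firewall (passive vs active)."""
import ipaddress
import re
from ftplib import FTP

# Matches the host/port tuple in a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (ip, port) advertised by a 227 PASV reply, e.g.
    '227 Entering Passive Mode (192,168,15,10,4,1)' -> ('192.168.15.10', 1025)."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def diagnose_pasv(reply, control_peer):
    """Classify a PASV reply against the address the control connection actually went to.

    'ok'        server advertised the same address the client connected to
    'nat-leak'  server advertised a private (inside) address while we reached it on a
                public one: the firewall did not rewrite the PASV reply (no FTP fixup)
    'mismatch'  some other address (multi-homed server, proxy, or misconfiguration)
    """
    ip, _port = parse_pasv(reply)
    if ip == control_peer:
        return "ok"
    advertised = ipaddress.ip_address(ip)
    peer = ipaddress.ip_address(control_peer)
    if advertised.is_private and not peer.is_private:
        return "nat-leak"
    return "mismatch"


def check_listing(host, user="anonymous", passwd="anonymous@", timeout=10):
    """Try a LIST in passive and in active mode; return a per-mode result dict.

    The raw PASV reply is recorded too, because ftplib by default ignores the host in
    the 227 reply and reuses the control-connection address, which would otherwise hide
    exactly the symptom a missing FTP fixup produces.
    """
    results = {}
    for passive in (True, False):
        mode = "passive" if passive else "active"
        ftp = FTP()
        try:
            ftp.connect(host, 21, timeout=timeout)
            ftp.login(user, passwd)
            if passive:
                reply = ftp.sendcmd("PASV")  # raw 227 reply, before ftplib sanitises it
                results["pasv_reply"] = reply
                results["pasv_diagnosis"] = diagnose_pasv(reply, ftp.sock.getpeername()[0])
            ftp.set_pasv(passive)
            lines = []
            ftp.retrlines("LIST", lines.append)  # data channel is opened here
            results[mode] = "ok (%d entries)" % len(lines)
        except Exception as exc:  # timeout, 425/426 data-channel errors, refused PORT, ...
            results[mode] = "fail: %s" % exc
        finally:
            try:
                ftp.quit()
            except Exception:
                ftp.close()
    return results


if __name__ == "__main__":
    import sys
    # "ftp.example.invalid" is a placeholder; pass the real server on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "ftp.example.invalid"
    for key, value in sorted(check_listing(target).items()):
        print("%-15s %s" % (key, value))
```

Read the output as follows: passive failing with a 'nat-leak' diagnosis means the firewall is not rewriting the embedded address (turn on fixup protocol ftp, or use an explicit static for the data ports); passive working but active failing is the usual sign that the client sits behind its own NAT and the server cannot connect back on the PORT it was given, so switch the client to passive mode.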
