FTPES through ASA5505

Unanswered Question
Jan 23rd, 2009

MY ASA5505 is blocking the secure traffic to an FTP server. Standard FTP is fine. What am I missing?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
cisco24x7 Fri, 01/23/2009 - 08:26

How do you define "secure traffic"? Secure FTP (sFTP) or Secure Copy (scp). If that is the

case, open tcp port 22 on the firewall.

If you're using sFTP on Linux/Unix, you may

have to edit the sshd_config file to make this

happen.

onechipit Fri, 01/23/2009 - 08:55

sFTP. I have tried opening ports 22,23 & 24 - no luck.

It is a linux server - which when I connect independently of the ASA works OK in both FTP & sFTP. When connected through the ASA FTP packets in clear0 is OK but sFTP (encrypted packets) are blocked.

onechipit Fri, 01/23/2009 - 13:47

access-list INBOUND-ALLOW extended permit tcp any host 216.191.22.196 eq www log

access-list INBOUND-ALLOW extended permit tcp any host 216.191.22.196 eq https log

access-list INBOUND-ALLOW extended permit tcp any host 216.191.22.196 eq 3389 log

access-list INBOUND-ALLOW extended permit tcp any host 216.191.22.197 eq smtp log

access-list INBOUND-ALLOW extended permit tcp any host 216.191.22.197 eq 3389 log

access-list INBOUND-ALLOW extended permit tcp any host 216.191.22.201 eq 3389 log

access-list INBOUND-ALLOW extended permit tcp any host 216.191.22.203 eq 3389 log

access-list INBOUND-ALLOW extended permit tcp any host 216.191.22.204 eq 3389 log

access-list outbound-smtp extended permit tcp host 10.20.0.12 any eq smtp

access-list no_nat_outbound extended permit ip 10.0.0.0 255.0.0.0 10.100.0.0 255.255.0.0

access-list no_nat_outbound extended permit ip 10.0.0.0 255.0.0.0 10.80.0.0 255.255.0.0

access-list OCP_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0

nat (inside) 0 access-list no_nat_outbound

nat (inside) 3 access-list outbound-smtp

nat (inside) 1 10.0.0.0 255.0.0.0

static (inside,outside) tcp 216.191.22.196 smtp 10.20.0.12 smtp netmask 255.255.255.255 dns

static (inside,outside) tcp 216.191.22.196 3389 10.20.0.12 3389 netmask 255.255.255.255 dns

static (inside,outside) tcp 216.191.22.197 smtp 10.20.0.13 smtp netmask 255.255.255.255 dns

static (inside,outside) tcp 216.191.22.197 3389 10.20.0.13 3389 netmask 255.255.255.255 dns

static (inside,outside) tcp 216.191.22.201 3389 10.20.0.17 3389 netmask 255.255.255.255 dns

static (inside,outside) tcp 216.191.22.203 3389 10.20.0.19 3389 netmask 255.255.255.255 dns

static (inside,outside) tcp 216.191.22.196 www 10.20.0.12 www netmask 255.255.255.255

static (inside,outside) tcp 216.191.22.196 https 10.20.0.12 https netmask 255.255.255.255

static (inside,outside) tcp 216.191.22.204 3389 10.60.0.20 3389 netmask 255.255.255.255

access-group INBOUND-ALLOW in interface outside

route outside 0.0.0.0 0.0.0.0 216.191.22.193 1

route inside 10.0.0.0 255.0.0.0 10.10.0.1 1

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect sqlnet

inspect sunrpc

inspect tftp

cisco24x7 Fri, 01/23/2009 - 14:06

static (inside,outside) tcp 216.191.22.196 22 10.20.0.20 22 22 netmask 255.255.255.255

access-list INBOUND-ALLOW extended permit tcp any host 216.191.22.196 eq 22 log

I assume that 10.20.0.20 is the IP address of the linux server.

onechipit Mon, 01/26/2009 - 08:58

is this for sFTP, we are tring to get FTPES working ? would that be different ?

I believe the issue is, as it stands now because it is a passive connection so it is coming in on port 21 then when it is asked to open up a data channel on another port it fails. Most firewalls will inspect the first packets that come in and dynamically open the data port but since it is encrypted it cannot do this. I can specify the data ports that FTP is allowed opening but it is still not getting though, the firewall must be doing more inspection of these packets and denying them.

Actions

This Discussion