01-23-2009 08:16 AM - edited 03-11-2019 07:41 AM
MY ASA5505 is blocking the secure traffic to an FTP server. Standard FTP is fine. What am I missing?
01-23-2009 08:26 AM
How do you define "secure traffic"? Secure FTP (sFTP) or Secure Copy (scp)? If that is the case, open tcp port 22 on the firewall.
If you're using sFTP on Linux/Unix, you may have to edit the sshd_config file to make this happen.
01-23-2009 08:55 AM
sFTP. I have tried opening ports 22, 23 & 24 - no luck.
It is a Linux server which, when I connect independently of the ASA, works OK in both FTP & sFTP. When connected through the ASA, FTP packets in the clear are OK but sFTP (encrypted) packets are blocked.
01-23-2009 12:48 PM
Post your config so that I may be able to help you.
01-23-2009 01:47 PM
access-list INBOUND-ALLOW extended permit tcp any host 216.191.22.196 eq www log
access-list INBOUND-ALLOW extended permit tcp any host 216.191.22.196 eq https log
access-list INBOUND-ALLOW extended permit tcp any host 216.191.22.196 eq 3389 log
access-list INBOUND-ALLOW extended permit tcp any host 216.191.22.197 eq smtp log
access-list INBOUND-ALLOW extended permit tcp any host 216.191.22.197 eq 3389 log
access-list INBOUND-ALLOW extended permit tcp any host 216.191.22.201 eq 3389 log
access-list INBOUND-ALLOW extended permit tcp any host 216.191.22.203 eq 3389 log
access-list INBOUND-ALLOW extended permit tcp any host 216.191.22.204 eq 3389 log
access-list outbound-smtp extended permit tcp host 10.20.0.12 any eq smtp
access-list no_nat_outbound extended permit ip 10.0.0.0 255.0.0.0 10.100.0.0 255.255.0.0
access-list no_nat_outbound extended permit ip 10.0.0.0 255.0.0.0 10.80.0.0 255.255.0.0
access-list OCP_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
nat (inside) 0 access-list no_nat_outbound
nat (inside) 3 access-list outbound-smtp
nat (inside) 1 10.0.0.0 255.0.0.0
static (inside,outside) tcp 216.191.22.196 smtp 10.20.0.12 smtp netmask 255.255.255.255 dns
static (inside,outside) tcp 216.191.22.196 3389 10.20.0.12 3389 netmask 255.255.255.255 dns
static (inside,outside) tcp 216.191.22.197 smtp 10.20.0.13 smtp netmask 255.255.255.255 dns
static (inside,outside) tcp 216.191.22.197 3389 10.20.0.13 3389 netmask 255.255.255.255 dns
static (inside,outside) tcp 216.191.22.201 3389 10.20.0.17 3389 netmask 255.255.255.255 dns
static (inside,outside) tcp 216.191.22.203 3389 10.20.0.19 3389 netmask 255.255.255.255 dns
static (inside,outside) tcp 216.191.22.196 www 10.20.0.12 www netmask 255.255.255.255
static (inside,outside) tcp 216.191.22.196 https 10.20.0.12 https netmask 255.255.255.255
static (inside,outside) tcp 216.191.22.204 3389 10.60.0.20 3389 netmask 255.255.255.255
access-group INBOUND-ALLOW in interface outside
route outside 0.0.0.0 0.0.0.0 216.191.22.193 1
route inside 10.0.0.0 255.0.0.0 10.10.0.1 1
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
01-23-2009 02:06 PM
static (inside,outside) tcp 216.191.22.196 22 10.20.0.20 22 netmask 255.255.255.255
access-list INBOUND-ALLOW extended permit tcp any host 216.191.22.196 eq 22 log
I assume that 10.20.0.20 is the IP address of the linux server.
01-26-2009 08:58 AM
Is this for sFTP? We are trying to get FTPES working. Would that be different?
I believe the issue is, as it stands now, that because it is a passive connection it comes in on port 21, and then when it is asked to open up a data channel on another port it fails. Most firewalls will inspect the first packets that come in and dynamically open the data port, but since it is encrypted it cannot do this. I can specify the data ports that FTP is allowed to open, but it is still not getting through; the firewall must be doing more inspection of these packets and denying them.
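The point in the post above, that FTP inspection can open the passive data port for plain FTP but has nothing to parse once the control channel is TLS-encrypted (FTPES), as an added example that is not from this thread or from Cisco: a minimal model of the pinhole logic an inspection engine applies to PASV/EPSV replies. The function names, the client address 203.0.113.5 and the sample bytes are assumptions; only the server address 10.20.0.20 comes from the thread.

```python
import re
from typing import Optional, Tuple

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)   -> data port = p1*256 + p2
PASV_RE = re.compile(rb"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# 229 Entering Extended Passive Mode (|||port|)  -> host is the server itself
EPSV_RE = re.compile(rb"229 [^(]*\(\|\|\|(\d+)\|\)")


def passive_endpoint(control_bytes: bytes) -> Optional[Tuple[Optional[str], int]]:
    """Parse the data-channel endpoint a server announces on the control channel.

    Returns (host, port); host is None for EPSV (same host as the control
    connection). Returns None when no passive reply is recognisable, which is
    exactly what happens once the control channel is TLS-encrypted (FTPES).
    """
    m = PASV_RE.search(control_bytes)
    if m:
        host = ".".join(m.group(i).decode() for i in range(1, 5))
        p1, p2 = int(m.group(5)), int(m.group(6))
        if p1 > 255 or p2 > 255:
            return None  # malformed reply: refuse rather than open a bogus pinhole
        return host, p1 * 256 + p2
    m = EPSV_RE.search(control_bytes)
    if m:
        return None, int(m.group(1))
    return None


def pinhole_for(client: str, server: str, control_bytes: bytes) -> Optional[str]:
    """The temporary permit an inspection engine would add for the data channel."""
    ep = passive_endpoint(control_bytes)
    if ep is None:
        return None
    host, port = ep
    return f"permit tcp host {client} host {host or server} eq {port}"


# Constructed samples (not captured traffic). The cleartext reply is what
# `inspect ftp` sees on plain FTP; the second is a TLS application-data record
# header followed by arbitrary bytes standing in for ciphertext, which is all
# the firewall sees on an FTPES control channel after AUTH TLS.
CLEARTEXT_REPLY = b"227 Entering Passive Mode (10,20,0,20,195,89)\r\n"
TLS_APPDATA = b"\x17\x03\x03\x00\x20" + bytes(range(0x40, 0x60))


if __name__ == "__main__":
    print(pinhole_for("203.0.113.5", "10.20.0.20", CLEARTEXT_REPLY))  # pinhole for port 50009
    print(pinhole_for("203.0.113.5", "10.20.0.20", TLS_APPDATA))      # None: nothing to parse
```

Because the announced address is the server's private 10.20.0.20, a real inspection engine also has to rewrite it to the static-NAT public address; that step is what the stripped-down model leaves out.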