SFTP through ASA firewall

Jun 24th, 2010

I have a Unix client that needs to connect to an SFTP server on the internet over the SFTP protocol, but this doesn't work. I have FTP inspection on the ASA and normal FTP works just fine. For SFTP to the server, I have opened port 22 in addition to 20 and 21 for FTP.

I get the error message below:


Connecting to XX.XX.XX.XX...
ssh: connect to host XX.XX.XX.XX port 22: Connection timed out
Couldn't read packet: Connection reset by peer

This same mode of connection works from another location outside my network (only that I do not know if they are behind a firewall or not). Currently, I have NATed the client's private IP (on the inside interface) to a public IP on the outside interface on my ASA, and created an access rule on the inside interface to allow traffic from the private IP to the SFTP server (public IP) on ports 20, 21 and 22.

Can someone tell me what I need to do on the ASA to get this to work? Looking forward to a response soon. Thank you all.

Federico Coto F... Thu, 06/24/2010 - 06:40
User Badges:
  • Green, 3000 points or more


If you remove the FTP inspection does it work?


Magnus Mortensen Thu, 06/24/2010 - 07:04
User Badges:
  • Cisco Employee


If my memory serves me correctly, SFTP is just FTP over an SSH tunnel. Theoretically the only traffic that would pass through the firewall would be TCP/22 for the SSH tunnel. Can you even SSH to that host from behind the firewall? If SSH works, but SFTP doesn't, then there is something strange going on.


danniekay Thu, 06/24/2010 - 07:33

I have removed the inspection but it still doesn't work. I tried SSH to the server too, but it doesn't work either.

Magnus Mortensen Thu, 06/24/2010 - 07:39
User Badges:
  • Cisco Employee


Well, let's target that as our first issue. I'm always a big fan of running a quick packet capture on the firewall in order to see if the packets are hitting the firewall and going where they need to be.

Pre 8.0.4 code:

access-list cap-list permit tcp any host x.x.x.x eq 22

access-list cap-list permit tcp host x.x.x.x eq 22 any

cap inside interface inside access-list cap-list

cap outside interface outside access-list cap-list

Post 8.0.4 code:

cap inside int inside match tcp any host x.x.x.x eq 22

cap outside int outside match tcp any host x.x.x.x eq 22

Then run the test and check the captures with:

show cap inside

show cap outside

Also, let's get some syslogs from the attempt. Do you see any syslogs for that remote IP x.x.x.x?

- Magnus
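The reasoning behind the two captures above is that the inside capture shows whether the client's SYN reaches the ASA at all, and the outside capture shows whether it leaves (already NATed) and whether a SYN-ACK ever comes back. The script below is an added example, not part of this thread or of any Cisco tool: it parses capture output in the tcpdump-style line format that `show cap <name>` prints, and reports where the TCP handshake stalls. The sample capture text is constructed (documentation addresses 192.0.2.10 as the client, 198.51.100.7 as its NAT address, 203.0.113.40 as the SFTP server), and the exact field layout of real output is assumed to match the regular expression used here; adjust it if your ASA version prints extra fields such as VLAN tags.

```python
import re
from collections import namedtuple

# Constructed sample "show cap inside" output: three SYN retries from the
# client toward the SFTP server, nothing coming back.
SHOW_CAP_INSIDE = """\
   1: 10:15:02.481209 192.0.2.10.50412 > 203.0.113.40.22: S 1523894112:1523894112(0) win 5840 <mss 1460,sackOK,timestamp 1 0,nop,wscale 7>
   2: 10:15:05.480711 192.0.2.10.50412 > 203.0.113.40.22: S 1523894112:1523894112(0) win 5840 <mss 1460,sackOK,timestamp 2 0,nop,wscale 7>
   3: 10:15:11.480220 192.0.2.10.50412 > 203.0.113.40.22: S 1523894112:1523894112(0) win 5840 <mss 1460,sackOK,timestamp 3 0,nop,wscale 7>
3 packets shown
"""

# Constructed sample "show cap outside" output: the same SYNs after NAT
# (source is now the public address), still no SYN-ACK from the server.
SHOW_CAP_OUTSIDE = """\
   1: 10:15:02.481301 198.51.100.7.50412 > 203.0.113.40.22: S 1523894112:1523894112(0) win 5840 <mss 1460,sackOK,timestamp 1 0,nop,wscale 7>
   2: 10:15:05.480803 198.51.100.7.50412 > 203.0.113.40.22: S 1523894112:1523894112(0) win 5840 <mss 1460,sackOK,timestamp 2 0,nop,wscale 7>
   3: 10:15:11.480312 198.51.100.7.50412 > 203.0.113.40.22: S 1523894112:1523894112(0) win 5840 <mss 1460,sackOK,timestamp 3 0,nop,wscale 7>
3 packets shown
"""

Packet = namedtuple("Packet", "src sport dst dport syn ack")

# One capture line: "<n>: <time> <src>.<sport> > <dst>.<dport>: <flags> ..."
# (assumed layout; "N packets shown" and similar trailer lines do not match).
CAP_LINE = re.compile(
    r"^\s*\d+:\s+\S+\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRP.]+)(?P<rest>.*)$"
)


def parse_capture(text):
    """Turn show-cap output into Packet tuples; non-packet lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = CAP_LINE.match(line)
        if not m:
            continue
        packets.append(Packet(
            src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]),
            syn="S" in m["flags"],
            ack=" ack " in m["rest"],   # tcpdump style prints "ack <num>" after the flags
        ))
    return packets


def diagnose(inside_cap, outside_cap, server_ip, port=22, expected_nat_ip=None):
    """Locate the point at which the client-to-server handshake stops.

    Returns a dict with a 'verdict' and the packet counts it was based on.
    """
    inside = parse_capture(inside_cap)
    outside = parse_capture(outside_cap)

    def to_server(p):
        return p.dst == server_ip and p.dport == port and p.syn and not p.ack

    def from_server(p):
        return p.src == server_ip and p.sport == port and p.syn and p.ack

    syn_in = [p for p in inside if to_server(p)]
    syn_out = [p for p in outside if to_server(p)]
    synack_out = [p for p in outside if from_server(p)]
    synack_in = [p for p in inside if from_server(p)]

    if not syn_in:
        verdict = "no SYN on inside: client traffic never reached the ASA (routing/host)"
    elif not syn_out:
        verdict = "SYN seen inside but not outside: dropped on the ASA (ACL, NAT or inspection)"
    elif expected_nat_ip and any(p.src != expected_nat_ip for p in syn_out):
        verdict = "SYN left with an unexpected source address: check the NAT rule"
    elif not synack_out:
        verdict = "SYN left outside, no SYN-ACK returned: problem upstream of the ASA"
    elif not synack_in:
        verdict = "SYN-ACK seen outside but not inside: return traffic dropped on the ASA"
    else:
        verdict = "handshake completed through the ASA"

    return {
        "verdict": verdict,
        "syn_inside": len(syn_in), "syn_outside": len(syn_out),
        "synack_outside": len(synack_out), "synack_inside": len(synack_in),
    }


if __name__ == "__main__":
    result = diagnose(SHOW_CAP_INSIDE, SHOW_CAP_OUTSIDE,
                      server_ip="203.0.113.40", expected_nat_ip="198.51.100.7")
    print(result["verdict"])
```

Paste the real `show cap inside` and `show cap outside` output in place of the constructed strings. A "Connection timed out" with SYNs visible on both interfaces and no SYN-ACK points away from the ASA's own rules; SYNs visible only on the inside capture point at the ASA's ACL, NAT or inspection configuration.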

danniekay Thu, 06/24/2010 - 07:52

Hi Magnus,

Thanks for your suggestion. I will not be able to capture packets using packet capturing tools as my ASA is carrying live traffic. But one thing I have done is that, when I do a packet trace on the ASA from my local IP (random port) to the sftp server (public IP) on ports 20,21 & 22; my ASA tells me that packet is allowed.

I guess this is equivalent to the packet capturing you suggested? Right?

Magnus Mortensen Thu, 06/24/2010 - 07:58
User Badges:
  • Cisco Employee


The captures should be safe to run during production as they are not CPU intensive. Also you should be able to get the output of:

show conn | in x.x.x.x

I would be interested to see what the connection flags indicate. Have you tested this SFTP from outside your firewall?


danniekay Thu, 06/24/2010 - 10:38

Hi Magnus,

Is there a generic way for me to capture the packets on the ASA, or do I need a packet capturing tool like Ethereal? I did show conn | in x.x.x.x for the SFTP public IP as well as the local server IP, but there was no log.

