16360 Views | 5 Helpful | 7 Replies

SFTP through ASA firewall

danniekay
Level 1

I have a Unix client that needs to connect to an sftp server on the internet through SFTP protocol but this doesn't work. I have FTP inspection on the ASA and normal FTP works just fine. For SFTP to the server, I have opened port 22 in addition to 20 and 21 for ftp.

I get the error message below:

Connecting to XX.XX.XX.XX...
ssh: connect to host XX.XX.XX.XX port 22: Connection timed out
Couldn't read packet: Connection reset by peer

This same mode of connection works from another location outside my network (only that i do not know if they are behind a firewall or not). Currently, I have natted the client's private IP (on the inside interface) to a public IP on the outside interface on my ASA. And created an access rule on the inside interface to allow traffic from the private IP to the SFTP server (public IP) on ports 20, 21,  and 22.

Can someone tell me what I need to do on the ASA to get this to work? Looking forward to a response soon. Thank you all

7 Replies

Hi,

If you remove the FTP inspection does it work?

Federico.

Magnus Mortensen
Cisco Employee

Dannie,

     If my memory serves me correctly, SFTP is just FTP over an SSH tunnel. Theoretically the only traffic that would pass through the firewall would be TCP/22 for the SSH tunnel. Can you even SSH to that host from behind the firewall? If SSH works but SFTP doesn't, then there is something strange going on.

-Magnus

I have removed the inspection but it still doesn't work. I tried ssh to the server too, but it doesn't work either.

Dannie,

     Well, let's target that as our first issue. I'm always a big fan of running a quick packet capture on the firewall in order to see if the packets are hitting the firewall and going where they need to be....

Pre 8.0.4 code:

access-list cap-list permit tcp any host x.x.x.x eq 22
access-list cap-list permit tcp host x.x.x.x eq 22 any
cap inside interface inside access-list cap-list
cap outside interface outside access-list cap-list

Post 8.0.4 code:

cap inside int inside match tcp any host x.x.x.x eq 22
cap outside int outside match tcp any host x.x.x.x eq 22

Then run the test and check the captures with:

show cap inside
show cap outside

Also let's get some syslogs from the attempt. Do you see any syslogs for that remote IP x.x.x.x?

- Magnus
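A small added helper (not part of this thread or of Cisco's tooling) that reads the two "show cap" outputs Magnus asks for and says where the TCP/22 flow stops. The packet-line layout is modelled on the tcpdump-style lines the ASA prints; the capture text and the addresses (192.168.1.10, 203.0.113.5) are constructed samples.

```python
import re

# Constructed sample output in the style of "show cap <name>" on an ASA (not from the thread):
# two SYNs from the inside client to the server, and nothing at all seen on the outside interface.
INSIDE_CAP = """\
2 packets captured
   1: 10:15:01.100000 192.168.1.10.51234 > 203.0.113.5.22: S 100:100(0) win 65535 <mss 1460>
   2: 10:15:04.100000 192.168.1.10.51234 > 203.0.113.5.22: S 100:100(0) win 65535 <mss 1460>
2 packets shown
"""
OUTSIDE_CAP = """\
0 packets captured
0 packets shown
"""

# One packet line: "<n>: <time> <src>.<sport> > <dst>.<dport>: <flags> ... [ack <n>] ..."
# (assumed layout; summary lines such as "N packets captured" do not match and are skipped)
PKT_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<flags>[SFRP.]+)(?P<rest>.*)$"
)

def parse_capture(text):
    """Return one dict per packet line; 'ack' is True when the segment carries an ACK number."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            pkts.append({"src": m["src"], "sport": int(m["sport"]), "dst": m["dst"],
                         "dport": int(m["dport"]), "flags": m["flags"],
                         "ack": " ack " in m["rest"]})
    return pkts

def diagnose(inside_text, outside_text, server_ip, port=22):
    """Compare the inside and outside captures for one TCP service and report where the flow stops."""
    inside, outside = parse_capture(inside_text), parse_capture(outside_text)
    to_srv = lambda p: p["dst"] == server_ip and p["dport"] == port and p["flags"] == "S" and not p["ack"]
    syn_in = [p for p in inside if to_srv(p)]
    syn_out = [p for p in outside if to_srv(p)]   # source may be the NATed public IP here
    synack_out = [p for p in outside
                  if p["src"] == server_ip and p["sport"] == port and p["flags"] == "S" and p["ack"]]
    if not syn_in:
        return "no SYN on inside: client traffic never reaches the ASA (check client routing)"
    if not syn_out:
        return "SYN on inside but not on outside: dropped or mis-NATed by the ASA (check ACL, NAT, syslogs)"
    if not synack_out:
        return "SYN left the outside interface but no SYN/ACK came back: remote host or upstream path"
    return "handshake visible on both interfaces: look past the ASA (inspection or application layer)"

if __name__ == "__main__":
    print(diagnose(INSIDE_CAP, OUTSIDE_CAP, "203.0.113.5"))
```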

Hi Magnus,

Thanks for your suggestion. I will not be able to capture packets using packet capturing tools as my ASA is carrying live traffic. But one thing I have done is that, when I do a packet trace on the ASA from my local IP (random port) to the sftp server (public IP) on ports 20, 21 and 22, my ASA tells me that the packet is allowed.

I guess this is equivalent to the packet capturing you suggested? Right?

Dannie,

     The captures should be safe to run during production as they are not CPU intensive. Also you should be able to get the output of:

show conn | in x.x.x.x

I would be interested to see what the connection flags indicate... have you tested this SFTP from outside your firewall?

-Magnus

Hi Magnus,

Is there a generic way for me to capture the packets on the ASA, or do I need a packet capturing tool like Ethereal? I did show conn | in x.x.x.x for the sftp public IP as well as the local server IP, but there was no log.
