Allowing FTPS access in ASA 5510

Sihanu N
Level 1

Hi Experts,

We had an ASA 5510 as a firewall in our environment, and there is a requirement to access an ftps server from our location. Currently from the server location they configured everything by allowing our public ip to their server and gave the following details to access ftp.

Server address for accessing ftp > ftp://ftp.<server address>.com

FTPS Access from port 990 (Implicit)

User ID: <user id>

Password: <password>

Please suggest which traffic needs to be allowed in our ASA to access the ftp server address as mentioned above. From my initial analysis, it's found that 989 port is also enabled for the access, but that was not mentioned by them.

Any advice or suggestions regarding this are highly appreciated.

Regards,

Sihanu N


Julio Carvajal
VIP Alumni

Hello Sihanu,

So the Secure FTP server will be outside your network.....

All you need to do is to open the required TCP ports (in this case 990) on the interface where the clients are going to be.

Let's focus on the following topology:

PC1------------(inside)ASA(outside)--------------INTERNET---------------SFTP

All you will need to do is if you have an ACL on the inside interface add a line

access-list test permit tcp host PC1 host SFTP eq 990

I think this document will help:

https://supportforums.cisco.com/docs/DOC-23206

You will need to focus on the scenario 2:

Client on the inside and server on the outside, Server on Passive mode.

Same thing, client initiates the connection on port 990/22, the server agrees and waits for the client to set the port command. Client initiates the connection to the outside world in that n+1 port to the server and everything is going to work fine.

This may sound a little bit complicated; what you need to understand is that the firewall cannot open the Data channel because the Control channel is encrypted. Make sure that the data channel is seen by the firewall as a regular connection.

Regards,

Do rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
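Worked example of the inside-interface ACL the reply describes, added here and not part of the original thread. It assumes ASA 8.3+ object syntax, placeholder addresses (192.0.2.10 for PC1, 203.0.113.25 for the FTPS server) and a passive data port range of 50000-50100 that the server operator would have to publish to you; because the control channel on 990 is TLS-encrypted, the ASA's ftp inspection cannot learn the negotiated data port, so the data range must be permitted explicitly.

```cisco
! Added example; addresses and the passive range are placeholders, not values from the thread.
object network PC1
 host 192.0.2.10
object network FTPS-SERVER
 host 203.0.113.25

! Implicit FTPS: TLS control channel on 990, conventional implicit data port 989
object-group service FTPS-IMPLICIT tcp
 description Implicit FTPS control (990) and data (989) ports
 port-object eq 990
 port-object eq 989

! Passive data ports: must match the range the server operator actually uses
object-group service FTPS-PASV tcp
 description Passive-mode data port range published by the server operator
 port-object range 50000 50100

! Scope the permits to the one client and the one server, then log everything else
access-list INSIDE_IN extended permit tcp object PC1 object FTPS-SERVER object-group FTPS-IMPLICIT
access-list INSIDE_IN extended permit tcp object PC1 object FTPS-SERVER object-group FTPS-PASV
access-list INSIDE_IN deny ip any any log

access-group INSIDE_IN in interface inside
```

If the server operator cannot give you a fixed passive range, the only alternative is to widen the second permit, so ask for the range rather than permitting all high ports.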