Checkpoint to ASA migration. Problems with pasv ftps.
Moving from Checkpoint to ASA. Migrated about 20% of my policies earlier this week and had to back out one. FTPS from 10.60.10.205 (inside) destined for 184.108.40.206 (prod-outside). Users got the error message "500 Illegal PORT range" when entering PASV mode...
220 pw-sftp-cl1.nmhcrx.com FTP server (Version 6.00LS+TLS) ready.
234 AUTH SSL command successful.
SSL Session Started.
Host type (1): Automatic detect
331 Password required for myuser.
230 User myuser logged in, access restrictions apply.
215 UNIX Type: L8
Host type (2): UNIX (standard)
200 PBSZ command successful (PBSZ=0).
504 PROT command not available in FTP-SSL compatibility mode.
257 "/" is current directory.
200 Type set to A.
227 Entering Passive Mode (65,217,149,5,165,146)
connecting data channel to 220.127.116.11:165,146(42386)
500 Illegal PORT range rejected.
Port failed 500 Illegal PORT range rejected.
FTP inspection is enabled. Do I need to exclude this from inspection because it is encrypted? If so, how do I handle the data channel and associated dynamic ports?
Tried fixup protocol ftp 21 based upon feedback in another NetPro discussion.
Also modified policy and nat rules to permit both tcp/ftp and tcp/ftp-data.
I'm new to the ASA and not having much luck with TAC. Most recent feedback from TAC "Let me do some research about it since I am not sure if FTPS is supported on ASA firewalls. I will keep you posted." Any suggestions?
Re: Checkpoint to ASA migration. Problems with pasv ftps.
It appears the outbound request for the data channel is being blocked. The server side randomly assigns a high port in PASV mode. My client then attempts to connect on this high port and is being blocked. FTP inspection would normally pick this up and allow the high port. It doesn't work here because all of the payload is encrypted. The interim fix is to allow all IP outbound to this particular destination. Not really a good long-term solution. Any better suggestions out there?
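The mechanism the reply describes, as an added example that is not part of the original thread and not Cisco's inspection code: a stateful FTP inspection engine reads the server's 227 reply on the control channel, derives the dynamic data port from the last two fields (p1*256 + p2, so 165,146 is port 42386 as the client log shows), and opens a one-shot pinhole for the client's connection to that port. The model below does exactly that, and also stops parsing once the server has accepted AUTH (reply 234), because from that point every byte of the control channel is TLS ciphertext and the 227 reply never reaches the engine in readable form. It goes slightly beyond the post by also handling the EPSV form (229, RFC 2428). The server and client addresses are taken from the post's PASV reply and source host; the reply sequences are constructed samples, and the two sanity checks in data_channel_pinhole are this example's own policy, not a statement about what the ASA checks.

```python
"""Model of what stateful FTP inspection does with a passive-mode reply.

Added example (not code from the original post or from Cisco): parses a
227 (PASV) or 229 (EPSV, RFC 2428) reply, derives the dynamic data port,
builds the pinhole a firewall would open, and shows why the same logic
yields nothing once the control channel is wrapped in TLS (AUTH SSL/TLS).
"""
import re

PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")


def parse_passive_reply(reply, control_peer_ip):
    """Return (ip, port) of the data channel announced by a 227 or 229 reply.

    control_peer_ip is the server address of the control connection; an EPSV
    reply carries only a port, so the address is taken from there.
    """
    m = PASV_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            raise ValueError("PASV field out of octet range")
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(1))
        if not 1 <= port <= 65535:
            raise ValueError("EPSV port out of range")
        return control_peer_ip, port
    raise ValueError("not a passive-mode reply")


def data_channel_pinhole(reply, control_peer_ip, client_ip):
    """Build the one-shot permit an inspection engine would add for the data channel.

    Two sanity checks, both this example's own policy (not a claim about ASA):
    the announced address must be the control-channel peer, so the client is
    never steered to a third host, and the port must not be a privileged port.
    """
    ip, port = parse_passive_reply(reply, control_peer_ip)
    if ip != control_peer_ip:
        raise ValueError(f"PASV address {ip} is not the control peer {control_peer_ip}")
    if port < 1024:
        raise ValueError(f"data port {port} is in the privileged range")
    return {"proto": "tcp", "src": client_ip, "dst": ip, "dport": port}


def inspect_control_channel(server_replies, control_peer_ip, client_ip):
    """Walk the server's control-channel replies as a firewall sees them on the wire.

    Returns (pinholes, opaque_after). Once the server accepts AUTH (234), every
    later byte is TLS ciphertext: the engine cannot read the 227/229 reply, no
    pinhole is created, and the client's data connection falls through to the
    ordinary outbound policy.
    """
    pinholes = []
    for line in server_replies:
        if line.startswith("234 "):
            return pinholes, True
        if line.startswith(("227 ", "229 ")):
            pinholes.append(data_channel_pinhole(line, control_peer_ip, client_ip))
    return pinholes, False


# Constructed sample sessions. The FTPS one follows the order of replies in the
# post (AUTH accepted before PASV); the cleartext one is the same server without
# TLS. Addresses and the PASV reply are taken from the post.
SERVER_IP = "65.217.149.5"
CLIENT_IP = "10.60.10.205"
FTPS_REPLIES = [
    "220 FTP server ready.",
    "234 AUTH SSL command successful.",
    "227 Entering Passive Mode (65,217,149,5,165,146)",  # TLS ciphertext on the wire
]
CLEAR_REPLIES = [
    "220 FTP server ready.",
    "227 Entering Passive Mode (65,217,149,5,165,146)",
]

if __name__ == "__main__":
    print("cleartext:", inspect_control_channel(CLEAR_REPLIES, SERVER_IP, CLIENT_IP))
    print("ftps:     ", inspect_control_channel(FTPS_REPLIES, SERVER_IP, CLIENT_IP))
```

Run stand-alone it prints one pinhole (tcp 10.60.10.205 to 65.217.149.5:42386) for the cleartext session and an empty list with opaque_after set for the FTPS session, which is the situation in the thread: the firewall has no data-port information to act on, so the only policy choices left are a static permit toward the server's passive port range or a broad permit like the interim fix above.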