New Member

ftp and sftp through pix 501 with attachment

Hi All,

I am having problems porting ftp and sftp through a PIX 501 v6.3. Attached is my configuration; if anyone has any input I would appreciate it.

Thanks, - Ed

Cisco Employee

Re: ftp and sftp through pix 501 with attachment

SFTP doesn't work with static port redirection; you need a free public IP, map it to the FTP server and open ports on the outside access-list.

Silver

Re: ftp and sftp through pix 501 with attachment

"SFTP doesn't work with static port redirection, you need a free public ip, map it to ftp server and open ports on the outside access-list"

Say what? Are you aware that SFTP is a sub-component of SSH? If what you say is true, how do you explain this:

interface F0/0
 ip address 129.174.1.13 255.255.255.240
 ip nat outside
interface F0/1
 ip address 192.168.15.10 255.255.255.0
 ip nat inside
ip nat inside source static tcp 192.168.15.10 22 interface FastEthernet0/0 22

Nokia-1-P[admin]# sftp -v root@129.174.1.13
Connecting to 129.174.1.13...
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090604f
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 0 geteuid 0 anon 1
debug1: Connecting to 129.174.1.13 [129.174.1.13] port 22.
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /var/emhome/admin/.ssh/id_rsa type -1
debug1: identity file /var/emhome/admin/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2
debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-sha1 none
debug1: kex: client->server aes128-cbc hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 160/320
debug1: bits set: 1625/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '129.174.1.13' is known and matches the RSA host key.
debug1: Found key in /var/emhome/admin/.ssh/known_hosts:11
debug1: bits set: 1595/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /var/emhome/admin/.ssh/id_rsa
debug1: try privkey: /var/emhome/admin/.ssh/id_dsa
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is password
root@129.174.1.13's password:
debug1: packet_send2: adding 64 (len 58 padlen 6 extra_pad 64)
debug1: ssh-userauth2 successful: method password
debug1: fd 4 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: Sending subsystem: sftp
debug1: channel request 0: subsystem
debug1: channel 0: open confirm rwindow 0 rmax 32768
sftp> cd /tmp
sftp> ls
drwxrwxrwt 7 root root 12288 Feb 19 09:30 .
drwxr-xr-x 23 root root 4096 Feb 13 10:45 ..
drwxrwxrwt 2 root root 4096 Feb 13 10:45 .X11-unix
drwxrwxrwx 2 bin bin 4096 Feb 13 10:48 .iroha_unix
sftp> exit
Nokia-1-P[admin]#

CCIE Security

New Member

Re: ftp and sftp through pix 501 with attachment

Thanks, but I think that is FTPS or FTP over SSL.

When I indicate SFTP I mean SSH FTP, which travels in and out on one port, usually 22. I have this working now; it turned out to be a problem with the SFTP server.

The simple FTP connection is still acting up, however: it will connect but won't list directories.

Cisco Employee

Re: ftp and sftp through pix 501 with attachment

Well, I meant FTP over SSL doesn't work over PAT; for FTP over SSH it should work.

Is fixup ftp turned on?

What kind of FTP connection is this, active or passive?

I would like to try this FTP using "Core FTP client"; download it from Google.

By any chance, do you have logs with you?
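The last reply's two questions (is fixup ftp on, and is the session active or passive) are the right ones for the "connects but won't list directories" symptom, and the contrast with the SSH case above is instructive: SSH carries no addresses inside the session, so a plain static port translation on 22 is enough, whereas plain FTP announces an IP address and port inside the control channel (the PORT command in active mode, the 227 reply in passive mode) that a header-only PAT leaves untouched. The script below is an added example, not from the thread or from Cisco: it parses a constructed FTP control-channel transcript, decodes those embedded addresses, flags the ones a PAT device must rewrite (which is what fixup protocol ftp does), and shows the rewrite. The addresses, user name and transcript are constructed sample values.

```python
"""Why plain FTP connects but cannot LIST through PAT without fixup.

Added example (not from the thread). FTP embeds host and port inside the
control channel: a PORT command in active mode, a 227 reply in passive
mode. A PAT device that rewrites only packet headers leaves them alone,
so the data connection for LIST/RETR is attempted to an address the peer
cannot reach and the listing hangs. FTP-aware NAT (the PIX fixup) inspects
the control channel and rewrites them. All values below are constructed.
"""
import ipaddress
import re

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    """FTP encodes host and port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(ip, port):
    """Inverse of decode_hostport, used when rewriting a PORT line."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def parse_ftp_line(line):
    """Return (mode, ip, port) for a PORT command or a 227 reply, else None."""
    m = PORT_RE.match(line)
    if m:
        return ("active",) + decode_hostport(m.groups())
    m = PASV_RE.match(line)
    if m:
        return ("passive",) + decode_hostport(m.groups())
    return None


def rewrite_port_line(line, public_ip):
    """What an FTP-aware NAT does to an active-mode PORT command: swap the
    inside host's private address for the translated public address.
    The port is kept as-is here; a real PAT device may translate it too."""
    parsed = parse_ftp_line(line)
    if parsed is None or parsed[0] != "active":
        return line
    _, _, port = parsed
    return "PORT " + encode_hostport(public_ip, port)


def analyze_session(lines, inside_ip, public_ip):
    """Walk a control-channel transcript of (direction, text) pairs seen from
    the inside client and classify every embedded address.
    Returns a list of (text, code, detail) tuples."""
    findings = []
    for direction, text in lines:
        parsed = parse_ftp_line(text)
        if parsed is None:
            continue
        mode, ip, port = parsed
        if mode == "active" and direction == "C->S":
            if ipaddress.ip_address(ip).is_private or ip == inside_ip:
                findings.append((text, "NEEDS_FIXUP",
                                 f"server told to connect back to {ip}:{port}, which it "
                                 f"cannot reach; fixup rewrites it to {public_ip}:{port}"))
            else:
                findings.append((text, "OK", f"server can connect back to {ip}:{port}"))
        elif mode == "passive":
            findings.append((text, "OUTBOUND",
                             f"client opens the data connection to {ip}:{port}; header "
                             f"NAT is enough if outbound TCP to that port is permitted"))
    return findings


# Constructed transcript: inside client 192.168.15.20 talking to an outside
# server 203.0.113.5; first an active-mode LIST, then a passive-mode retry.
SESSION = [
    ("S->C", "220 FTP server ready"),
    ("C->S", "USER ed"),
    ("S->C", "331 Password required"),
    ("C->S", "PASS [redacted]"),
    ("S->C", "230 Logged in"),
    ("C->S", "PORT 192,168,15,20,4,1"),          # private address leaks to the server
    ("S->C", "200 PORT command successful"),
    ("C->S", "LIST"),                            # hangs without fixup
    ("C->S", "PASV"),
    ("S->C", "227 Entering Passive Mode (203,0,113,5,195,80)."),
    ("C->S", "LIST"),
]

if __name__ == "__main__":
    for text, code, detail in analyze_session(SESSION, "192.168.15.20", "198.51.100.7"):
        print(f"{code:11} {text!r}: {detail}")
    print("rewritten:", rewrite_port_line("PORT 192,168,15,20,4,1", "198.51.100.7"))
```

Run against the constructed transcript, the active-mode PORT line is reported as needing fixup while the passive 227 reply is reported as an ordinary outbound connection, which is why switching a client to passive mode is the usual quick test when a listing hangs behind a device that is not inspecting FTP.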
