New Member

FTP over TLS not working

Hi all,

I configured port redirection on the ASA to allow external users access to an internal FTPS server, but it's not working.

I use the FileZilla client to connect, but I get this error.

Statut :    Connexion à x.x.x.x:21...

Statut :    Connexion établie, attente du message d'accueil...

Réponse :    220-Microsoft FTP Service

Réponse :    220 FTP-Server FTP

Commande :    AUTH TLS

Réponse :    234 AUTH command ok. Expecting TLS Negotiation.

Statut :    Initialisation de TLS...

Erreur :    Délai d'attente expiré

Erreur :    Impossible d'établir une connexion au serveur

Please, does anybody know what can cause this issue?

Thanks for your help.

4 REPLIES

FTP over TLS not working

Hello,

Is this FTPS server working on active mode?

Can you share the nat configuration for the server?

Regards,

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

FTP over TLS not working

The ASA is configured in passive mode.

This is the NAT configuration:

static (DMZ1,outside) tcp interface 20 'ftps-server-private IP' 20
static (DMZ1,outside) tcp interface 21 'ftps-server-private IP' 21

access-list outside_access_in extended permit tcp any host 'Outside_public_IP' eq 20
access-list outside_access_in extended permit tcp any host 'Outside_public_IP' eq 21

FTP over TLS not working

Hello,

Here is a document that you will need to read

https://supportforums.cisco.com/docs/DOC-23206

As you can see, you will be using FTPS (FTP over SSL), which uses port 990 for the control channel (this information is encrypted), and the data channel goes in plain text.

Is there a way you can use a static one to one and then allow port 990 on the outside ACL?

Regards,

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
Gold

Re: FTP over TLS not working

Hi

FTPS is not supported in the ASA, due to the problem of the traffic being encrypted.

However, in some FTPS servers you can set things up so that only a few ports are used.

Then you can open all those ports that you have chosen.

If you want a better alternative than FTPS, use SFTP.

FTPS is firewall unfriendly

SFTP is firewall friendly

SFTP will work correctly all the time.

Good luck

HTH
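
The fixed passive port range suggested in the last reply can be checked from the client side. The following is an added example, not code from this thread or from Cisco: it parses the passive-mode reply the client receives after AUTH TLS (which the firewall cannot read, rewrite or open a pinhole for) and reports whether the advertised address and port match what the firewall exposes. The port range 50000-50010, the address 203.0.113.10 and all sample replies are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed values for illustration: the passive range set on the FTPS server
# and permitted on the outside ACL, and the public address clients connect to.
PASV_PORTS = range(50000, 50011)
PUBLIC_IP = "203.0.113.10"

def parse_passive_reply(reply):
    """Return (ip, port) from a 227 PASV reply, or (None, port) from 229 EPSV."""
    m = re.match(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if m:
        nums = [int(x) for x in m.groups()]
        if max(nums) > 255:
            raise ValueError(f"octet out of range in: {reply!r}")
        ip = ipaddress.ip_address(".".join(map(str, nums[:4])))
        return ip, nums[4] * 256 + nums[5]
    m = re.match(r"229 .*?\((.)\1\1(\d+)\1\)", reply)
    if m:
        return None, int(m.group(2))  # EPSV carries no address, only a port
    raise ValueError(f"not a passive-mode reply: {reply!r}")

def data_channel_problems(reply, public_ip=PUBLIC_IP, ports=PASV_PORTS):
    """List why the data connection would fail when the firewall cannot read
    (and so cannot NAT-rewrite or dynamically permit) the encrypted reply."""
    ip, port = parse_passive_reply(reply)
    problems = []
    if ip is not None and ip != ipaddress.ip_address(public_ip):
        problems.append(f"server advertises {ip}, clients can only reach {public_ip}")
    if port not in ports:
        problems.append(f"port {port} is outside {ports.start}-{ports.stop - 1}")
    return problems

if __name__ == "__main__":
    # Constructed sample replies, as the client would see them inside TLS.
    samples = [
        "227 Entering Passive Mode (203,0,113,10,195,85)",  # public IP, port 50005
        "227 Entering Passive Mode (192,168,10,5,4,1)",     # private IP, port 1025
        "229 Entering Extended Passive Mode (|||50010|)",   # EPSV, port only
    ]
    for s in samples:
        print(s, "->", data_channel_problems(s) or "ok")
```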
