Cisco Support Community

New Member

FTPES through ASA5505

My ASA5505 is blocking the secure traffic to an FTP server. Standard FTP is fine. What am I missing?

Silver

Re: FTPES through ASA5505

How do you define "secure traffic"? Secure FTP (sFTP) or Secure Copy (scp)? If that is the case, open tcp port 22 on the firewall. If you're using sFTP on Linux/Unix, you may have to edit the sshd_config file to make this happen.

New Member

Re: FTPES through ASA5505

sFTP. I have tried opening ports 22, 23 & 24 - no luck.

It is a Linux server which, when I connect independently of the ASA, works OK in both FTP & sFTP. When connected through the ASA, FTP packets in the clear are OK but sFTP (encrypted packets) are blocked.

Silver

Re: FTPES through ASA5505

Post your config so that I may be able to help you.

New Member

Re: FTPES through ASA5505

access-list INBOUND-ALLOW extended permit tcp any host 216.191.22.196 eq www log
access-list INBOUND-ALLOW extended permit tcp any host 216.191.22.196 eq https log
access-list INBOUND-ALLOW extended permit tcp any host 216.191.22.196 eq 3389 log
access-list INBOUND-ALLOW extended permit tcp any host 216.191.22.197 eq smtp log
access-list INBOUND-ALLOW extended permit tcp any host 216.191.22.197 eq 3389 log
access-list INBOUND-ALLOW extended permit tcp any host 216.191.22.201 eq 3389 log
access-list INBOUND-ALLOW extended permit tcp any host 216.191.22.203 eq 3389 log
access-list INBOUND-ALLOW extended permit tcp any host 216.191.22.204 eq 3389 log
access-list outbound-smtp extended permit tcp host 10.20.0.12 any eq smtp
access-list no_nat_outbound extended permit ip 10.0.0.0 255.0.0.0 10.100.0.0 255.255.0.0
access-list no_nat_outbound extended permit ip 10.0.0.0 255.0.0.0 10.80.0.0 255.255.0.0
access-list OCP_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
nat (inside) 0 access-list no_nat_outbound
nat (inside) 3 access-list outbound-smtp
nat (inside) 1 10.0.0.0 255.0.0.0
static (inside,outside) tcp 216.191.22.196 smtp 10.20.0.12 smtp netmask 255.255.255.255 dns
static (inside,outside) tcp 216.191.22.196 3389 10.20.0.12 3389 netmask 255.255.255.255 dns
static (inside,outside) tcp 216.191.22.197 smtp 10.20.0.13 smtp netmask 255.255.255.255 dns
static (inside,outside) tcp 216.191.22.197 3389 10.20.0.13 3389 netmask 255.255.255.255 dns
static (inside,outside) tcp 216.191.22.201 3389 10.20.0.17 3389 netmask 255.255.255.255 dns
static (inside,outside) tcp 216.191.22.203 3389 10.20.0.19 3389 netmask 255.255.255.255 dns
static (inside,outside) tcp 216.191.22.196 www 10.20.0.12 www netmask 255.255.255.255
static (inside,outside) tcp 216.191.22.196 https 10.20.0.12 https netmask 255.255.255.255
static (inside,outside) tcp 216.191.22.204 3389 10.60.0.20 3389 netmask 255.255.255.255
access-group INBOUND-ALLOW in interface outside
route outside 0.0.0.0 0.0.0.0 216.191.22.193 1
route inside 10.0.0.0 255.0.0.0 10.10.0.1 1
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp

Silver

Re: FTPES through ASA5505

static (inside,outside) tcp 216.191.22.196 22 10.20.0.20 22 netmask 255.255.255.255
access-list INBOUND-ALLOW extended permit tcp any host 216.191.22.196 eq 22 log

I assume that 10.20.0.20 is the IP address of the linux server.

New Member

Re: FTPES through ASA5505

Is this for sFTP? We are trying to get FTPES working. Would that be different?

I believe the issue is, as it stands now, that because it is a passive connection it is coming in on port 21, and then when it is asked to open up a data channel on another port it fails. Most firewalls will inspect the first packets that come in and dynamically open the data port, but since it is encrypted it cannot do this. I can specify the data ports that FTP is allowed to open but it is still not getting through; the firewall must be doing more inspection of these packets and denying them.
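The mechanism described in the reply above, as an added example that is not part of the original thread or of any Cisco code: a toy Python model of what a stateful firewall's FTP inspection engine (the ASA's `inspect ftp`) gets to see on the TCP/21 control channel. It parses PORT commands and 227 PASV replies to derive the data connection it must open a pinhole for, rewrites the embedded inside address the way a NAT fixup would, and goes blind the moment the server accepts `AUTH TLS` with a 234 reply, because everything after that is TLS ciphertext. The two transcripts, the inside/outside address pair (10.20.0.20 and 216.191.22.196, borrowed from the thread's static entries) and the port numbers are constructed for illustration; nothing here is a claim about what the poster's ASA actually did.

```python
"""Toy model of stateful FTP inspection on the control channel.

Added example, not taken from the thread or from Cisco. All transcripts,
addresses and ports are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple

HostPort = Tuple[str, int]

# RFC 959 encodes address and port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
SIX_OCTETS = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(r"^227 .*?\(" + SIX_OCTETS + r"\)")   # server -> client
PORT_RE = re.compile(r"^PORT " + SIX_OCTETS + r"\s*$")     # client -> server


def decode_hostport(octets: Sequence[str]) -> HostPort:
    """Turn the six PORT/PASV octets into (ip, port), rejecting bad octets."""
    nums = [int(o) for o in octets]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in PORT/PASV argument")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


@dataclass
class FtpInspector:
    nat: Dict[str, str] = field(default_factory=dict)   # inside ip -> outside ip
    pinholes: List[HostPort] = field(default_factory=list)
    encrypted: bool = False

    def observe(self, direction: str, line: str) -> Optional[HostPort]:
        """Feed one control-channel line; return the pinhole opened, if any."""
        if self.encrypted:
            return None                      # ciphertext: nothing to parse
        if direction == "c2s":
            m = PORT_RE.match(line)
            if m:                            # active mode: client's address/port
                hp = decode_hostport(m.groups())
                self.pinholes.append(hp)
                return hp
            return None
        if line.startswith("234 "):
            # server accepted AUTH TLS; the handshake follows and from here on
            # the inspector sees only TLS records
            self.encrypted = True
            return None
        m = PASV_RE.match(line)
        if m:                                # passive mode: server's address/port
            ip, port = decode_hostport(m.groups())
            hp = (self.nat.get(ip, ip), port)   # NAT fixup of the embedded address
            self.pinholes.append(hp)
            return hp
        return None

    def allows_data_connection(self, dst: HostPort,
                               static_permits: Sequence[HostPort] = ()) -> bool:
        """Data connection passes via a dynamic pinhole or a static ACL entry."""
        return dst in self.pinholes or dst in static_permits


def run(transcript, nat: Optional[Dict[str, str]] = None) -> FtpInspector:
    insp = FtpInspector(nat=dict(nat or {}))
    for direction, line in transcript:
        insp.observe(direction, line)
    return insp


# Constructed data. The address pair mirrors the thread's static entries.
NAT = {"10.20.0.20": "216.191.22.196"}

PLAIN_FTP = [
    ("s2c", "220 ftp ready"),
    ("c2s", "USER alice"), ("s2c", "331 Password required"),
    ("c2s", "PASS secret"), ("s2c", "230 Logged in"),
    ("c2s", "PASV"),
    ("s2c", "227 Entering Passive Mode (10,20,0,20,195,80)"),   # 195*256+80 = 50000
    ("c2s", "LIST"), ("s2c", "150 Opening data connection"),
]

FTPES = [
    ("s2c", "220 ftp ready"),
    ("c2s", "AUTH TLS"),
    ("s2c", "234 Proceed with negotiation"),
    # from here the firewall sees TLS records; placeholders stand in for them
    ("c2s", "<TLS record>"), ("s2c", "<TLS record>"),   # handshake
    ("c2s", "<TLS record>"),                            # really: PASV
    ("s2c", "<TLS record>"),                            # really: 227 ... (10,20,0,20,195,80)
]

if __name__ == "__main__":
    plain, tls = run(PLAIN_FTP, NAT), run(FTPES, NAT)
    target = ("216.191.22.196", 50000)
    print("plain FTP pinholes:", plain.pinholes)
    print("FTPES pinholes:", tls.pinholes, "encrypted:", tls.encrypted)
    print("FTPES data connection allowed:", tls.allows_data_connection(target))
    print("...with the passive port permitted statically:",
          tls.allows_data_connection(target, [target]))
```

Two things the model makes visible. First, the only way a data connection gets through once the control channel is encrypted is a static permit for the passive port range, which is the workaround the poster refers to; the dynamic pinhole never exists. Second, the inspection engine normally also rewrites the inside address embedded in the 227 reply under NAT, and with TLS it cannot, so the outside client receives whatever address the server itself puts there, which is a separate reason passive FTPES through a NAT device so often needs server-side configuration of the advertised address and port range.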
