Cisco Support Community


New Member

FTPS on ASA appliance

I need to connect to an FTP server over SSL, to a server that I do not have any control over. My problem is the ASA does not allow the connection because it is going over SSL and so it cannot inspect the packets. Does anyone have a workaround for this? I only need this to work for 1 internal client, so I thought maybe a 1:1 NAT would work, but it didn't, or I didn't do it correctly. I have talked to the people that run the FTP server and all they were able to tell me is to make sure ports 20 & 21 and ports greater than 1024 are open to their server. Any suggestions would be appreciated. Thanks


Re: FTPS on ASA appliance

I know with some SSL FTP servers, the administrator can choose which ports above 1024 it will use. Unfortunately it doesn't sound like you're going to get that level of cooperation from them. Do the static NAT, and then just allow all those ports from that one server?


Re: FTPS on ASA appliance

This is 2008, not 1998. FTP should be banned.

There is a very simple solution to this: Secure Copy, scp. scp runs as a sub-system of SSH, and you can encrypt your traffic with AES256-CBC with SHA-1. Make it very easy on the firewall and anyone managing it. Allow TCP port 22 on the firewall and you're set.

CCIE Security

New Member

Re: FTPS on ASA appliance

I agree with you 100%, however I don't have a choice. What is really irritating is the organization we are sending this data to used to have an SSL-secured website you could just upload it to, but they switched back to FTP over SSL, because they "claimed" it was more secure. I am going to try the static NAT and will let you know what happens.

New Member

Re: FTPS on ASA appliance

Ok so I tried the following and it didn't work. I admit I probably did something wrong.

static (inside, outside) netmask

access-list ftps extended permit ip host host

And then I applied it to the outside interface

access-group ftps in interface outside

Let me know what I did wrong. Thanks
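Worked configuration for the static NAT plus port-restricted ACL approach suggested in the first reply and attempted in the post above. This is an added example, not configuration posted by anyone in this thread; the addresses (RFC 5737 documentation ranges), interface names and ACL names are placeholders, and it uses the pre-8.3 `static` syntax current in 2008. The point that matters for FTPS: because the PASV and PORT exchanges travel inside TLS, the ASA's FTP inspection cannot read them and so will not open data-connection pinholes dynamically; the data ports therefore have to be permitted explicitly, as the server operators asked for.

```text
! Placeholder addresses (assumed, substitute your own):
!   inside client      192.168.1.50
!   translated client  203.0.113.10  (outside address of the client)
!   remote FTPS server 198.51.100.20
!
! 1:1 static NAT for the single client (pre-8.3 syntax:
! static (real_ifc,mapped_ifc) mapped_ip real_ip).
static (inside,outside) 203.0.113.10 192.168.1.50 netmask 255.255.255.255

! Outbound: control channel on 21 and passive-mode data on ports > 1023.
! Only needed if an ACL is already applied inbound on the inside
! interface; otherwise inside-to-outside traffic is permitted by default.
access-list inside_in extended permit tcp host 192.168.1.50 host 198.51.100.20 eq 21
access-list inside_in extended permit tcp host 192.168.1.50 host 198.51.100.20 gt 1023
access-group inside_in in interface inside

! Inbound from the server to the translated client address. Only
! active-mode data connections (server port 20 -> client port > 1023)
! need this; passive-mode data is client-initiated and its return
! traffic is matched by the connection table. "permit tcp ... eq 20 ...
! gt 1023" is far narrower than "permit ip host A host B", which would
! admit every protocol from that server to the client.
access-list ftps extended permit tcp host 198.51.100.20 eq 20 host 203.0.113.10 gt 1023
access-group ftps in interface outside

! Checks after a transfer attempt:
!   show xlate | include 192.168.1.50       (translation is built)
!   show conn | include 198.51.100.20       (control and data connections)
!   show access-list ftps                   (hit counts on the ACL entries)
```

If the control connection itself is being torn down rather than just the data connection failing, look at the output of `show service-policy inspect ftp` as well, since the inspection engine is seeing an encrypted stream on port 21 that it cannot parse.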
