
Hi all,

We have ASA5510/20 running in NAT/routed mode. We received a request to open ports for an internal server to make FTPS connections to outside servers. The internal server initiates the connection. The external vendor asked us to open 9021 (FTP ctrl) & 20000-20099 (PASV/EPASV) for their IPs. A long time back, while I was testing FTPS via PIX, I ran into some data transfer issues. I never got a chance to check on it later. The ASAs are running 7.2 (4) and 7.1 (2). We are using one-to-one NAT for servers. Does this still pose encryption issues for FTPS, or should we not expect any issues with FTPS connectivity (with the above-mentioned ports opened)?

Thanks in advance


New Member

Re: FTPS via ASA

1. You are using one-to-one NAT with FTP exposed to the outside, so you should not have a problem if the application is running on the ports defined by the server admin team.

2. To get an inside view, you can monitor sample FTP sessions and check for any dropped packets. If you still face a problem, ask the server team to carry out a sample FTP from the inside network. If it is successful, then it should be successful from outside as well.

3. Sometimes there are policies on the servers themselves, maintained either by antivirus or by the FTP application, so you need visibility there besides network access control.

Hope this will help you to resolve the problem.

Re: FTPS via ASA

Hi Shilesh,

Thanks for the reply. But in the case of FTPS (FTP/SSL), due to the encryption there may be an issue when the firewall inspects the incoming traffic. Thanks again.


Cisco Employee

Re: FTPS via ASA

Absolutely correct. Since the FTP is encrypted, the ASA is not able to inspect the FTP packet to dynamically open a pinhole for FTP data.
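Why encryption defeats the dynamic pinhole described in the reply above, as an added example that is not part of the original thread and not Cisco code: a simplified sketch of what an FTP-aware firewall reads from the control channel. The function names, the sample replies and the TLS bytes are constructed for illustration; the port range is the one quoted in the question.

```python
import re

# Passive data-port range the vendor asked for in the thread (20000-20099).
VENDOR_PASV_RANGE = range(20000, 20100)

# Server replies that announce the data port on a cleartext control channel.
PASV_REPLY = re.compile(rb"^227 [^\r\n]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_REPLY = re.compile(rb"^229 [^\r\n]*\(\|\|\|(\d+)\|\)")  # assumes '|' delimiter

def announced_data_port(control_bytes):
    """Return the data port a 227/229 reply announces, or None if unreadable."""
    m = PASV_REPLY.match(control_bytes)
    if m:
        high, low = int(m.group(5)), int(m.group(6))
        return high * 256 + low if high < 256 and low < 256 else None
    m = EPSV_REPLY.match(control_bytes)
    if m:
        port = int(m.group(1))
        return port if 0 < port < 65536 else None
    return None

def firewall_action(control_bytes):
    """Decide how the data connection can be permitted for this control traffic."""
    port = announced_data_port(control_bytes)
    if port is not None:
        return ("dynamic-pinhole", port)
    # Nothing parseable: the data connection passes only if a static rule allows it.
    return ("static-rule-needed", None)

def covered_by_vendor_range(port):
    """True if a static rule for the vendor's passive range would cover this port."""
    return port in VENDOR_PASV_RANGE

# Constructed sample inputs (203.0.113.10 is a documentation address).
CLEAR_PASV = b"227 Entering Passive Mode (203,0,113,10,78,52)\r\n"
CLEAR_EPSV = b"229 Entering Extended Passive Mode (|||20055|)\r\n"
# Same kind of reply inside a TLS application-data record: header + opaque bytes.
TLS_RECORD = bytes.fromhex("1703030020") + bytes(range(32))

if __name__ == "__main__":
    for name, sample in [("PASV", CLEAR_PASV), ("EPSV", CLEAR_EPSV), ("TLS", TLS_RECORD)]:
        print(name, firewall_action(sample))
```

With the control channel encrypted, only the static rule for the fixed passive range lets the data connection through, which is why the vendor publishes that range.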

New Member

Re: FTPS via ASA

>> Did you manage to check whether FTPS is working locally? If yes, then get the output of netstat -n from the system. It will show you the ports open on the server. This also confirms whether there is an issue with the server or the client.

>> Once this is confirmed, you can be sure on one side that there is no problem with the FTPS server and client software they are using.

>> You can cross-verify the ports with the output of the netstat -n command.