I have a Unix client that needs to connect to an SFTP server on the Internet through the SFTP protocol, but this doesn't work. I have FTP inspection on the ASA and normal FTP works just fine. For SFTP to the server, I have opened port 22 in addition to 20 and 21 for FTP.
I get the error message below:
Connecting to XX.XX.XX.XX... ssh: connect to host XX.XX.XX.XX port 22: Connection timed out Couldn't read packet: Connection reset by peer
This same mode of connection works from another location outside my network (although I do not know if they are behind a firewall or not). Currently, I have NATed the client's private IP (on the inside interface) to a public IP on the outside interface of my ASA, and created an access rule on the inside interface to allow traffic from the private IP to the SFTP server (public IP) on ports 20, 21, and 22.
Can someone tell me what I need to do on the ASA to get this to work? Looking forward to a response soon. Thank you all.
If my memory serves me correctly, SFTP is just FTP over an SSH tunnel. Theoretically, the only traffic that would pass through the firewall would be TCP/22 for the SSH tunnel. Can you even SSH to that host from behind the firewall? If SSH works but SFTP doesn't, then there is something strange going on.
Well, let's target that as our first issue. I'm always a big fan of running a quick packet capture on the firewall in order to see if the packets are hitting the firewall and going where they need to be.
Pre 8.0.4 code:
access-list cap-list permit tcp any host x.x.x.x eq 22
access-list cap-list permit tcp host x.x.x.x eq 22 any
cap inside interface inside access-list cap-list
cap outside interface outside access-list cap-list
Post 8.0.4 code:
cap inside int inside match tcp any host x.x.x.x eq 22
cap outside int outside match tcp any host x.x.x.x eq 22
Then run the test and check the captures with:
show cap inside
show cap outside
Also, let's get some syslogs from the attempt. Do you see any syslogs for that remote IP x.x.x.x?
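As an added example that is not part of the reply above, the following Python helper correlates the inside and outside captures the reply asks for and reports at which point the TCP handshake to port 22 is lost. It assumes the tcpdump-style lines that `show cap` prints ("S" for SYN, "S." for SYN/ACK); the capture text, addresses and ports below are constructed.

```python
import re

# Constructed sample of "show cap inside" / "show cap outside" output (documentation
# addresses). The client 192.168.10.25 is NATed to 198.51.100.7 on the outside;
# the SFTP server is 203.0.113.40. No SYN/ACK ever comes back from the server.
INSIDE_CAP = """\
1: 10:15:01.101112 192.168.10.25.51234 > 203.0.113.40.22: S 1000:1000(0) win 29200 <mss 1460>
2: 10:15:02.101300 192.168.10.25.51234 > 203.0.113.40.22: S 1000:1000(0) win 29200 <mss 1460>
"""
OUTSIDE_CAP = """\
1: 10:15:01.101250 198.51.100.7.51234 > 203.0.113.40.22: S 1000:1000(0) win 29200 <mss 1460>
2: 10:15:02.101410 198.51.100.7.51234 > 203.0.113.40.22: S 1000:1000(0) win 29200 <mss 1460>
"""

# One packet line: "<n>: <time> <src>.<sport> > <dst>.<dport>: <tcp flags> ..."
LINE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<flags>[A-Z.]+)"
)

VERDICTS = {
    "no-syn-inside": "client never sends a SYN to the ASA: host or routing problem",
    "dropped-by-asa": "SYN seen inside but not outside: ACL or NAT drop, check syslogs",
    "no-synack-from-server": "SYN left the ASA but no SYN/ACK returned: dropped upstream or at the server (matches 'Connection timed out')",
    "return-path-blocked": "SYN/ACK reached outside but not inside: return path (xlate/ACL) problem",
    "handshake-ok": "handshake passes the ASA: look at the SSH/SFTP layer instead",
}

def parse_capture(text):
    """Return (src, sport, dst, dport, flags) for every packet line in a capture."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            pkts.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]))
    return pkts

def diagnose(inside_text, outside_text, server_ip, port=22):
    """Classify where a TCP connect to server_ip:port is lost, as a VERDICTS key."""
    inside, outside = parse_capture(inside_text), parse_capture(outside_text)
    to_srv = lambda p: p[2] == server_ip and p[3] == port and p[4] == "S"
    from_srv = lambda p: p[0] == server_ip and p[1] == port and p[4] == "S."
    if not any(map(to_srv, inside)):
        return "no-syn-inside"
    if not any(map(to_srv, outside)):
        return "dropped-by-asa"
    if not any(map(from_srv, outside)):
        return "no-synack-from-server"
    if not any(map(from_srv, inside)):
        return "return-path-blocked"
    return "handshake-ok"

if __name__ == "__main__":
    print(VERDICTS[diagnose(INSIDE_CAP, OUTSIDE_CAP, "203.0.113.40")])
```

Paste the real `show cap inside` and `show cap outside` output in place of the constructed samples; the verdict tells you whether to look at the ASA's own ACL/NAT logs or at the far end.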
Thanks for your suggestion. I will not be able to capture packets using packet capturing tools, as my ASA is carrying live traffic. But one thing I have done is that when I do a packet trace on the ASA from my local IP (random port) to the SFTP server (public IP) on ports 20, 21 and 22, my ASA tells me that the packet is allowed.
I guess this is equivalent to the packet capturing you suggested? Right?
Is there a generic way for me to capture the packets on the ASA, or do I need a packet capturing tool like Ethereal? I did show conn | in x.x.x.x for the SFTP public IP as well as the local server IP, but there was no log.