Using a PIX 515E and I'm trying to create an FTP session over SSL.
I'm using WS-FTP FTP program. When using regular FTP I can connect to the remote site without any problems. If I try to connect using FTP/SSL, it stops at the "MLSD" process and gives me a "425 Can't open data connection."
Do I need to do anything special on the PIX in order to get this connection to work?
The PIX (or really any NAT device) is not going to be able to support FTP/SSL. The reason for this is because the PIX does a lot of things with respect to ftp. One of the things it does is to look into the data portions (or more specifically the PORT command) and see which port the client is telling the server to connect back in on. The PIX then uses this info to open the necessary holes in the security policy. Since the data is encrypted in FTP/SSL, the PIX is not able to look into the payload portions and open the proper holes, etc... Hence your connections fail in the manner you described. Sorry but I hope this helps to explain matters.
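As an added illustration (not part of the original post), this Python snippet mimics what a firewall's FTP inspection does on a plaintext control channel, deriving the data-channel endpoints it would pre-authorise from PORT commands and 227 PASV replies, and shows that the same check yields nothing once the channel is TLS-wrapped. The control-channel bytes and the function names are constructed for the example.

```python
import re

# Constructed sample control-channel traffic as an inspecting firewall would see it.
# Plaintext FTP: PORT from the client, 227 PASV reply from the server, then MLSD.
PLAINTEXT_CONTROL = (
    b"USER demo\r\n"
    b"PORT 192,0,2,10,4,1\r\n"                              # client: connect back to 192.0.2.10:1025
    b"227 Entering Passive Mode (198,51,100,7,195,89)\r\n"  # server: connect to 198.51.100.7:50009
    b"MLSD\r\n"
)
# After AUTH TLS the channel carries TLS application-data records (0x17 0x03 0x03 len ...)
# whose payload is ciphertext. This is a constructed placeholder, not a real capture.
TLS_CONTROL = b"\x17\x03\x03\x00\x20" + bytes(range(0x20))

PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.M)
PASV_RE = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", re.M)


def _endpoint(m):
    """Turn the h1,h2,h3,h4,p1,p2 groups into an (ip, port) tuple; port = p1*256 + p2."""
    ip = ".".join(m.group(i).decode() for i in range(1, 5))
    port = int(m.group(5)) * 256 + int(m.group(6))
    return ip, port


def data_channel_pinholes(control_bytes):
    """Return the data-channel endpoints an FTP-aware NAT/firewall would open.

    This mirrors the control-channel parsing the answer above describes: read
    PORT commands and 227 PASV replies and pre-authorise the matching data
    connection. Bytes the parser cannot read (ciphertext) produce no pinhole.
    """
    holes = []
    for m in PORT_RE.finditer(control_bytes):
        holes.append(("active", *_endpoint(m)))
    for m in PASV_RE.finditer(control_bytes):
        holes.append(("passive", *_endpoint(m)))
    return holes


def is_tls_record(control_bytes):
    """True when the stream starts with a TLS record header (type 0x14-0x17, major version 3)."""
    return (len(control_bytes) >= 5
            and control_bytes[0] in (0x14, 0x15, 0x16, 0x17)
            and control_bytes[1] == 3)


if __name__ == "__main__":
    print("plaintext pinholes:", data_channel_pinholes(PLAINTEXT_CONTROL))
    print("TLS-wrapped:", is_tls_record(TLS_CONTROL), "pinholes:", data_channel_pinholes(TLS_CONTROL))
```

With the TLS-wrapped stream the inspector sees a valid TLS record but no PORT/PASV, so no pinhole is opened and the client's data connection for MLSD is refused, which is the 425 reported above.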
The problem is that there is no standard - some people wrap ftp in ssl, a la https (which is much, much, much more standardized), others use sftp, which is more like ssh, etc.
FTP is a disaster - the multiple ports for the control and data channels leave a legacy of chaos. Thus, when you have various inoperable encryption+ftp solutions out there, there is no real way to expect firewalls to be able to proxy them all.
SCP, included with openssh, and some other programs, is like unix rcp encrypted with ssh, so it works through one port, tcp 22. openssh's sftp server might work the same way. SCP would probably be how I would do it on unix-like OSes.
On windows, I would (and do) use https, and WEBDAV on IIS. webdav is a standard extension of http - you can browse files, Explorer-like, in IE (mozilla/netscape don't support webdav yet), and cut and paste files to/from the webserver.