topic Re: ASA, Passive FTP (Explicit FTP with TLS) does not work. in Network Security

ASA, Passive FTP (Explicit FTP with TLS) does not work.

morabusa — Fri, 22 May 2020 09:50:01 GMT

Hi,

I am having issues to make work a passive FTP server with explicit TLS encryption because ASA is blocking the response on a random port, even when I have enabled this configuration:

access-list ftp-list extended permit tcp any any gt 1000
!
class-map ftp-class
match access-list ftp-list
!
policy-map global_policy
class ftp-class
inspect ftp

Problem is that we are using explicit ftp with TLS encryption and this is probably the reason because the ASA is not able to inspect that traffic and block the connection. Do you know if there is a solution for this? Thanks!

Re: ASA, Passive FTP (Explicit FTP with TLS) does not work.

balaji.bandi — Fri, 22 May 2020 20:09:08 GMT

passitve FTP with TLS you required 1 to 1023 ports - try that and let us know.

your ACL show > 1000

Re: ASA, Passive FTP (Explicit FTP with TLS) does not work.

morabusa — Mon, 25 May 2020 08:16:04 GMT

I am seeing connection attempts to the ports 40XXX-6XXXX. Anyway, if traffic is encrypted, how the ASA could inspect it? Thanks!

Re: ASA, Passive FTP (Explicit FTP with TLS) does not work.

rmathieson7 — Fri, 29 May 2020 17:06:57 GMT

You're right the encryption will stop the ASA from seeing the packet and therefore won't be able to dynamically open the ports. The passive FTP port range is configured on the server so you could contact whoever manages that, otherwise they tend to be within 49152-65535. FTP isn't a nice protocol for security.