https://community.cisco.com/t5/network-security/does-asa-8-2-support-ftps-without-clear-command-channel/m-p/2356503#M307693 <HTML><HEAD></HEAD><BODY><P> ASA cannot inspect SSL/TLS encrypted&nbsp; traffic.&nbsp; The breakdown occurs when the data channel is being built.&nbsp;&nbsp; Whether in active or passive mode, L3 (IP) and L4 (port) information&nbsp; regarding the data channel are transferred in the FTP/FTPS control&nbsp; channel.&nbsp; With traditional FTP and the ASA's FTP inspection, this data&nbsp; is "inspected" and "fixed" to match the public/outside/whatever&nbsp; interface IP and the ASA dynamically adds a permit ACL to allow the data&nbsp; channel traffic.</P><P></P><P>With SSL/TLS (as part of FTPS) the ASA cannot see the necessary&nbsp; control channel details to "inspect" or "fix" what is necessary to make&nbsp; the data channel work.&nbsp; As such, you will need to have some added&nbsp; smarts/capability built into the FTPS server application you are using.</P><P></P><P>Capabilities include the following:</P><P></P><OL><LI>The ability to set the port range sent in the control channel to be&nbsp; used for the data channel as used by passive mode (PASV) clients.</LI><LI>The ability to set the IP address sent in the control channel to be&nbsp; used for the data channel as used by passive mode (PASV) clients.</LI><LI><P>Lastly, in your firewall, permitting (via nat/static <STRONG><EM>and</EM></STRONG> ACL) the range configured in number 1.</P><P><EM>In a Windows environment, Cerberus is a great FTP/FTPS/SFTP server that has the necessary features and functions.</EM></P></LI></OL><P></P><P>For example:</P><P></P><P>Say your FTPS server has an inside IP 192.168.1.10 and outside IP 1.1.1.2.</P><P></P><UL><LI>Configure your FTPS server software to use TCP/35000 to TCP/35999 as a range for passive clients.</LI><LI>Configure your FTPS server software to send 1.1.1.2 as the IP for&nbsp; passive clients. </LI><LI>Configure your ASA to NAT (using static NAT or static PAT range) for TCP/35000 to TCP/35999 (plus TCP/21, TCP/990, etc.)</LI><LI>Configure your ASA to ACL permit TCP/35000 to TCP/35999 to the the FTPS server (plus TCP/21, TCP/990, etc.)</LI></UL><P></P><P>Now when clients connect in from the WAN using implicit or explicit&nbsp; FTPS, the FTPS server will send back the correct WAN IP address (not its&nbsp; private address) and a TCP port in a known range to be used in the data&nbsp; channel.&nbsp; Having specifically NAT'd and ACL permitted the TCP ports,&nbsp; ASA inspection/fixup is not required.</P><P></P><P>Let me know if you have any questions.</P><P></P><P>Regards</P></BODY></HTML> Thu, 05 Dec 2013 17:00:27 GMT gurpsin2 2013-12-05T17:00:27Z https://community.cisco.com/t5/network-security/does-asa-8-2-support-ftps-without-clear-command-channel/m-p/2356502#M307688 <P>We are running a 5520 ASA @ Version 8.2. What needs to be done to configure it to support FTPS?</P><P></P><P>Thanks,</P><P></P><P>Doug</P> Tue, 12 Mar 2019 03:13:18 GMT https://community.cisco.com/t5/network-security/does-asa-8-2-support-ftps-without-clear-command-channel/m-p/2356502#M307688 dohogue 2019-03-12T03:13:18Z https://community.cisco.com/t5/network-security/does-asa-8-2-support-ftps-without-clear-command-channel/m-p/2356503#M307693 <HTML><HEAD></HEAD><BODY><P> ASA cannot inspect SSL/TLS encrypted&nbsp; traffic.&nbsp; The breakdown occurs when the data channel is being built.&nbsp;&nbsp; Whether in active or passive mode, L3 (IP) and L4 (port) information&nbsp; regarding the data channel are transferred in the FTP/FTPS control&nbsp; channel.&nbsp; With traditional FTP and the ASA's FTP inspection, this data&nbsp; is "inspected" and "fixed" to match the public/outside/whatever&nbsp; interface IP and the ASA dynamically adds a permit ACL to allow the data&nbsp; channel traffic.</P><P></P><P>With SSL/TLS (as part of FTPS) the ASA cannot see the necessary&nbsp; control channel details to "inspect" or "fix" what is necessary to make&nbsp; the data channel work.&nbsp; As such, you will need to have some added&nbsp; smarts/capability built into the FTPS server application you are using.</P><P></P><P>Capabilities include the following:</P><P></P><OL><LI>The ability to set the port range sent in the control channel to be&nbsp; used for the data channel as used by passive mode (PASV) clients.</LI><LI>The ability to set the IP address sent in the control channel to be&nbsp; used for the data channel as used by passive mode (PASV) clients.</LI><LI><P>Lastly, in your firewall, permitting (via nat/static <STRONG><EM>and</EM></STRONG> ACL) the range configured in number 1.</P><P><EM>In a Windows environment, Cerberus is a great FTP/FTPS/SFTP server that has the necessary features and functions.</EM></P></LI></OL><P></P><P>For example:</P><P></P><P>Say your FTPS server has an inside IP 192.168.1.10 and outside IP 1.1.1.2.</P><P></P><UL><LI>Configure your FTPS server software to use TCP/35000 to TCP/35999 as a range for passive clients.</LI><LI>Configure your FTPS server software to send 1.1.1.2 as the IP for&nbsp; passive clients. </LI><LI>Configure your ASA to NAT (using static NAT or static PAT range) for TCP/35000 to TCP/35999 (plus TCP/21, TCP/990, etc.)</LI><LI>Configure your ASA to ACL permit TCP/35000 to TCP/35999 to the the FTPS server (plus TCP/21, TCP/990, etc.)</LI></UL><P></P><P>Now when clients connect in from the WAN using implicit or explicit&nbsp; FTPS, the FTPS server will send back the correct WAN IP address (not its&nbsp; private address) and a TCP port in a known range to be used in the data&nbsp; channel.&nbsp; Having specifically NAT'd and ACL permitted the TCP ports,&nbsp; ASA inspection/fixup is not required.</P><P></P><P>Let me know if you have any questions.</P><P></P><P>Regards</P></BODY></HTML> Thu, 05 Dec 2013 17:00:27 GMT https://community.cisco.com/t5/network-security/does-asa-8-2-support-ftps-without-clear-command-channel/m-p/2356503#M307693 gurpsin2 2013-12-05T17:00:27Z