https://community.cisco.com/t5/network-security/sftp-through-cisco-asa/m-p/2100546#M392448 <P style="margin: 0cm; margin-bottom: .0001pt;">Hi,</P><P></P><P style="margin: 0cm; margin-bottom: .0001pt;"><SPAN style="font-size: 10pt;"> </SPAN></P><P style="margin: 0cm; margin-bottom: .0001pt;">We are trying to get SFTP working from a server (x.x.128.13) within our network to another companies server (x.x.114.132) which we connect to via the Internet.&nbsp; From our server the connection hits our ASA Firewall where we have rules in place to allow the connection on a customised port of 29052. The firewall then NAT's the Source IP of our server to a Public IP (x.x.36.60), thus making it routable on the Internet.</P><P></P><P></P><P style="margin: 0cm; margin-bottom: .0001pt;">We have done some packet captures on our ingress (inside) interface and egress (internet) interface and we can see that the 3 way TCP handshake is successful between the two servers but then all further communication fails.</P><P></P><P style="margin: 0cm; margin-bottom: .0001pt;"><SPAN style="font-size: 10pt;"> </SPAN></P><P style="margin: 0cm; margin-bottom: .0001pt;">We see no further packets on our ingress interface but we do see further packets on the egress side.&nbsp; What we see is a "RST+ACK" from the destination server but this is never passed on to the server within our network.&nbsp; We also see our ack packet from the 3 way handshake being sent back to the destination server but again this only appears for the egress capture, and is not being sent by the server.&nbsp; Both of these packets repeat about 6 times and then we see nothing further.</P><P></P><P>I have attached the packet capture.</P><P></P><P>At the far end the 3rd party don't see any of our repeated ACK's and when the connection works normally through a different infrastructure/firewall we see the 4th packet as a normal packet.&nbsp; The initial payload of this RST+ACK is the same payload we see in the 4th packet when the connection works.</P><P></P><P style="margin: 0cm; margin-bottom: .0001pt;">Any help with this would be appreciated.</P><P><SPAN style="font-size: 10pt;"> </SPAN></P><P style="margin: 0cm; margin-bottom: .0001pt;">Regards</P><P></P><P style="margin: 0cm; margin-bottom: .0001pt;">Stuart</P> Tue, 12 Mar 2019 00:50:14 GMT soliver2005 2019-03-12T00:50:14Z https://community.cisco.com/t5/network-security/sftp-through-cisco-asa/m-p/2100546#M392448 <P style="margin: 0cm; margin-bottom: .0001pt;">Hi,</P><P></P><P style="margin: 0cm; margin-bottom: .0001pt;"><SPAN style="font-size: 10pt;"> </SPAN></P><P style="margin: 0cm; margin-bottom: .0001pt;">We are trying to get SFTP working from a server (x.x.128.13) within our network to another companies server (x.x.114.132) which we connect to via the Internet.&nbsp; From our server the connection hits our ASA Firewall where we have rules in place to allow the connection on a customised port of 29052. The firewall then NAT's the Source IP of our server to a Public IP (x.x.36.60), thus making it routable on the Internet.</P><P></P><P></P><P style="margin: 0cm; margin-bottom: .0001pt;">We have done some packet captures on our ingress (inside) interface and egress (internet) interface and we can see that the 3 way TCP handshake is successful between the two servers but then all further communication fails.</P><P></P><P style="margin: 0cm; margin-bottom: .0001pt;"><SPAN style="font-size: 10pt;"> </SPAN></P><P style="margin: 0cm; margin-bottom: .0001pt;">We see no further packets on our ingress interface but we do see further packets on the egress side.&nbsp; What we see is a "RST+ACK" from the destination server but this is never passed on to the server within our network.&nbsp; We also see our ack packet from the 3 way handshake being sent back to the destination server but again this only appears for the egress capture, and is not being sent by the server.&nbsp; Both of these packets repeat about 6 times and then we see nothing further.</P><P></P><P>I have attached the packet capture.</P><P></P><P>At the far end the 3rd party don't see any of our repeated ACK's and when the connection works normally through a different infrastructure/firewall we see the 4th packet as a normal packet.&nbsp; The initial payload of this RST+ACK is the same payload we see in the 4th packet when the connection works.</P><P></P><P style="margin: 0cm; margin-bottom: .0001pt;">Any help with this would be appreciated.</P><P><SPAN style="font-size: 10pt;"> </SPAN></P><P style="margin: 0cm; margin-bottom: .0001pt;">Regards</P><P></P><P style="margin: 0cm; margin-bottom: .0001pt;">Stuart</P> Tue, 12 Mar 2019 00:50:14 GMT https://community.cisco.com/t5/network-security/sftp-through-cisco-asa/m-p/2100546#M392448 soliver2005 2019-03-12T00:50:14Z https://community.cisco.com/t5/network-security/sftp-through-cisco-asa/m-p/2100547#M392449 <HTML><HEAD></HEAD><BODY><P>Hello Soliver,</P><P></P><P>So basically you are using a customized program that will allow you to run SFTP over port <SPAN style="font-size: 10pt;">29052? Right?</SPAN></P><P></P><P>Either way it's just a single channel so it should not be any problem regarding the firewall not being able to identify the data channel ( as there is only one for both the control/data communication)</P><P></P><P>Is there a way you could share those captures on wireshark.....</P><P></P><P>Also do the following capture</P><P>cap asp type asp-drop all circular-buffer</P><P>Then try to connect and share</P><P>show cap asp | include <SPAN style="font-size: 10pt;">x.x.114.132</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">This will show us if the firewall is dropping some traffic based on it's code ( Acellerated Security Path algorithm)</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">Regards,</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">Julio Carvajal </SPAN></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P></BODY></HTML> Mon, 21 Jan 2013 18:40:25 GMT https://community.cisco.com/t5/network-security/sftp-through-cisco-asa/m-p/2100547#M392449 Julio Carvajal 2013-01-21T18:40:25Z