https://community.cisco.com/t5/network-security/secure-ftp-through-pix-and-vpn-l2l/m-p/1729044#M537037 <HTML><HEAD></HEAD><BODY><P>Hi Jose, </P><P></P><P>Over the tunnel I dont think there is any problem, you see, the issue comes when opening the data channel in order to pass the file, since the inpsection on the ASA (That works looking at the payload on port 21)&nbsp; does not see what port is going to be used nor the IPs involed, he wont open the data channel. </P><P></P><P>But on a VPN tunnel (under normal circunstances) you have permit ip any any for the interesting traffic, meaning all IP traffic is going to pass across it. </P><P></P><P>What I am trying to say is that, for traffic flowing from inside to outside with no VPN on it, it should failed (as documented), over the tunnel, I dont see why would it failed. </P><P></P><P>I am starting thinking that the problem can be related to the interesting traffic define on the Tunnel itself. </P><P></P><P>Hope it helps. </P><P></P><P>Mike </P></BODY></HTML> Tue, 28 Jun 2011 17:12:35 GMT Maykol Rojas 2011-06-28T17:12:35Z https://community.cisco.com/t5/network-security/secure-ftp-through-pix-and-vpn-l2l/m-p/1729043#M537036 <P>Hi everybody,&nbsp; I have this need from a customer. They have multiple VPN L2L connections with multiple offices (the configuration is a mess) but the issue is:&nbsp; One of the Sites needs to use SFTP to transfer file from that branch office to the main office. They use a software like FileZilla acting like the SFTP.&nbsp; When they transfer the files using FTP the tunnel goes up and the transfer is successfull. But when they try to use SFTP not even the authentication happens, and the VPN tunnel does not go up.</P><P></P><P>I've been reading the post about SFTP and some say it works some other said it does not. I read at Cisco documentation and they say it is not possible becasuse the SSH encryption. Please somebody clarify if the use of SFTP is possible through a PIX firewall or an ASA firewall and what consideration should I have.</P><P></P><P>Regards</P><P></P><P>Jose</P> Mon, 11 Mar 2019 20:52:12 GMT https://community.cisco.com/t5/network-security/secure-ftp-through-pix-and-vpn-l2l/m-p/1729043#M537036 jose cortes 2019-03-11T20:52:12Z https://community.cisco.com/t5/network-security/secure-ftp-through-pix-and-vpn-l2l/m-p/1729044#M537037 <HTML><HEAD></HEAD><BODY><P>Hi Jose, </P><P></P><P>Over the tunnel I dont think there is any problem, you see, the issue comes when opening the data channel in order to pass the file, since the inpsection on the ASA (That works looking at the payload on port 21)&nbsp; does not see what port is going to be used nor the IPs involed, he wont open the data channel. </P><P></P><P>But on a VPN tunnel (under normal circunstances) you have permit ip any any for the interesting traffic, meaning all IP traffic is going to pass across it. </P><P></P><P>What I am trying to say is that, for traffic flowing from inside to outside with no VPN on it, it should failed (as documented), over the tunnel, I dont see why would it failed. </P><P></P><P>I am starting thinking that the problem can be related to the interesting traffic define on the Tunnel itself. </P><P></P><P>Hope it helps. </P><P></P><P>Mike </P></BODY></HTML> Tue, 28 Jun 2011 17:12:35 GMT https://community.cisco.com/t5/network-security/secure-ftp-through-pix-and-vpn-l2l/m-p/1729044#M537037 Maykol Rojas 2011-06-28T17:12:35Z https://community.cisco.com/t5/network-security/secure-ftp-through-pix-and-vpn-l2l/m-p/1729045#M537038 <HTML><HEAD></HEAD><BODY><P>Hi Mykol,&nbsp; But, when I try to do a FTP transfer the tunnel works... that's why I though the problem is the SSH encryption. As you said the interesting traffic is allowed by a "permit any" rule. So I cannot figure out what else could be failing but the 'S' at SFTP.&nbsp; Regards,&nbsp; Jose</P></BODY></HTML> Tue, 28 Jun 2011 17:28:34 GMT https://community.cisco.com/t5/network-security/secure-ftp-through-pix-and-vpn-l2l/m-p/1729045#M537038 jose cortes 2011-06-28T17:28:34Z https://community.cisco.com/t5/network-security/secure-ftp-through-pix-and-vpn-l2l/m-p/1729046#M537039 <HTML><HEAD></HEAD><BODY><P>On the pix, would you please do the following? </P><P></P><P>packet-tracer input inside tcp <INSIDE_HOST_IP> 1025 <SFTP_SERVER> 22 </SFTP_SERVER></INSIDE_HOST_IP></P><P></P><P>Cheers </P><P></P><P>Mike </P></BODY></HTML> Tue, 28 Jun 2011 17:38:23 GMT https://community.cisco.com/t5/network-security/secure-ftp-through-pix-and-vpn-l2l/m-p/1729046#M537039 Maykol Rojas 2011-06-28T17:38:23Z