topic Re: Allowing encrypted FTP traffic in Network Security

Allowing encrypted FTP traffic

greatbay1 — Fri, 21 Feb 2020 15:17:55 GMT

When I create a simple FTP entry, this works:

object network BH

host 99.199.xx.xx

object network FTP_APACHE01

host 10.10.31.159

nat (inside,BH) static interface service tcp ftp ftp

access-list BH extended permit tcp any host 10.10.31.159 eq ftp

I'm able to connect with FTP from outside the company.

However, when trying to create an encrypted FTP allowance, it's a PAIN.

We're using FileZilla to create an FTPS (FTP over TLS support) with the following configuration:

Allow the following ports to 10.10.31.159:

Port 21

Port 990

Passive custom port range: 50000-51000

Internal IP: 10.10.31.159

How do I configure the Cisco ASA 5510 v9.1 to allow FTPS from outside our firewall?

Any help would be appreciated...

Thanks

Re: Allowing encrypted FTP traffic

Francesco Molino — Wed, 07 Feb 2018 02:45:07 GMT

You have 2 choices.

If you have enough public IPs you can do a static 1:1 nat and filter all ports within outside acl.

Or you can create your nat based on ports range like:

object network FTPsrv

host 10.10.31.159

object service PassiveFTP

service tcp destination range 50000 51000

nat (outside,inside) source static any any destination static YourPublicIP FTPsrv services PassiveFTP PassiveFTP

access-list outside_access_in extended permit tcp any host 10.10.31.159 range 50000 51000

You'll need to create another 2 nat for other ports 21 and 990.

Can you test that and let me know?

Re: Allowing encrypted FTP traffic

greatbay1 — Wed, 07 Feb 2018 13:15:30 GMT

Ok, I'm trying your config entry

==
interface Ethernet0/0
description outside
nameif BH
security-level 0
ip address 99.199.xx.xx 255.255.255.248 standby 99.199.xx.xx
!
object network BH_Interface
host 99.199.xx.xx
!
object network FTP_APACHE01
host 10.10.31.159
object service PassiveFTP
service tcp destination range 50000 51000
nat (BH,inside) source static any any destination static BH_Interface FTP_APACHE01 service PassiveFTP PassiveFTP
!
access-list BH extended permit tcp any host 10.10.31.159 range 50000 51000
==

I entered "object network FTP_APACHE01", that goes through.
I entered "object service PassiveFTP", that goes through.

However, when I try your following config line:
nat (outside,inside) source static any any destination static YourPublicIP FTPsrv services PassiveFTP PassiveFTP
Here's mine:
nat (BH,inside) source static any any destination static BH_Interface FTP_APACHE01 service PassiveFTP PassiveFTP

!
GBSP-FW1(config-service-object)# nat (BH,inside) source static any any destination static BH_Interface FTP_APACHE01 service PassiveFTP PassiveFTP
ERROR: Address 99.199.xx.xx overlaps with BH interface address.
ERROR: NAT Policy is not downloaded
GBSP-FW1(config)#

What I'm I missing?

Re: Allowing encrypted FTP traffic

Francesco Molino — Thu, 08 Feb 2018 00:02:00 GMT

Please share your config to see why it's complaining about overlap. Sure there's because it pops up this message but don't have your config to help you adapt the config

Re: Allowing encrypted FTP traffic

greatbay1 — Tue, 13 Feb 2018 21:23:57 GMT

After doing much research and talking to management, we found it much easier to use SFTP.

I found a little simple FTP server that uses both FTPS and SFTP. It's called FreeFTPd (http://www.freesshd.com/?ctt=download), and it's FREE.

It uses a single port for the connection and the traffic is encrypted.

Cisco ASA

conf t

! Step 1. create network object

! Cisco ASDM ver. 7.4

! ASA Version 9.1(6)1

object network FTP_APACHE01

host 10.10.31.159

object network FTP_APACHE01_990

host 10.10.31.159

exit

! Step 2. create nat policy

object network FTP_APACHE01

nat (inside,BH) static interface service tcp ftp ftp

object network FTP_APACHE01_990

nat (inside,BH) static interface service tcp 990 990

exit

! Step 3. create the access rule or firewall access

access-list BH extended permit tcp any host 10.10.31.159 eq ftp log

access-list BH extended permit tcp any host 10.10.31.159 eq 990

end

VERIFY FTP

packet-tracer input BH tcp 172.217.14.174 4444 99.199.xx.xx 21

packet-tracer input BH tcp 172.217.14.174 4444 99.199.xx.xx 990

capture FTP_TEST interface BH match tcp any any eq 21

show capture FTP_TEST

capture FTP_TEST_990 interface BH match tcp any any eq 990

show capture FTP_TEST_990