Allowing Passive SFTP traffic via Cisco ASA

mahesh18
Level 6


Hi Everyone,

I need to allow passive FTP traffic via the ASA.

The client PC is inside our network and the server is outside our network.

As the FTP data channel uses random ports for data transfer, do I need to open additional ports on the ASA in addition to port 21 to make this work?

Regards

Mahesh

7 Replies

cciesec2011
Level 3

Some clarifications here:

FTP uses port 21 for command & control and a random port for data transfer.  In your case, since you're using passive FTP, the client will initiate both command & control and data transfer.  The FTP server does NOTHING.

sFTP (aka scp) uses tcp port 22 (or whatever port you specify in sshd_config).

By design, inside hosts can access hosts on the outside; you just need to enable "fixup protocol ftp 21" and that will take care of both Active & Passive FTP from hosts on the inside to the outside network.
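What the FTP fixup/inspection actually does for passive mode is read the server's `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply on the port 21 control connection, compute the data port as `p1*256 + p2`, and permit exactly that one client-to-server TCP flow. The following is an added example, not code from this thread or from Cisco: it parses PASV (RFC 959) and EPSV (RFC 2428) replies the way an inspection engine must, and derives the single pinhole needed. The replies, the client address 192.168.50.21 and the server address 203.0.113.10 are constructed for illustration (195*256+89 = 50009, the data port seen in the deny message later in this thread); refusing a reply that advertises a host other than the control-connection peer is a sanity check chosen for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample replies for illustration, not captured traffic.
# 195*256 + 89 = 50009, the same data port the ASA deny message in this thread shows.
PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,195,89).\r\n"
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50009|)\r\n"

# RFC 959 PASV: "227 ... (h1,h2,h3,h4,p1,p2)"; RFC 2428 EPSV: "229 ... (|||port|)"
_PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
_EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")


@dataclass(frozen=True)
class DataChannel:
    host: Optional[str]  # None for EPSV: the data connection goes to the control peer
    port: int


def parse_passive_reply(reply: str) -> DataChannel:
    """Extract the data-channel endpoint the server advertises in a PASV/EPSV reply."""
    m = _PASV_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            raise ValueError(f"PASV field out of range: {reply!r}")
        return DataChannel(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
    m = _EPSV_RE.match(reply)
    if m:
        port = int(m.group(1))
        if not 1 <= port <= 65535:
            raise ValueError(f"EPSV port out of range: {reply!r}")
        return DataChannel(None, port)
    raise ValueError(f"not a PASV/EPSV reply: {reply!r}")


def data_pinhole(client_ip: str, server_ip: str, reply: str) -> dict:
    """Return the single outbound TCP flow an inspection engine would need to permit
    for this transfer: client -> advertised host:port.

    A server-supplied PASV address that differs from the control-connection peer is
    refused here (policy chosen for this example): honouring it would let the server
    steer the firewall into opening a pinhole towards a third party."""
    ch = parse_passive_reply(reply)
    target = ch.host if ch.host is not None else server_ip
    if target != server_ip:
        raise ValueError(f"PASV host {target} != control peer {server_ip}; refusing pinhole")
    return {"proto": "tcp", "src": client_ip, "dst": target, "dport": ch.port}


if __name__ == "__main__":
    print(data_pinhole("192.168.50.21", "203.0.113.10", PASV_REPLY))
    print(data_pinhole("192.168.50.21", "203.0.113.10", EPSV_REPLY))
```

The point of the example is that the pinhole exists only because the firewall could read the 227 reply. Inspection can only do this if the control connection is on the inspected port and in cleartext; if it is not, the client's connection to the advertised port is just another outbound TCP attempt that the inside access list has to permit.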

 

FTP inspection is enabled on the ASA.

I will ask the user to test the connection and will update you if it works without opening up additional ports for the data channel.

Regards

Mahesh

Looks like FTP inspection is NOT enabled on your ASA, because your own ASA is blocking your traffic.  Can you share the output of the command "sh run policy-map global_policy"?

FTP inspection is enabled:

sh run policy-map global_policy
!
policy-map global_policy
 class inspection_default
  inspect pptp
  inspect ftp

Regards

Mahesh

Try this:

1) no fixup protocol ftp 21
   fixup protocol ftp 21

then try the connection again.

 

Tried the connection as you said.

Same thing.

Also, I got the port range from the vendor, then opened up data ports 50000-50010.

After that the user was able to connect fine.

Normally we do not need to open data ports if FTP inspection is enabled, right?

So does it mean the ASA OS I am using could have a bug?

Regards

Mahesh

We tested with the user's PC and he is not able to connect.

Checking the firewall log, it shows:

Mar 12 2015 16:11:26: %ASA-4-106023: Deny tcp src Internal:192.168.50.21/58840 dst outside:205.x.x.x/50009 by access-group "Inside_access_in" [0x4e3d0ed5, 0x0].

Seems it is trying to connect on port 50009.

I have asked the vendor to send us the list of data channel ports which they have assigned to the server.

Regards

Mahesh
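The deny message quoted above is the whole diagnosis: a client that has a control connection to the server is being refused by the inside access list on a high port, which is what a passive data connection looks like when no inspection pinhole was opened for it. The following is an added example, not code from this thread or from Cisco: it parses the tcp/udp form of `%ASA-4-106023`, groups denied high-port connections from inside hosts to known FTP servers, and emits the static access-list entry for the workaround described in the thread (a permanently permitted port range from one client to one server). The log lines are constructed from the format of the quoted message, with the server address replaced by 203.0.113.10 and the extra hosts 192.168.50.44, 192.168.50.99 and 198.51.100.5 invented for contrast; the access-list name `Inside_access_in` is taken from the message, and the 50000-50010 range from the vendor figures given above.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample log lines modelled on the 106023 message quoted in this thread
# (addresses replaced with RFC 5737 documentation ranges); not a real capture.
SAMPLE_LOG = """\
Mar 12 2015 16:11:26: %ASA-4-106023: Deny tcp src Internal:192.168.50.21/58840 dst outside:203.0.113.10/50009 by access-group "Inside_access_in" [0x4e3d0ed5, 0x0]
Mar 12 2015 16:11:31: %ASA-4-106023: Deny tcp src Internal:192.168.50.21/58841 dst outside:203.0.113.10/50003 by access-group "Inside_access_in" [0x4e3d0ed5, 0x0]
Mar 12 2015 16:12:02: %ASA-4-106023: Deny udp src Internal:192.168.50.44/5353 dst outside:198.51.100.5/5353 by access-group "Inside_access_in" [0x4e3d0ed5, 0x0]
Mar 12 2015 16:12:40: %ASA-4-106023: Deny tcp src Internal:192.168.50.21/58842 dst outside:203.0.113.10/50007 by access-group "Inside_access_in" [0x4e3d0ed5, 0x0]
Mar 12 2015 16:13:05: %ASA-4-106023: Deny tcp src Internal:192.168.50.99/40000 dst outside:203.0.113.10/443 by access-group "Inside_access_in" [0x4e3d0ed5, 0x0]
"""

# Covers the tcp/udp form of %ASA-4-106023; icmp denies carry type/code instead of
# ports and are deliberately not matched.
_DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>tcp|udp) "
    r"src (?P<sif>[^:\s]+):(?P<sip>[^/\s]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[^:\s]+):(?P<dip>[^/\s]+)/(?P<dport>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)


@dataclass(frozen=True)
class Deny:
    proto: str
    src_if: str
    src: str
    sport: int
    dst_if: str
    dst: str
    dport: int
    acl: str


def parse_deny(line: str) -> Optional[Deny]:
    """Parse one syslog line; None if it is not a tcp/udp 106023 deny."""
    m = _DENY_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return Deny(g["proto"], g["sif"], g["sip"], int(g["sport"]),
                g["dif"], g["dip"], int(g["dport"]), g["acl"])


def data_channel_denies(lines: Iterable[str], ftp_servers: Set[str],
                        min_port: int = 1024) -> Dict[Tuple[str, str], List[int]]:
    """Group denied TCP connections from inside hosts to known FTP servers on
    non-well-known ports: the signature of a passive data channel the ASA did not
    open a pinhole for.  Returns {(client, server): sorted unique ports}."""
    hits: Dict[Tuple[str, str], Set[int]] = {}
    for line in lines:
        d = parse_deny(line)
        if d is None or d.proto != "tcp" or d.dst not in ftp_servers or d.dport < min_port:
            continue
        hits.setdefault((d.src, d.dst), set()).add(d.dport)
    return {k: sorted(v) for k, v in hits.items()}


def acl_line(acl: str, client: str, server: str, lo: int, hi: int) -> str:
    """ASA extended ACL entry for the static workaround used in the thread: permit the
    vendor-supplied data-port range from one client to one server.  Unlike an inspection
    pinhole, this is open permanently, so keep it to one host pair and the exact range."""
    if not 0 < lo <= hi <= 65535:
        raise ValueError("bad port range")
    return f"access-list {acl} extended permit tcp host {client} host {server} range {lo} {hi}"


if __name__ == "__main__":
    for (client, server), ports in data_channel_denies(SAMPLE_LOG.splitlines(), {"203.0.113.10"}).items():
        print(f"{client} -> {server}: blocked data ports {ports}")
        print(acl_line("Inside_access_in", client, server, 50000, 50010))
```

Two caveats for anyone reaching for this workaround. First, denies on the data ports while `inspect ftp` is configured mean the ASA never saw a 227 reply it could act on; before widening the access list it is worth confirming the control connection really is cleartext FTP on port 21, since a control channel protected with `AUTH TLS`, or a server listening on a non-standard port, is opaque to inspection and will behave exactly like this. Second, the static range is only as narrow as the vendor's configuration; if they later widen the server's passive range the transfers break again, and the access list has to follow.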
