Does ASA 8.2 Support FTPS Without Clear Command Channel
ASA cannot inspect SSL/TLS encrypted traffic. The breakdown occurs when the data channel is being built. Whether in active or passive mode, L3 (IP) and L4 (port) information regarding the data channel are transferred in the FTP/FTPS control channel. With traditional FTP and the ASA's FTP inspection, this data is "inspected" and "fixed" to match the public/outside/whatever interface IP and the ASA dynamically adds a permit ACL to allow the data channel traffic.
With SSL/TLS (as part of FTPS) the ASA cannot see the necessary control channel details to "inspect" or "fix" what is necessary to make the data channel work. As such, you will need to have some added smarts/capability built into the FTPS server application you are using.
Capabilities include the following:
1. The ability to set the port range sent in the control channel to be used for the data channel as used by passive mode (PASV) clients.
2. The ability to set the IP address sent in the control channel to be used for the data channel as used by passive mode (PASV) clients.
3. Lastly, in your firewall, permitting (via nat/static and ACL) the range configured in number 1.
In a Windows environment, Cerberus is a great FTP/FTPS/SFTP server that has the necessary features and functions.
Say your FTPS server has an inside IP 192.168.1.10 and outside IP 220.127.116.11.
Configure your FTPS server software to use TCP/35000 to TCP/35999 as a range for passive clients.
Configure your FTPS server software to send 18.104.22.168 as the IP for passive clients.
Configure your ASA to NAT (using static NAT or static PAT range) for TCP/35000 to TCP/35999 (plus TCP/21, TCP/990, etc.)
Configure your ASA to ACL permit TCP/35000 to TCP/35999 to the FTPS server (plus TCP/21, TCP/990, etc.)
Now when clients connect in from the WAN using implicit or explicit FTPS, the FTPS server will send back the correct WAN IP address (not its private address) and a TCP port in a known range to be used in the data channel. Having specifically NAT'd and ACL permitted the TCP ports, ASA inspection/fixup is not required.
ISE 2.7 Guest Access Management Features
The following document explains the guest features of ISE 2.7. For more detail on what ISE 2.7 has to offer, please check the associated documentation.
Auto Login on Sponsor Approval