cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
657
Views
0
Helpful
1
Replies

Does ASA 8.2 Support FTPS Without Clear Command Channel

dohogue
Level 1
Level 1

We are running a 5520 ASA @ Version 8.2. What needs to be done to configure it to support FTPS?

Thanks,

Doug

1 Reply 1

gurpsin2
Level 1
Level 1

ASA cannot inspect SSL/TLS encrypted  traffic.  The breakdown occurs when the data channel is being built.   Whether in active or passive mode, L3 (IP) and L4 (port) information  regarding the data channel are transferred in the FTP/FTPS control  channel.  With traditional FTP and the ASA's FTP inspection, this data  is "inspected" and "fixed" to match the public/outside/whatever  interface IP and the ASA dynamically adds a permit ACL to allow the data  channel traffic.

With SSL/TLS (as part of FTPS) the ASA cannot see the necessary  control channel details to "inspect" or "fix" what is necessary to make  the data channel work.  As such, you will need to have some added  smarts/capability built into the FTPS server application you are using.

Capabilities include the following:

  1. The ability to set the port range sent in the control channel to be  used for the data channel as used by passive mode (PASV) clients.
  2. The ability to set the IP address sent in the control channel to be  used for the data channel as used by passive mode (PASV) clients.
  3. Lastly, in your firewall, permitting (via nat/static and ACL) the range configured in number 1.

    In a Windows environment, Cerberus is a great FTP/FTPS/SFTP server that has the necessary features and functions.

For example:

Say your FTPS server has an inside IP 192.168.1.10 and outside IP 1.1.1.2.

  • Configure your FTPS server software to use TCP/35000 to TCP/35999 as a range for passive clients.
  • Configure your FTPS server software to send 1.1.1.2 as the IP for  passive clients.
  • Configure your ASA to NAT (using static NAT or static PAT range) for TCP/35000 to TCP/35999 (plus TCP/21, TCP/990, etc.)
  • Configure your ASA to ACL permit TCP/35000 to TCP/35999 to the the FTPS server (plus TCP/21, TCP/990, etc.)

Now when clients connect in from the WAN using implicit or explicit  FTPS, the FTPS server will send back the correct WAN IP address (not its  private address) and a TCP port in a known range to be used in the data  channel.  Having specifically NAT'd and ACL permitted the TCP ports,  ASA inspection/fixup is not required.

Let me know if you have any questions.

Regards