Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3916
Views
0
Helpful
4
Replies

FTP over TLS not working

piatthi1983
Level 1
Level 1

‎06-01-2012 06:59 AM - edited ‎03-11-2019 04:14 PM

hi all,

i configured port redirection on ASA to allow external user access to Internal FTPS Server.  but it's not working

i use Filezilla client to access but i have this error.

Statut :    Connexion à x.x.x.x:21...

Statut :    Connexion établie, attente du message d'accueil...

Réponse :    220-Microsoft FTP Service

Réponse :    220 FTP-Server FTP

Commande :    AUTH TLS

Réponse :    234 AUTH command ok. Expecting TLS Negotiation.

Statut :    Initialisation de TLS...

Erreur :    Délai d'attente expiré

Erreur :    Impossible d'établir une connexion au serveur

please can somebody know what can cause this issue ?

thanks for your help

Labels:
0 Helpful
4 Replies 4

Julio Carvajal
VIP Alumni
VIP Alumni

‎06-01-2012 08:49 AM

Hello,

Is this FTPS server working on active mode?

Can you share the nat configuration for the server?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

piatthi1983
Level 1
Level 1
In response to Julio Carvajal

‎06-01-2012 08:55 AM

ASA is configured in Passive Mode.

this is NAT configuration

static (DMZ1,outside) tcp  interface  20  'ftps-server-private IP'  20

static (DMZ1,outside) tcp  interface  21  'ftps-server-private IP'  21

access-list outside_access_in  extended permit tcp any host 'Outside_public_IP' eq 20

access-list outside_access_in  extended permit tcp any host 'Outside_public_IP' eq 21

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to piatthi1983

‎06-01-2012 09:32 AM

Hello,

Here is a document that you will need to read

https://supportforums.cisco.com/docs/DOC-23206

As you can see you will be using   FTPS (FTP over SSL) that uses port 990 for the control channel (this information is encrypted) and the data channel goes on plain text.

Is there a way you can use a static one to one and then allow port 990 on the outside ACL?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

hobbe
Level 7
Level 7

‎06-01-2012 12:02 PM

Hi

FTPS is not supported in the ASA.

Due to the problem of traffic beeing encrypted.

However you can in some FTPS servers setup that you are only able to use some few ports.

Then you can open for all those ports that you have choosen.

If you want a better alternative than FTPS use SFTP.

FTPS is firewall unfriendly

SFTP is firewall friendly

SFTP will work correctly all the time.

Good luck

HTH

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card