02-04-2008 11:29 AM - edited 03-11-2019 04:58 AM
I need to connect to an FTP server over SSL, to a server that I do not have any control over. My problem is the ASA does not allow the connection because it is going over SSL and so it cannot inspect the packets. Does anyone have a workaround for this? I only need this to work for 1 internal client, so I thought maybe a 1:1 NAT would work, but it didn't, or I didn't do it correctly. I have talked to the people that run the FTP server and all they were able to tell me is to make sure ports 20 & 21 and ports greater than 1024 are open to their server. Any suggestions would be appreciated. Thanks
02-04-2008 12:37 PM
I know with some SSL FTP servers, the administrator can choose which ports above 1024 it will use. Unfortunately it doesn't sound like you're going to get that level of cooperation from them. Do the static NAT, and then just allow all those ports from that one server?
02-04-2008 02:20 PM
This is 2008, not 1998. FTP should be banned.
There is a very simple solution to this. Secure Copy, scp. scp runs as a sub-system of SSH, and you can encrypt your traffic with AES256-cbc with SHA-1. Make it very on the firewall and anyone managing it. Allow tcp port 22 on the firewall and you're set.
CCIE Security
02-04-2008 06:45 PM
I agree with you 100%, however I don't have a choice. What is really irritating is the organization we are sending this data to used to have an SSL-secured website you could just upload it to, but they switched back to FTP over SSL, because they "claimed" it was more secure. I am going to try the static NAT and will let you know what happens.
02-05-2008 07:02 AM
OK, so I tried the following and it didn't work. I admit I probably did something wrong.
static (inside, outside)
access-list ftps extended permit ip host
And then I applied it to the outside interface
access-group ftps in interface outside
Let me know what I did wrong. Thanks
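The static NAT plus access-list approach discussed in this thread, written out in full as an added example; it is not configuration posted by anyone here. It assumes ASA 7.x/8.0-era syntax (pre-8.3 NAT, where an ACL on the outside interface references the translated address) and uses constructed placeholder addresses. The last part, excluding the one server from FTP inspection, is an assumption about why an encrypted control channel is dropped, not something the thread confirms.

```cisco
! Added example, not config posted in this thread. All addresses are
! constructed placeholders; substitute the real hosts.
!   10.1.1.50      internal client that needs to reach the FTPS server
!   203.0.113.50   public address that client is translated to
!   198.51.100.20  the third-party FTPS server

! 1:1 static translation for the single internal client.
static (inside,outside) 203.0.113.50 10.1.1.50 netmask 255.255.255.255

! Inbound (outside -> inside) permit, scoped to the one server and the one
! translated address. Active-mode data connections come back from the
! server's port 20 to a port above 1024 on the client; nothing else is
! opened. Passive-mode data channels are opened by the client and need no
! inbound permit, because inside-initiated connections are allowed by default.
! Matching on the server's source port is a weak check on its own, which is
! why the entry is pinned to the single server host and single client address.
access-list ftps extended permit tcp host 198.51.100.20 eq ftp-data host 203.0.113.50 gt 1024
access-group ftps in interface outside

! Caveat (assumption, not confirmed in the thread): the default global
! policy runs FTP inspection on tcp/21, and it cannot parse a TLS-encrypted
! control channel. Exclude this one server from FTP inspection while keeping
! inspection for all other FTP traffic. Deny entries in a class-map ACL
! exclude that traffic from the class.
access-list ftp-inspect extended deny tcp any host 198.51.100.20 eq ftp
access-list ftp-inspect extended permit tcp any any eq ftp
class-map ftp-inspect-class
  match access-list ftp-inspect
policy-map global_policy
  class inspection_default
    no inspect ftp
  class ftp-inspect-class
    inspect ftp
```

After applying it, `show xlate` should show the static translation for 10.1.1.50, and `show access-list ftps` should show hit counts climbing on the ftp-data entry only when the server uses active mode; if the control connection itself never completes, the inspection exclusion is the first thing to check.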