Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3224
Views
0
Helpful
4
Replies

FTPS via ASA

mvsheik123
Level 7
Level 7

‎03-25-2010 07:12 AM - edited ‎03-11-2019 10:25 AM

Hi all,

We have ASA5510/20 running in NAT/routed mode. We received a request to open ports for internal server to make FTPS connection to outside servers. Internal server initiate the connection. External vendor asked us to open 9021 (FTP ctrl) & 20000-20099 (PASV/EPASV) for their IPs. Long time back while I was testing with FTPS via PIX, ran into some data transfer issues. Never got a chance to check on it later.The ASAs running 7.2 (4) and 7.1 (2). Using One-one NAT for servers. Do this still poses encryption issues for FTPS or not to expect any issues for the FTPS connectivity (with the above said ports opened).

Thanks in advance

MS

Labels:
0 Helpful
4 Replies 4

shailesh.h
Level 1
Level 1

‎03-25-2010 08:34 AM

1. You are using one-to-one NAT with FTP exposed to outside should not have problem is application running on the defined ports by the server admin team.

2. To get insight view you can monitor the sample FTP sessions and check for any dropping of the packet. If you still face problem ask server team to carry out the sample FTP from inside network. If it successful then should be successful from outside as well.

3. Sometime even on servers some policies maintained either by antivirus or FTP application.. needs to have visibility beside network access control

Hope this will help you to resolve the problem

0 Helpful

mvsheik123
Level 7
Level 7
In response to shailesh.h

‎03-25-2010 12:54 PM

Hi Shilesh,

Thanks for the reply. But with the case of FTPS (FTP/SSL), due to the encryption there may be an issue while Firewall inspect the incoming traffic. Thanks again.

MS

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to mvsheik123

‎03-25-2010 02:48 PM

Absolutely correct. Since the FTP is encrypted, ASA is not able to inspect into the FTP packet to dynamically open pinhole for FTP Data.

0 Helpful

shailesh.h
Level 1
Level 1
In response to mvsheik123

‎03-26-2010 03:32 AM

>> Did you manage to check the same whether FTPS working locally? If yes, then get the output of netstat

- n from the system. It will show you the ports open on the server. This also confirm if there is an issue with server or client.

>> Once this confirms you can get one side that there is no problem with FTPS server and client software they are using..

>> You can cross verify the ports with the output of netstat -n command

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card