01-10-2011 05:45 AM - edited 03-11-2019 12:33 PM
Hi,
How do you define the ftps service? tcp/989, tcp/990 and tcp/20, plus service-policy inspection ftp?
Any help would be appreciated.
01-10-2011 06:14 AM
Under the policy-map you would enable inspect ftp. This will inspect tcp 21 and, depending on active or passive ftp, will automatically open pinholes for the data channel.
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect icmp
  .
  .
  inspect tftp
service-policy global_policy global
Sorry, I didn't realize you are asking for secure ftp. That cannot be inspected.
-KS
01-10-2011 07:00 AM
Dear Sankar,
By the way, I mean ftps and not sftp. But you mean that ftps connections cannot be dynamically mapped? What is the most secure approach to ftps, which can go over 990/989 and some dynamic ports?
01-10-2011 07:16 AM
That is correct. The FTP inspection engine does not understand the SSL/TLS negotiation.
I am not sure making FTPS work is as simple as permitting ports 989/990. You probably would have to open dynamic ports as well, maybe a range 50000-50004 or something that is required.
-KS
01-10-2011 07:20 AM
But Cisco should have a best practice configuration guide on how to do that, no?
From checkpoint you get something like:
· ftp-ssl-control: port 990
· ftp-ssl-data: port number ">1024" (greater than 1024), source port 989
I was expecting that Cisco has this as well. Does Cisco not maintain a best practices configuration for all kinds of protocols? If not, you should have one!
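To put the two approaches discussed above side by side, here is an added ASA configuration example; it is not from the thread or from Cisco documentation. The first part is the plain-FTP inspection KS described, where the engine reads the PORT/PASV exchange on tcp/21 and opens the data pinholes itself. The second part is the static alternative for FTPS that the thread points at: because the control channel is encrypted, the firewall cannot learn the data port, so the server has to be pinned to a fixed passive range and that range permitted explicitly. The interface name, the server address 203.0.113.10, the object names and the passive range 50000-50004 are all assumptions.

```cisco
! Constructed example, not from the thread. Interface names, addresses,
! object names and the passive port range are assumptions.

! Part 1: plain FTP on tcp/21. The inspection engine parses the control
! channel and opens data-channel pinholes dynamically, so no data ports
! need to be permitted by hand.
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global

! Part 2: FTPS (FTP over TLS). The control channel is encrypted, so the
! inspection engine cannot read PORT/PASV and cannot open pinholes.
! Assumption: the FTPS server is configured to use passive mode with a
! fixed data port range (here 50000-50004), so the permitted range stays
! small instead of "any port above 1024".
object-group service FTPS-PORTS tcp
 port-object eq 990
 port-object range 50000 50004
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.10 object-group FTPS-PORTS
access-group OUTSIDE-IN in interface outside

! Optional, only if active-mode FTPS must also work and outbound traffic
! from the server is filtered: the server connects from source port 989
! to a high port on the client (the "source port 989" from the
! Check Point description above).
access-list INSIDE-OUT extended permit tcp host 203.0.113.10 eq 989 any gt 1023
access-group INSIDE-OUT in interface inside
```

Two points worth checking on a real deployment: first, explicit FTPS (AUTH TLS on tcp/21) is in the same position as implicit FTPS on tcp/990 once the TLS handshake finishes, so it also needs the static range rather than relying on inspect ftp; second, keep the passive range as narrow as the server's expected concurrency allows, since every port in it is permanently reachable from the outside rather than opened per session.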
01-10-2011 07:33 AM
I am really not sure. Let me see if I can find out for you.
-KS