Help to Allow SFTP through ASA Firewall to External Server

bavingtonm
Level 1

Hi

Please could someone assist me with how to configure SFTP client traffic through an ASA FW to an external server address.

I have inherited the issue and its been a while since I performed similar tasks and all commands on the appliance seem to have changed since I last worked on Cisco Pix FW.

Requirements:

I need a specific internal server SFTP client (10.125.120.0/24 network) to upload to an external server (10.200.10.0 network).

Can someone please help me and assist me with the correct command to enter?

Cisco Adaptive Security Appliance Software Version 9.8 (1)

All suggestions welcomed and many thanks in advance.

Thanks

Accepted Solution

@bavingtonm I assume you have an ACL applied inbound on your inside interface that is restricting egress traffic?

As below, create objects to represent your internal and external subnets. Then you need to find out the name of your ACL applied inbound on the inside interface and create a rule similar to the one below, just replace <<YOUR ACL NAME>> with the name of your ACL.

object network SFTP-Clients
subnet 10.125.120.0 255.255.255.0
object network SFTP-Servers
subnet 10.200.10.0 255.255.255.0
!
access-list <<YOUR ACL NAME>> permit tcp object SFTP-Clients object SFTP-Servers eq 22

You can find the name of the ACL by using the command "show run | i access-group" and look for the ACL applied on the "in" direction of the inside interface.


7 Replies

Presumably I can create this ACL with a new ACL name, e.g. "sftp-access", and apply it alongside the other ACLs that are already configured?

thanks

@bavingtonm no, you can only have one ACL applied to an interface in the same direction. As I mentioned, you need to modify your existing ACL that is applied to the inside interface on the "in" direction.

From Cisco doc.

Unable to Run FTPS (FTP Over SSL) across ASA

FTP with TLS/SSL (SFTP / FTPS) is not supported through the Security Appliance. FTP connection is encrypted, so there is no way that the firewall is able to decrypt the packet. Refer to PIX/ASA: Security Appliance FAQ for more information.

MHM

As @Rob Ingram suggested, adding a new access list entry with destination port 22/tcp to your existing access list will do the trick because SFTP uses port 22/tcp by default. The place where you add this new entry depends on how the existing access list is configured. For instance, if you have an explicit deny rule that would include the subnet 10.125.120.0/24 going to anywhere, then the new entry should be placed above that explicit deny rule. In that case you can use the line number alongside the new entry. Here is an example of how to use the line number:

access-list <<YOUR ACL NAME>> line 15 extended permit tcp object SFTP-Clients object SFTP-Servers eq 22

To check the access lists entries line number, you can use the command "sh access-list <<YOUR ACL NAME>>".
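As an added example (not code from the thread or from Cisco), the following Python script parses a constructed sample of "show access-list" output, applies the ASA's first-match evaluation to the SFTP flow, and reports the line number to use so the new permit is evaluated before the deny that currently blocks it. The ACL name INSIDE_IN, its entries, the hit counts and the small port-name table are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample of "show access-list INSIDE_IN" output; name and entries are invented.
SAMPLE_ACL = """\
access-list INSIDE_IN; 3 elements; name hash: 0x1a2b3c4d
access-list INSIDE_IN line 1 extended permit tcp 10.125.120.0 255.255.255.0 any eq https (hitcnt=120) 0xaaaa1111
access-list INSIDE_IN line 2 extended deny ip 10.125.120.0 255.255.255.0 any (hitcnt=5) 0xbbbb2222
access-list INSIDE_IN line 3 extended permit ip any any (hitcnt=0) 0xcccc3333
"""

PORT_NAMES = {"ssh": 22, "https": 443, "www": 80}  # assumed subset of ASA port keywords
ACE_RE = re.compile(
    r"^access-list \S+ line (?P<line>\d+) extended (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<src>any|\S+ \S+) (?P<dst>any|\S+ \S+)(?: eq (?P<port>\S+))?"
)

def _net(token):
    """'any' -> 0.0.0.0/0; 'addr mask' -> ip_network (netmask form is accepted)."""
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token.replace(" ", "/"))

def parse_acl(text):
    """Extract ACEs (line, action, proto, src, dst, port) from show access-list output."""
    aces = []
    for m in filter(None, map(ACE_RE.match, text.splitlines())):
        port = m["port"]
        aces.append({"line": int(m["line"]), "action": m["action"], "proto": m["proto"],
                     "src": _net(m["src"]), "dst": _net(m["dst"]),
                     "port": PORT_NAMES.get(port, int(port) if port and port.isdigit() else None)})
    return aces

def first_match(aces, src_ip, dst_ip, proto, dport):
    """ASA ACLs are first-match: return the first ACE covering the flow, None = implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for a in aces:
        if a["proto"] in ("ip", proto) and s in a["src"] and d in a["dst"] \
                and a["port"] in (None, dport):
            return a
    return None

def line_for_new_permit(aces, src_ip, dst_ip, proto, dport):
    """Line number for 'access-list NAME line N extended permit ...' so the new entry sits
    above the deny that currently catches the flow; None if the flow is already permitted."""
    hit = first_match(aces, src_ip, dst_ip, proto, dport)
    if hit and hit["action"] == "permit":
        return None
    if hit:
        return hit["line"]  # insert at the deny's line number; the deny shifts down by one
    return aces[-1]["line"] + 1 if aces else 1  # only the implicit deny blocks it: append
```

Run the script's functions against your own "sh access-list" output to see which entry currently matches the SFTP flow; the hit counts also confirm whether a deny is actually being hit.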

bavingtonm
Level 1

Thank you all for the comments and assistance, all now working as expected!

Do you pass the inspection?

Can I see how you bypass inspection?

Thanks

MHM
