07-22-2011 03:15 AM - edited 03-11-2019 02:02 PM
I have an ASA 5505 configured in PAT mode and an FTPS (FTP over SSL/TLS) server on the inside interface. I have tried for a while now to configure the ASA to open up ports to the FTP server on the following ports:
FTP port: 7800
Passive port range: 55536-55663
But I can't get it to work. As far as I have got is to open the main FTP port so I can do a socket-level connect, but not to get the whole thing working.
Any tips?
07-22-2011 03:46 AM
This depends a bit on which SFTP flavor you are using. If it is FTP over SSH, it should be TCP/22 or the port number configured on the SSH server. If it is the one described in RFC 4217 (previously 2228), the SFTP server by default listens on the IANA well-known port 990/TCP for the FTPS control channel and 989/TCP for the FTPS data channel.
In secure SFTP implementations we should not use dynamic port assignment; if we do, the ASA has no chance to inspect this secure conversation. So you don't have to open a whole range of ports in the ASA ACLs.
07-22-2011 04:48 AM
Sorry, sloppy posting.
It's FTP just allowing SSL/TLS connections, called FTPS I think, on non-standard ports.
07-22-2011 08:03 AM
I would suggest using Wireshark to connect locally (without the ASA in between) and check the exact port numbers the FTP server is using, and then allowing those ports in the ASA.
07-22-2011 09:44 AM
I know the port numbers, they are in my first post. I just can't get the access rules and/or inspections to work so the FTPS session works.
07-22-2011 08:18 PM
That is what I am trying to say: if it is not working after specifying the access rules, then it may be using some other port as well.
Can you paste the access rules and NAT statements here? And it would be better if you could put Wireshark at the client end to see at what phase the connection stops exactly.
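As an added diagnostic (not code from any poster in this thread), the script below does what the Wireshark suggestion aims at from the client side: it opens the control channel on port 7800, negotiates TLS, sends PASV, and reports whether the address and port the server advertises fit the statically opened range 55536-55663. Because the 227 reply travels inside TLS, the ASA's FTP inspection cannot read or rewrite it, so any mismatch shown here has to be fixed in the server's passive configuration and in static NAT/ACL rules. The hostname, public IP and credentials passed to `probe()` are assumptions the caller supplies.

```python
import re
import socket
from ftplib import FTP_TLS

# Values taken from the thread: control port 7800, passive range 55536-55663.
CONTROL_PORT = 7800
PASV_RANGE = (55536, 55663)

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str):
    """Parse a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply into (ip, port)."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(reply: str, public_ip: str, pasv_range=PASV_RANGE):
    """Return the problems a NAT/firewall admin would have to fix for this PASV reply."""
    ip, port = parse_pasv(reply)
    problems = []
    if ip != public_ip:
        # Behind PAT, the server must advertise the outside address itself;
        # the ASA cannot rewrite an address hidden inside the TLS control channel.
        problems.append(f"server advertises {ip} instead of public address {public_ip}")
    lo, hi = pasv_range
    if not lo <= port <= hi:
        problems.append(f"data port {port} is outside the opened range {lo}-{hi}")
    return problems


def probe(host: str, public_ip: str, user: str = "anonymous", password: str = ""):
    """Live check against a real server (hostname/IP/credentials are caller-supplied)."""
    ftps = FTP_TLS()
    ftps.connect(host, CONTROL_PORT, timeout=10)
    ftps.login(user, password)          # issues AUTH TLS before sending credentials
    ftps.prot_p()                       # data channel will be TLS-protected as well
    reply = ftps.sendcmd("PASV")
    problems = check_pasv(reply, public_ip)
    ip, port = parse_pasv(reply)
    try:                                # does the data port actually get through the ASA?
        with socket.create_connection((ip, port), timeout=5):
            pass
    except OSError as exc:
        problems.append(f"data connection to {ip}:{port} failed: {exc}")
    ftps.quit()
    return problems
```

An empty list from `probe()` means the control port, the advertised address and one data port all pass through the firewall; a non-empty list names the first layer to fix.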