Secure FTP (SSL/TLS)

burann4242
Level 1

I have an ASA 5505 configured in PAT mode and an FTPS (FTP over SSL/TLS) server on the inside interface. I have tried for a while now to configure the ASA to open up ports to the FTP server on the following ports:

FTP port: 7800

Passive port range: 55536-55663

But I can't get it to work. As far as I have got is to open the main FTP port so I can do a socket-level connect, but not to get the whole thing working.

Any tips ?

5 Replies 5

denizkaya
Level 1

This is a bit related to which SFTP flavor you are using. If it is FTP over SSH it should be TCP/22 or the port number configured in the SSH server. If it is the one described in RFC 4217 (previously 2228), the SFTP server by default listens on the IANA well-known port 990/TCP for the FTPS control channel and 989/TCP for the FTPS data channel.

In secure SFTP implementations we should not use dynamic port assignment. If we do, the ASA has no chance to inspect this secure conversation. So you don't have to open the whole range of ports in ASA ACLs.
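The reason the reply above matters: on plain FTP the ASA's FTP inspection reads the server's 227/229 reply to learn the passive data port and opens a pinhole for it; once the control channel is inside TLS the firewall sees only ciphertext, so the passive range has to be opened statically and the server must advertise an address and port that actually match what the firewall forwards. The following is an added example, not code from the thread or from Cisco, that checks passive-mode replies captured locally (for instance from a client run with TLS debugging, as suggested later in the thread) against the range from the question. The control port 7800 and passive range 55536-55663 come from the question; the public address 203.0.113.10 and the reply lines are constructed for the example.

```python
"""Check FTP PASV / EPSV replies against a statically opened passive-port range.

Added example (not part of the original thread). Because a TLS-protected
control channel hides the 227/229 replies from the ASA, the operator has to
verify by hand that every advertised data port falls inside the range that
was opened on the firewall and that the advertised address is the one the
client can actually reach. Sample replies below are constructed.
"""
import re

# Values from the question: control port 7800, passive range 55536-55663.
CONTROL_PORT = 7800
PASSIVE_RANGE = (55536, 55663)

# 227 reply carries (h1,h2,h3,h4,p1,p2): port = p1*256 + p2.
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# 229 reply (RFC 2428) carries only the port: (|||port|); address is the control address.
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")


def parse_pasv(line):
    """Return (host, port) from a 227 reply, or None if the line is not a valid one."""
    m = PASV_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        return None  # malformed: every field must fit in one byte
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def parse_epsv(line):
    """Return the data port from a 229 reply, or None if the line is not a valid one."""
    m = EPSV_RE.match(line)
    if not m:
        return None
    port = int(m.group(1))
    return port if 0 < port < 65536 else None


def check_reply(line, expected_host, lo=PASSIVE_RANGE[0], hi=PASSIVE_RANGE[1]):
    """Classify one server reply line.

    Verdicts:
      'ok'          data port inside the opened range, address as expected
      'bad-port'    port outside the opened range (the firewall will drop the data connection)
      'bad-host'    PASV advertises an address the client cannot reach through the firewall
                    (typically the server's private inside address leaking through PAT)
      'not-passive' line is not a 227/229 reply
    """
    pasv = parse_pasv(line)
    if pasv is not None:
        host, port = pasv
        if host != expected_host:
            return "bad-host"
        return "ok" if lo <= port <= hi else "bad-port"
    port = parse_epsv(line)
    if port is not None:
        return "ok" if lo <= port <= hi else "bad-port"
    return "not-passive"


# Constructed sample replies, as a client would log them after sending PASV/EPSV.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (203,0,113,10,216,255).",  # 216*256+255 = 55551, inside range
    "227 Entering Passive Mode (192,168,1,20,217,0).",    # inside address leaked through PAT
    "229 Entering Extended Passive Mode (|||55700|)",     # above 55663
    "227 Entering Passive Mode (203,0,113,10,217,127).",  # 217*256+127 = 55679, above 55663
    "230 Login successful.",                              # not a passive-mode reply
]


def audit(replies, expected_host="203.0.113.10"):
    """Return one verdict per reply line."""
    return [check_reply(r, expected_host) for r in replies]


if __name__ == "__main__":
    for reply, verdict in zip(SAMPLE_REPLIES, audit(SAMPLE_REPLIES)):
        print(f"{verdict:12s} {reply}")
```

A 'bad-host' verdict is the usual culprit behind "control connection works, directory listing hangs": the server builds the 227 reply from its own inside address, and with the reply encrypted the ASA cannot rewrite it the way FTP inspection would on a cleartext session, so the server itself has to be told its external address. A 'bad-port' verdict means the server's configured passive range and the range opened on the firewall have drifted apart.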

Sorry, sloppy posting.

It's FTP just allowing SSL/TLS connections, called FTPS I think, on non-standard ports.

I would suggest using Wireshark to connect locally (without the ASA in between) and check the exact port numbers the FTP server is using, and then allowing those ports in the ASA.

I know the port numbers, they are in my first post. I just can't get the access rules and/or inspections to work so the FTPS session works.

That is what I am trying to say: if it is not working after specifying the access rules, then it may be using some other port also.

Can you paste the access rules and NAT statement here? And it would be better if you could just run Wireshark at the client end to see at what phase exactly the connection stops.
