Secure FTP through PIX and VPN L2L

jose cortes
Level 1

Hi everybody,

I have this need from a customer. They have multiple VPN L2L connections with multiple offices (the configuration is a mess), but the issue is:

One of the sites needs to use SFTP to transfer files from that branch office to the main office. They use software like FileZilla acting as the SFTP client. When they transfer the files using FTP, the tunnel comes up and the transfer is successful. But when they try to use SFTP, not even the authentication happens, and the VPN tunnel does not come up.

I've been reading the posts about SFTP, and some say it works while others say it does not. I read the Cisco documentation, and it says it is not possible because of the SSH encryption. Could somebody please clarify whether the use of SFTP is possible through a PIX firewall or an ASA firewall, and what considerations I should have?

Regards

Jose

3 Replies

Maykol Rojas
Cisco Employee

Hi Jose,

Over the tunnel I don't think there is any problem. You see, the issue comes when opening the data channel in order to pass the file: since the inspection on the ASA (which works by looking at the payload on port 21) does not see what port is going to be used nor the IPs involved, it won't open the data channel.

But on a VPN tunnel (under normal circumstances) you have permit ip any any for the interesting traffic, meaning all IP traffic is going to pass across it.

What I am trying to say is that, for traffic flowing from inside to outside with no VPN on it, it should fail (as documented); over the tunnel, I don't see why it would fail.

I am starting to think that the problem can be related to the interesting traffic defined on the tunnel itself.

Hope it helps.

Mike
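As an added illustration of the interesting-traffic hypothesis Maykol raises (this is not from the thread and not the poster's configuration): a crypto ACL that only matches FTP control traffic would give exactly the reported symptom, while an ACL that matches all IP traffic between the two LANs lets SFTP (tcp/22) trigger and ride the tunnel. Subnets, peer address, ACL and crypto map names are placeholders, and the syntax assumes ASA / PIX 7.x.

```cisco
! Placeholders (assumed, not from the thread):
!   10.1.1.0/24  = branch office LAN behind this PIX/ASA
!   10.2.2.0/24  = main office LAN
!   203.0.113.1  = main office VPN peer
!
! --- Interesting traffic that reproduces the symptom ---
! Only the FTP control connection matches the crypto ACL, so an FTP
! session negotiates the SA and the tunnel comes up. An SSH/SFTP
! connection to tcp/22 never matches, so no SA is negotiated and the
! packet leaves the outside interface in the clear (or is dropped):
! no tunnel, no SSH banner, no authentication.
access-list L2L_MAIN_FTP_ONLY extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq ftp
!
! --- Corrected interesting traffic ---
! Match all IP between the two site LANs (the "permit ip" style
! Maykol describes, scoped to the two subnets rather than any any).
! FTP, SFTP and everything else between the LANs now triggers the tunnel,
! and FTP inspection on port 21 is no longer the deciding factor.
access-list L2L_MAIN extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!
! Bind the corrected ACL to the L2L crypto map entry for this peer.
crypto map OUTSIDE_MAP 10 match address L2L_MAIN
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
!
! Verification after an SFTP attempt from the branch:
!   show access-list L2L_MAIN        -> hit count on the permit ip line increments
!   show crypto ipsec sa peer 203.0.113.1
!                                    -> #pkts encaps/decaps increment for tcp/22 flows
```

If the crypto ACL already permits ip between the LANs, the next thing to check is whether the SFTP server's subnet is actually covered by those entries, which is what the packet-tracer output later in the thread would show.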

Hi Maykol,

But when I try to do an FTP transfer, the tunnel works... that's why I thought the problem was the SSH encryption. As you said, the interesting traffic is allowed by a "permit any" rule. So I cannot figure out what else could be failing but the 'S' in SFTP.

Regards,

Jose

On the PIX, would you please do the following?

packet-tracer input inside tcp 1025 22

Cheers

Mike