06-28-2011 08:20 AM - edited 03-11-2019 01:52 PM
Hi everybody, I have this need from a customer. They have multiple VPN L2L connections with multiple offices (the configuration is a mess), but the issue is: one of the sites needs to use SFTP to transfer files from that branch office to the main office. They use software like FileZilla acting as the SFTP client. When they transfer the files using FTP, the tunnel goes up and the transfer is successful. But when they try to use SFTP, not even the authentication happens, and the VPN tunnel does not go up.
I've been reading the posts about SFTP, and some say it works while others say it does not. I read the Cisco documentation and they say it is not possible because of the SSH encryption. Could somebody please clarify whether the use of SFTP is possible through a PIX firewall or an ASA firewall, and what considerations I should have?
Regards
Jose
06-28-2011 10:12 AM
Hi Jose,
Over the tunnel I don't think there is any problem. You see, the issue comes when opening the data channel in order to pass the file: since the inspection on the ASA (which works by looking at the payload on port 21) does not see what port is going to be used nor the IPs involved, it won't open the data channel.
But on a VPN tunnel (under normal circumstances) you have "permit ip any any" for the interesting traffic, meaning all IP traffic is going to pass across it.
What I am trying to say is that, for traffic flowing from inside to outside with no VPN on it, it should fail (as documented); over the tunnel, I don't see why it would fail.
I am starting to think that the problem can be related to the interesting traffic defined on the tunnel itself.
Hope it helps.
Mike
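To illustrate the two points in Mike's reply, here is an added example (not code from the original thread or from Cisco). Part 1 shows what an FTP-aware firewall has to pull out of the port-21 payload (the PORT command or the 227 PASV reply) to learn which data connection to permit; an SSH/SFTP session announces no such secondary connection, so there is nothing for the inspection engine to find and nothing it needs to pinhole. Part 2 is a minimal first-match evaluator for a crypto-map "interesting traffic" ACL, showing how a "permit ip any any" entry covers tcp/22 while a narrower FTP-only ACL would reproduce the symptom in the thread. All addresses, ports and ACL entries are constructed for illustration.

```python
"""FTP inspection vs. SFTP, and crypto-map ACL coverage.

Added example, not from the original thread. Every address, port and
ACL entry below is constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# --- Part 1: what "inspect ftp" must extract from the port-21 payload -------

# Active mode: the client tells the server where to connect back to.
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")
# Passive mode: the server tells the client which port to connect to.
PASV_RE = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class DataChannel:
    mode: str   # "active" (PORT) or "passive" (227 reply)
    ip: str
    port: int


def _decode(groups: Tuple[bytes, ...]) -> Tuple[str, int]:
    """Turn h1,h2,h3,h4,p1,p2 into ("h1.h2.h3.h4", p1*256 + p2)."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("FTP host/port octet out of range")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def parse_ftp_control_line(line: bytes) -> Optional[DataChannel]:
    """Return the data connection an FTP-aware firewall would have to
    pinhole, or None when the line announces no secondary connection
    (which is the case for every byte of an SSH/SFTP session)."""
    m = PORT_RE.match(line)
    if m:
        ip, port = _decode(m.groups())
        return DataChannel("active", ip, port)
    m = PASV_RE.match(line)
    if m:
        ip, port = _decode(m.groups())
        return DataChannel("passive", ip, port)
    return None


# --- Part 2: does the crypto-map ACL cover the flow at all? -----------------

@dataclass(frozen=True)
class Flow:
    proto: str               # "tcp", "udp", ...
    dst_port: Optional[int]  # None for protocols without ports


@dataclass(frozen=True)
class Ace:
    """One permit entry of a crypto ACL, reduced to what matters here."""
    proto: str               # "ip" matches every protocol
    dst_port: Optional[int]  # None matches any destination port


def is_interesting(acl: List[Ace], flow: Flow) -> bool:
    """First-match evaluation of a permit-only crypto ACL."""
    for ace in acl:
        proto_ok = ace.proto == "ip" or ace.proto == flow.proto
        port_ok = ace.dst_port is None or ace.dst_port == flow.dst_port
        if proto_ok and port_ok:
            return True
    return False


# Constructed ACLs: the usual "permit ip any any", and a narrow one that
# would bring the tunnel up for FTP but never for SFTP.
ACL_PERMIT_IP_ANY_ANY = [Ace("ip", None)]
ACL_FTP_ONLY = [Ace("tcp", 21), Ace("tcp", 20)]

FTP_CONTROL = Flow("tcp", 21)
SFTP = Flow("tcp", 22)  # SFTP rides inside SSH: one TCP connection, no data channel


if __name__ == "__main__":
    # Constructed control-channel lines (not captured from the thread).
    for raw in (b"PORT 10,1,1,50,195,80\r\n",
                b"227 Entering Passive Mode (172,16,20,10,39,16).\r\n",
                b"SSH-2.0-OpenSSH_7.4\r\n"):
        print(raw.strip(), "->", parse_ftp_control_line(raw))
    for name, acl in (("permit ip any any", ACL_PERMIT_IP_ANY_ANY),
                      ("ftp only", ACL_FTP_ONLY)):
        print(f"{name}: FTP={is_interesting(acl, FTP_CONTROL)} "
              f"SFTP={is_interesting(acl, SFTP)}")
```

The takeaway for the thread: SFTP never needs the FTP inspection engine, because the whole session is a single TCP connection to port 22; if that flow is not matched by the crypto ACL, the tunnel is simply never triggered for it, which is exactly the "tunnel does not come up" symptom.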
06-28-2011 10:28 AM
Hi Mykol, but when I try to do an FTP transfer the tunnel works... that's why I thought the problem is the SSH encryption. As you said, the interesting traffic is allowed by a "permit any" rule. So I cannot figure out what else could be failing but the 'S' in SFTP.
Regards,
Jose
06-28-2011 10:38 AM
On the PIX, would you please do the following?
packet-tracer input inside tcp
Cheers
Mike