01-21-2013 08:26 AM - edited 03-11-2019 05:50 PM
Hi,
We are trying to get SFTP working from a server (x.x.128.13) within our network to another company's server (x.x.114.132) which we connect to via the Internet. From our server the connection hits our ASA Firewall where we have rules in place to allow the connection on a customised port of 29052. The firewall then NATs the source IP of our server to a public IP (x.x.36.60), thus making it routable on the Internet.
We have done some packet captures on our ingress (inside) interface and egress (Internet) interface and we can see that the 3-way TCP handshake is successful between the two servers, but then all further communication fails.
We see no further packets on our ingress interface but we do see further packets on the egress side. What we see is a "RST+ACK" from the destination server, but this is never passed on to the server within our network. We also see our ACK packet from the 3-way handshake being sent back to the destination server, but again this only appears in the egress capture and is not being sent by the server. Both of these packets repeat about 6 times and then we see nothing further.
I have attached the packet capture.
At the far end the 3rd party doesn't see any of our repeated ACKs, and when the connection works normally through a different infrastructure/firewall we see the 4th packet as a normal packet. The initial payload of this RST+ACK is the same payload we see in the 4th packet when the connection works.
Any help with this would be appreciated.
Regards
Stuart
01-21-2013 10:40 AM
Hello Soliver,
So basically you are using a customized program that will allow you to run SFTP over port 29052? Right?
Either way it's just a single channel so it should not be any problem regarding the firewall not being able to identify the data channel ( as there is only one for both the control/data communication)
Is there a way you could share those captures in Wireshark format?
Also do the following capture
cap asp type asp-drop all circular-buffer
Then try to connect and share
show cap asp | include x.x.114.132
This will show us if the firewall is dropping some traffic based on its code (Accelerated Security Path algorithm).
Regards,
Julio Carvajal
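The manual comparison Stuart describes (segments that appear on the egress capture but never on the ingress one, after undoing the source NAT) can be automated. This is an added example, not code from either poster; the addresses are RFC 5737 placeholders standing in for the redacted x.x.128.13 / x.x.36.60 / x.x.114.132, and the two capture lists are constructed sample data modelled on the symptoms in the thread rather than the attached pcap.

```python
from collections import Counter, namedtuple

# One captured TCP segment (payload omitted; seq/ack/flags identify it).
Pkt = namedtuple("Pkt", "src dst sport dport flags seq ack")

# Placeholder addresses: the thread redacts the real prefixes, so RFC 5737
# documentation ranges are used here.
INSIDE_HOST = "192.0.2.13"      # our SFTP client on the inside interface
NAT_PUBLIC = "203.0.113.60"     # its NATed address on the Internet side
REMOTE = "198.51.100.132"       # the third party's server
PORT = 29052

def normalize(pkt, inside_ip, public_ip):
    """Rewrite the inside address to its NAT address so that the same segment
    seen on both interfaces compares equal."""
    src = public_ip if pkt.src == inside_ip else pkt.src
    dst = public_ip if pkt.dst == inside_ip else pkt.dst
    return pkt._replace(src=src, dst=dst)

def egress_excess(inside, outside, inside_ip, public_ip):
    """Segments seen more often on egress than on ingress. Counter subtraction
    keeps only positive differences (handshake ACK: 7 outside - 1 inside = 6)."""
    inside_counts = Counter(normalize(p, inside_ip, public_ip) for p in inside)
    return Counter(outside) - inside_counts

def report(excess, public_ip):
    """Explain each excess segment from the firewall's point of view."""
    lines = []
    for pkt, n in sorted(excess.items(), key=lambda kv: (kv[0].src, kv[0].flags)):
        if pkt.dst == public_ip:
            verdict = "inbound, never seen inside: dropped by the firewall"
        else:
            verdict = "outbound, no inside origin: not sent by the inside host"
        lines.append(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
                     f"[{pkt.flags}] x{n}: {verdict}")
    return lines

# Constructed sample captures modelled on the symptoms in the thread.
_syn = Pkt(INSIDE_HOST, REMOTE, 40000, PORT, "S", 1000, 0)
_synack = Pkt(REMOTE, INSIDE_HOST, PORT, 40000, "SA", 5000, 1001)
_ack = Pkt(INSIDE_HOST, REMOTE, 40000, PORT, "A", 1001, 5001)
INSIDE_CAP = [_syn, _synack, _ack]            # handshake only, then silence
_n = lambda p: normalize(p, INSIDE_HOST, NAT_PUBLIC)
_rstack = Pkt(REMOTE, NAT_PUBLIC, PORT, 40000, "RA", 5001, 1001)
OUTSIDE_CAP = [_n(_syn), _n(_synack), _n(_ack)] + [_rstack, _n(_ack)] * 6

if __name__ == "__main__":
    for line in report(egress_excess(INSIDE_CAP, OUTSIDE_CAP, INSIDE_HOST, NAT_PUBLIC), NAT_PUBLIC):
        print(line)
```

Segments flagged "dropped by the firewall" are the ones to look for in the `cap asp type asp-drop` buffer suggested above, since that capture records the drop reason the ASA assigned.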