SFTP through Cisco ASA

soliver2005
Level 1

Hi,

We are trying to get SFTP working from a server (x.x.128.13) within our network to another company's server (x.x.114.132), which we connect to via the Internet. From our server the connection hits our ASA firewall, where we have rules in place to allow the connection on a customised port of 29052. The firewall then NATs the source IP of our server to a public IP (x.x.36.60), thus making it routable on the Internet.

We have done some packet captures on our ingress (inside) interface and egress (Internet) interface, and we can see that the 3-way TCP handshake is successful between the two servers, but then all further communication fails.

We see no further packets on our ingress interface, but we do see further packets on the egress side. What we see is a "RST+ACK" from the destination server, but this is never passed on to the server within our network. We also see our ACK packet from the 3-way handshake being sent back to the destination server, but again this only appears in the egress capture and is not being sent by the server. Both of these packets repeat about 6 times, and then we see nothing further.

I have attached the packet capture.

At the far end the 3rd party don't see any of our repeated ACKs, and when the connection works normally through a different infrastructure/firewall we see the 4th packet as a normal packet. The initial payload of this RST+ACK is the same payload we see in the 4th packet when the connection works.

Any help with this would be appreciated.

Regards

Stuart

1 Reply

Julio Carvajal
VIP Alumni

Hello Soliver,

So basically you are using a customized program that will allow you to run SFTP over port 29052? Right?

Either way, it's just a single channel, so there should not be any problem regarding the firewall not being able to identify the data channel (as there is only one for both the control/data communication).

Is there a way you could share those captures in Wireshark?

Also, do the following capture:

cap asp type asp-drop all circular-buffer

Then try to connect and share:

show cap asp | include x.x.114.132

This will show us if the firewall is dropping some traffic based on its code (Accelerated Security Path algorithm).

Regards,

Julio Carvajal


Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
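As an added example (not code from the thread or from Cisco), the script below does the correlation a firewall engineer would do by hand with the two captures the poster describes: it reverses the static source NAT and reports packets seen on the egress interface but never on ingress, which is the RST/ACK and repeated-ACK pattern above. The addresses, ports, timestamps and the 1:1 NAT mapping are constructed placeholders, not the thread's real values.

```python
from collections import Counter, namedtuple

# Packet summary: timestamp, source, source port, destination, destination port,
# TCP flags ("S" SYN, "SA" SYN/ACK, "A" ACK, "RA" RST/ACK).
Pkt = namedtuple("Pkt", "ts src sport dst dport flags")

# Constructed sample data (placeholder addresses, not the thread's real ones).
INSIDE_HOST, PUBLIC_IP, PEER = "10.0.128.13", "203.0.113.60", "198.51.100.132"
NAT = {INSIDE_HOST: PUBLIC_IP}  # assumed static 1:1 source NAT

# Ingress (inside) capture: only the three-way handshake is ever seen.
INSIDE = [
    Pkt(0.000, INSIDE_HOST, 50000, PEER, 29052, "S"),
    Pkt(0.050, PEER, 29052, INSIDE_HOST, 50000, "SA"),
    Pkt(0.051, INSIDE_HOST, 50000, PEER, 29052, "A"),
]
# Egress (outside) capture: same handshake with the translated source, then
# repeated RST/ACKs from the peer and repeated ACKs that never appear inside.
OUTSIDE = [
    Pkt(0.001, PUBLIC_IP, 50000, PEER, 29052, "S"),
    Pkt(0.049, PEER, 29052, PUBLIC_IP, 50000, "SA"),
    Pkt(0.052, PUBLIC_IP, 50000, PEER, 29052, "A"),
    Pkt(0.100, PEER, 29052, PUBLIC_IP, 50000, "RA"),
    Pkt(0.101, PUBLIC_IP, 50000, PEER, 29052, "A"),
    Pkt(1.100, PEER, 29052, PUBLIC_IP, 50000, "RA"),
]

def untranslate(pkt, nat):
    """Map public addresses back to inside addresses so both sides compare."""
    inv = {pub: priv for priv, pub in nat.items()}
    return pkt._replace(src=inv.get(pkt.src, pkt.src), dst=inv.get(pkt.dst, pkt.dst))

def key(pkt):
    """Match on 5-tuple plus flags; timestamps differ per interface."""
    return (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.flags)

def compare_captures(inside, outside, nat):
    """Return (egress_only, ingress_only): how many more times each packet
    key was seen on one interface than on the other.  Counting, rather than
    pairing by timestamp, handles the retransmissions the poster reports."""
    ingress = Counter(key(p) for p in inside)
    egress = Counter(key(untranslate(p, nat)) for p in outside)
    return dict(egress - ingress), dict(ingress - egress)

if __name__ == "__main__":
    egress_only, ingress_only = compare_captures(INSIDE, OUTSIDE, NAT)
    # Egress-only packets are the ones to look for in 'show cap asp'.
    for k in sorted(egress_only):
        print(f"seen on egress only x{egress_only[k]}: {k}")
```

Packets listed as egress-only are the candidates to match against the asp-drop capture above, which gives the actual drop reason instead of a guess.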