config tips for supporting FTP over SSL/TLS?

tim.metzinger
Level 1

We have a host on the INSIDE of our PIX 525 firewall that needs to initiate an FTPS session to a host on the outside, to upload and download files securely.

There are no access-lists on the inside interface, but I assume I'll have to open up one or both ports 989 and 990 for the outside host to be able to respond to the inside host.

Is there a better way to do that besides just opening the ports? (LOL don't suggest SFTP - for some reason the external host won't support it).

I assume that if I open up the ports and they use the implicit mode then leaving the normal FTP fixup in place will be ok.

2 Replies

ehirsel
Level 6

The biggest issue is that the port negotiation will take place over an encrypted session, so the firewall's dynamic-port opening routine will not work for FTPS sessions; thus the normal FTP fixup won't work.

Here's one idea: can you place the Cisco VPN Client code on the inside host, and configure the PIX and client to connect via IPsec? Run the FTPS session over the IPsec session. You will create a new IP pool for the VPN clients (you can have just one IP address or two (for troubleshooting) in the pool). Then on the outside interface, just allow TCP traffic from the FTPS server to the client's IP assigned by the VPN connection. This way, if there are no connected clients, the PIX will drop the traffic.

Let me know if this idea is workable.
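To make the point in the reply above concrete, here is an added example (not code from the thread or from Cisco) that models what the PIX FTP fixup does: it reads the plaintext control channel, pulls the data-channel endpoint out of PORT commands and 227 (PASV) replies, and opens a pinhole for that connection. Once the control channel is inside TLS the fixup sees only ciphertext, finds no PORT or 227, and opens nothing. The FTP dialogues and addresses are constructed for the example; the "encryption" is a SHA-256 keystream XOR standing in for the TLS record layer, not a real cipher. The function names (`fixup_pinholes`, `toy_encrypt`, `inbound_data_connection_decision`) are this example's own.

```python
import hashlib
import re

# Constructed sample control-channel dialogues (client on the inside, server
# outside). Active mode: the client advertises a port with PORT and the server
# connects in to it. Passive mode: the server advertises one in its 227 reply.
ACTIVE_CONTROL = (
    b"USER alice\r\n331 Password required\r\n"
    b"PASS s3cret\r\n230 Logged in\r\n"
    b"PORT 10,1,1,25,4,1\r\n200 PORT command successful\r\n"
    b"RETR report.csv\r\n"
)
PASSIVE_CONTROL = (
    b"USER alice\r\n331 Password required\r\n"
    b"PASS s3cret\r\n230 Logged in\r\n"
    b"PASV\r\n227 Entering Passive Mode (203,0,113,10,195,80)\r\n"
    b"RETR report.csv\r\n"
)

PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
PASV_RE = re.compile(rb"227 [^\r\n(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _endpoint(groups):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and 227 into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def fixup_pinholes(control_bytes):
    """Model of the FTP fixup: scan the control channel and return the
    data-channel pinholes it would open, as (direction, ip, port) tuples.
    'inbound' means the outside server is expected to connect to that client
    endpoint (active mode); 'outbound' means the inside client will connect
    out to that server endpoint (passive mode). A real fixup would also
    rewrite the private address inside PORT for NAT, which is equally
    impossible once the command is encrypted."""
    holes = []
    for m in PORT_RE.finditer(control_bytes):
        ip, port = _endpoint(m.groups())
        holes.append(("inbound", ip, port))
    for m in PASV_RE.finditer(control_bytes):
        ip, port = _endpoint(m.groups())
        holes.append(("outbound", ip, port))
    return holes


def toy_encrypt(data, key):
    """Stand-in for the TLS record layer: XOR with a SHA-256 keystream.
    Not a real cipher (assumption for this example); it only shows that
    nothing FTP-shaped is left for a middlebox to parse."""
    stream = b"".join(
        hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        for i in range(len(data) // 32 + 1)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


def inbound_data_connection_decision(control_bytes, client_ip, client_port):
    """Would the firewall accept the server's active-mode data connection to
    client_ip:client_port, given what it could read on the control channel?"""
    if ("inbound", client_ip, client_port) in fixup_pinholes(control_bytes):
        return "permitted by fixup pinhole"
    return "dropped (no pinhole; needs a static permit or a VPN)"


if __name__ == "__main__":
    key = b"session-key"  # constructed; stands in for the negotiated TLS keys
    print(fixup_pinholes(ACTIVE_CONTROL))
    print(fixup_pinholes(PASSIVE_CONTROL))
    print(fixup_pinholes(toy_encrypt(ACTIVE_CONTROL, key)))
    print(inbound_data_connection_decision(ACTIVE_CONTROL, "10.1.1.25", 1025))
    print(inbound_data_connection_decision(
        toy_encrypt(ACTIVE_CONTROL, key), "10.1.1.25", 1025))
```

Two practical consequences follow from the model. In active mode the server's inbound data connection is what needs the pinhole, so with FTPS it is dropped unless something static permits it or, as suggested above, the client's address is only reachable through a VPN. In passive mode the data connection is outbound from the inside host to a port the server chose, which a PIX with no ACL on the inside interface permits anyway; the fixup's loss there is mostly the inability to track the data connection as part of the FTP session rather than a hard block.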

mostiguy
Level 6

There is no real standard for encrypted FTP. If the product you are using requires dynamic ports, you are toast, and will need to use a VPN.