FTPS and SFTP are among the most common problems we face today with the ASA firewall, running practically any version. The root of the issue is that in SFTP (FTP over SSH) both the control and data channels are encrypted and carried over port 22, while in FTPS (FTP over SSL) port 990 is used for the control channel (whose contents are encrypted) and the data channel goes in plain text.
The ASA firewall has trouble handling this type of connection. Normally, when regular FTP is used, the ASA sees the payload on the FTP control channel and does the proper NAT translations when passive mode is used; when active mode is used, it sees the IP addresses and lets the data connection be established.
On the other hand, since with the secure methods (FTPS and SFTP) the control channel is encrypted, the ASA has no way to determine the ports being used.
FTP server working in active mode, located on the inside, with the clients on the outside. In this scenario, the host on the outside makes a connection on port 990 to the inside. If the FTP server has a static one-to-one NAT, everything works fine; if the server has a port forward, you need to make sure it is the same IP address the server uses to make outbound connections to the internet. Here is why:
Once the control channel has been established (990/22), the server in active mode sets up the data channel (normally on port 20). Besides telling the client that the port is 20, it sends a SYN packet to the client on that port. If the SYN on port 20 reaches the client from a different IP, the connection is never completed: all you will see is SYN requests, and the FTP session will hang.
Bottom line: make sure the IP address the FTP server uses is the same for outbound and inbound FTP connections.
Client on the inside and server on the outside, with the server in passive mode.
Same thing: the client initiates the connection on port 990/22, the server agrees and waits for the client to issue the port command. The client then initiates the connection to the outside world on that n+1 port to the server, and everything works fine.
This may sound a little complicated, but what you need to understand is that the firewall cannot open the data channel because the control channel is encrypted. Make sure the data channel is seen by the firewall as a regular connection.
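The following ASA configuration is an added example for the first scenario above (FTPS server on the inside, clients on the outside); it is not from the original article or from Cisco. It assumes ASA 8.3-or-later NAT syntax, an inside server at the constructed address 192.168.1.10, a constructed public address 203.0.113.10, and that the server has been configured to use the passive data-port range 50000-50100 (an assumed range; the real one comes from the FTP server's own settings). The point it demonstrates is the article's two requirements: one static one-to-one translation so the server's inbound and outbound connections share the same public IP, and explicit permits for the data-channel ports, because with an encrypted control channel the ASA cannot open those pinholes itself.

```cisco
! Added example, not part of the original article (constructed addresses, RFC 5737 ranges)
!
! Internal FTPS server (real address)
object network FTPS-SERVER
 host 192.168.1.10
 description Internal FTPS server, constructed address
!
! Static one-to-one NAT. The same public address is used for:
!  - inbound control connections from clients (port 990)
!  - inbound passive-mode data connections
!  - the server's own outbound connections (active-mode data from port 20)
! so the client never sees the data channel arrive from a different IP.
object network FTPS-SERVER
 nat (inside,outside) static 203.0.113.10
!
! The control channel is encrypted, so "inspect ftp" cannot read the
! PASV reply and open the data pinhole. The data-port range (assumed
! 50000-50100, must match the server configuration) is therefore permitted
! explicitly, so the firewall treats each data connection as a regular
! TCP session.
access-list OUTSIDE-IN extended permit tcp any object FTPS-SERVER eq 990
access-list OUTSIDE-IN extended permit tcp any object FTPS-SERVER range 50000 50100
access-group OUTSIDE-IN in interface outside
```

Because the ASA cannot rewrite addresses inside the encrypted control channel, the server itself must advertise the translated public address (203.0.113.10 in this example) in its passive-mode replies rather than its private address; with a plain one-to-one static translation and the data range permitted as above, the firewall has nothing left to derive from the payload.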