cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

ASA SFTP AND FTPS

25384
Views
25
Helpful
3
Comments

Introduction to Concepts:

FTPS and SFTP are one of the most common problems that we face today with the ASA firewall running, practically, any version. The most common issue is that in SFTP (FTP over SSH), both control and data channel are encrypted using port 22, on FTPS (FTP over SSL) it uses port 990 for the control channel (this information is encrypted) and the data channel goes on plain text.

The ASA firewall has issues in regards of handling this type of connections. Normally when regular FTP is used, the ASA sees the payload on the FTP control channel and does the proper NAT translations when  using passive mode, when using active, he sees the IP addresses and let the data connection to be established.

On the other hand, since on the secure methods (FTPS and SFTP), the control channel is encrypted, the ASA has not way to determine the ports being used .

Scenarios 

Scenario 1

FTP server working on Active mode, located on the inside and the clients on the outside. In this scenario, the host on the outside would make a connection on port 990 to the inside, if the FTP server has an static one to one, everything is going to work fine, if the server has a port forwarding, you need to make sure that is the same IP address that it uses to make outbound connection to the internet, here is why:

Once the control channel has been established (990/22), the server on active mode is going to set the data channel (normally on port 20). Besides telling the client that the port is 20, he will send a SYN packet to the client on that port. If the SYN on port 20 gets to the client with a different IP, the connection is never going to be completed, what you are going to see is only SYN requests and the ftp session will hang.

Bottom line, make sure that the IP that ftp server uses is the same for outbound and inbound ftp connections.

Scenario 2

Client on the inside and server on the outside, Server on Passive mode.

Same thing, client initiates the connection on port 990/22, the server agrees and waits for the client to set the port command. Client initiates the connection to the outside world in that n+1 port to the server and everything is going to work fine.

This may sound a little bit complicated, what you need to understand is that the firewall cannot open the Data channel because the Control channel is encrypted. Make sure that the data channel is seeing by the firewall as a regular connection.

Comments

.

Enthusiast

Maykol,

Can you provide some config examples for ASA's?  TAC told me no to both SFTP and FTPS in the past but this seems to indicate it may be possible given the right situation.

Cisco Employee

Hello Brian,

Thats the Idea, the firewall will need just a regular translation to get to the server. The fact that the protocol does/does not work depends on the type of FTP request the client is doing.

If the request is on passive and the server is on the Inside, then that connection is not going to work because, as you may already know the client will initiate the connection. This port being used on that connection is random, and since the connection on the FTP session was done encrypted, the ASA has no idea whats the port (thats the main idea) Now, using the same server and client, but trying to do the connection using Active FTP will work, why? Because the server will initiate both connections and since the traffic from inside to outside is allowed, the packets will flow through with no problems.

Let me know if you need anything.

Mike Rojas