Ironport S170 (7.5.0): native FTP proxy without WSA-authentication

grischast
Level 1

Hi

I am currently testing the ftp proxy feature on our newly deployed WSA.

The WSA is in explicit forward mode only and we do not want to use any user authentication on the WSA at all.

No matter what I choose for "Authentication Format" in the ftp proxy configuration (raptor or check point), I am completely unable to establish an ftp connection via the WSA.

E.g. when I try a simple file transfer from a Cisco device:

copy ftp://anonymous@FTP-SERVER-ADDRESS:foo@bar.foo@WSA-ADDRESS/test.txt flash:

I always find in the WSA log

User anonymous@FTP-SERVER-ADDRESS login FAILED

It looks like the WSA always wants to authenticate the connection to the WSA itself first.

So please, how does one use this ftp proxy feature correctly without any authentication by the WSA?

Regards,

Grischa

4 Replies

kussriva
Level 1

Hi,

You need to make sure you have the correct config on the FTP server as well as on the WSA.

Please go through the following info:

If you are using FileZilla, the exact FileZilla configuration will differ depending on the
authentication configured for the FTP proxy on the WSA. The FTP Proxy config on the WSA can be found
at 'Security Services' -> 'FTP Proxy Settings' ->
'Authentication Format'.

From within FileZilla, go to 'Edit' -> 'Settings' -> 'FTP' -> 'FTP
Proxy'. Click on 'Custom' to enable native ftp proxy.

Use the following settings for different types of authentication:

Native FTP FileZilla configuration for "Check Point" authentication

USER %u@%s@%h
PASS %p@%w <>

Native FTP FileZilla configuration for "Raptor" authentication

USER %u@%h %s
PASS %p
ACCT %w

Native FTP FileZilla configuration without authentication and using Raptor authentication

USER %u@%h <> %u
PASS %p
ACCT %p

Native FTP FileZilla configuration without authentication

USER %u@%h <>
PASS %p

So please make sure you have the correct config on the WSA as well as the FTP server.

For more information, you can go to

http://www.cisco.com/en/US/docs/security/wsa/wsa7.5/user_guide/WSA_7.5.0_UserGuide.pdf and check the section "Working with FTP Connections".

For further assistance on pre-production issues, you can open a case at http://www.cisco.com/web/partners/tools/pdihd.html

Regards,

Kush

Cisco PDI Help Desk

http://www.cisco.com/go/pdihelpdesk

Dear Kush

I am sorry but your reply (thanks for that) is not really helpful here.

First I was not focussing on a special client like FileZilla.

I want to know how to get a native FTP transfer through the WSA as an FTP proxy.

My simplest example is an ftp transfer from a Cisco device, which can just use

copy ftp://user:pass@host/path

Here one would need to encode the actual destination host within the "user:pass" section since host would be the WSA in this case.

The same problem holds for simple ftp-calls from within arbitrary scripts.

Actually with a full featured client like FileZilla there is no big problem since one can easily use a SOCKS proxy for that.

So my original question is still open. Once I can get an ftp transfer from a Cisco command line through the WSA, I will consider this problem solved. So any hints are still appreciated.

Regards,

Grischa

Hi,

I apologize I misunderstood the question earlier.

Anonymous login to WSA through FTP (or any other protocol) is not supported. If you do not have authentication on, you would have to use a local username/password created on the WSA.

Regards,

Kush

Dear Kush

I am sorry to say that but it simply does not work.

Let me explain the following example:

Local guest user on WSA: user FOO, pass FOOBAR (i.e. proxy_user=FOO, proxy_pass=FOOBAR)

ip address of the wsa: 10.0.0.1

ftp proxy port of wsa: 8021

public ftp server with anonymous login: 192.168.0.1, (i.e. ftp_user=anonymous, ftp_pass=bla@bla.bla, remote_host=192.168.0.1)

Now, WITHOUT the proxy you would download a file from the ftp server to a cisco device simply with

copy ftp://anonymous:bla@bla.bla@192.168.0.1/filename flash:

(this works like a charm!)

With the WSA ftp proxy configured for check point authentication I assume that the corresponding file transfer must be done by

copy ftp://anonymous@FOO@192.168.0.1:bla@bla.bla@FOOBAR@10.0.0.1:8021/filename flash:

This looks complicated but

anonymous@FOO@192.168.0.1 = ftp_user@proxy_user@remote_host

bla@bla.bla@FOOBAR = ftp_pass@proxy_pass

which is exactly what is needed for the check point authentication as described in the

WSA_7.5.0_UserGuide.pdf page 6-7.

So actually I would expect this to work, but the authentication at the WSA fails and its ftpd log simply states

User anonymous@FOO@192.168.0.1 login FAILED

So please, how do I use the ftp proxy correctly? Please keep in mind that there is no network authentication enabled on the wsa, we can set up only local users here.

(And by the way I have absolutely no idea how the ftp transfer would be done with the wsa configured for raptor authentication. Usually the simple ftp clients all use user:pass authentication. I have never seen an additional "account" field here.)

Regards,

Grischa
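The following is an added example, not code from Cisco, FileZilla or any poster in this thread. It takes the FileZilla login templates from Kush's first reply and the component mapping from Grischa's last post (%u/%p = user and password on the remote FTP server, %h = remote FTP host, %s/%w = the proxy user and password on the WSA; the "<>" marks in the posted templates are not reproduced) and shows, for the constructed values FOO/FOOBAR, 192.168.0.1 and 10.0.0.1:8021, what a client actually sends to the proxy for each "Authentication Format" and how those strings fold into the ftp://user:pass@host:port/path form used by a plain copy command. The URL parser is Python's urllib, which takes the last '@' as the end of the userinfo and the first ':' inside it as the user/password separator; a client that splits at the first '@' would recover different fields from the same URL, which is the ambiguity a password containing '@' introduces. The function names and the generic ftplib login helper are this example's own.

```python
"""Compose and parse native-FTP proxy logins for the authentication formats
discussed in this thread.

Added example; not Cisco WSA or FileZilla code.  Placeholder meanings follow
the FileZilla templates posted above and the mapping in the last post:
%u/%p = user/password on the remote FTP server, %h = remote FTP host,
%s/%w = proxy (WSA) user/password.
"""
import ftplib
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Login sequences as posted for the WSA "Authentication Format" choices.
TEMPLATES: Dict[str, List[Tuple[str, str]]] = {
    "checkpoint": [("USER", "%u@%s@%h"), ("PASS", "%p@%w")],
    "raptor":     [("USER", "%u@%h %s"), ("PASS", "%p"), ("ACCT", "%w")],
    "none":       [("USER", "%u@%h"), ("PASS", "%p")],
}

_PLACEHOLDER = re.compile(r"%([uphsw%])")


def expand(template: str, values: Dict[str, str]) -> str:
    """Substitute %u %p %h %s %w; '%%' yields a literal percent sign."""
    def _sub(m: "re.Match[str]") -> str:
        key = m.group(1)
        if key == "%":
            return "%"
        if not values.get(key):
            raise KeyError(f"template needs a value for %{key}")
        return values[key]
    return _PLACEHOLDER.sub(_sub, template)


def proxy_login_commands(fmt: str, ftp_user: str, ftp_pass: str,
                         remote_host: str, proxy_user: str = "",
                         proxy_pass: str = "") -> List[Tuple[str, str]]:
    """Return the (verb, argument) pairs a client sends to the proxy."""
    values = {"u": ftp_user, "p": ftp_pass, "h": remote_host,
              "s": proxy_user, "w": proxy_pass}
    return [(verb, expand(arg, values)) for verb, arg in TEMPLATES[fmt]]


def copy_url(commands: List[Tuple[str, str]], proxy_host: str,
             proxy_port: int, path: str) -> str:
    """Fold a USER/PASS pair into the ftp://user:pass@host:port/path form
    used by 'copy'.  Raptor's extra ACCT step has no place in this form."""
    fields = dict(commands)
    if "ACCT" in fields:
        raise ValueError("URL form cannot carry an ACCT step")
    return f"ftp://{fields['USER']}:{fields['PASS']}@{proxy_host}:{proxy_port}{path}"


def parse_copy_url(url: str) -> Dict[str, object]:
    """Split an ftp:// URL the way urllib does: the LAST '@' ends the
    userinfo and the FIRST ':' inside it separates user from password.
    A client that splits at the first '@' would get different fields."""
    parts = urlsplit(url)
    return {"user": parts.username, "password": parts.password,
            "host": parts.hostname, "port": parts.port, "path": parts.path}


def login_via_proxy(proxy_host: str, proxy_port: int,
                    commands: List[Tuple[str, str]],
                    timeout: float = 10.0) -> ftplib.FTP:
    """Open the control connection to the proxy and send the sequence.
    ftplib raises error_perm on a 5xx reply, e.g. a failed login.
    Network call; not exercised by the offline checks."""
    ftp = ftplib.FTP()
    ftp.connect(proxy_host, proxy_port, timeout=timeout)
    for verb, arg in commands:
        ftp.sendcmd(f"{verb} {arg}")
    return ftp


if __name__ == "__main__":
    # Constructed values matching the example in the last post.
    creds = dict(ftp_user="anonymous", ftp_pass="bla@bla.bla",
                 remote_host="192.168.0.1", proxy_user="FOO",
                 proxy_pass="FOOBAR")
    for fmt in TEMPLATES:
        print(fmt, proxy_login_commands(fmt, **creds))
    cp = proxy_login_commands("checkpoint", **creds)
    print(copy_url(cp, "10.0.0.1", 8021, "/filename"))
    print(parse_copy_url(copy_url(cp, "10.0.0.1", 8021, "/filename")))
```

For the Check Point format the generated USER/PASS strings are exactly the ones derived in the last post, and urllib splits the resulting URL back into those same two fields with 10.0.0.1:8021 as the host. For Raptor the ACCT step cannot be expressed in the URL form at all, which matches the observation that user:pass-only clients have nowhere to put an "account" value.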