sftp using ssh and pix 515

here is what i have done so far i have a client that wants to send us an xml feed via sftp over ssh port 22.

I installed  sftp server software on my windows 2003 server that sits in the dmz of my network.  That server has 4 internal ip's.  I created an A record for my sftp hostname.  
I created the following rules.
permit outside in any tcp to dmz 30.30.30.73 ssh
created a static translation for the internal 30.30.30.73 to my public a record for the sftp hostname
nothing working so far.

Okay... the access-list should list the public IP address and not the internal IP address as it gets processed before NAT.

so my rule should be

permit outside in any tcp to dmz public ip ssh?

Exactly.

when i put the rule in correct me if im wrong, but will with the public ip will i need to use all 255's in the subnet mask?

If you're just forwarding the single address, then 255.255.255.255 is the correct mask for the static statement.

my pix ask if i want to add the host/network.  
I say yes and it ask about a static route?  it says the following:  The pix does not know how to route packets for this host/network.  Please specify the next hop gateway.  If your pix relies on a dynamic routing protocol like RIP to learn routing for this host/netowrk, please leave the following option unchecked and go to the next page.  Im not sure what i do for this?

It sounds like your configuration is a bit incomplete if the PIX doesn't know about its own IP address ranges.  Can you post a scrubbed copy (no usernames, passwords or other sensitive data) of your configuration and the version of the PIX software you're running?

yes give me about 30 minutes to an hour and i will post it.

pix version 6.3(3)

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 30.30.30.50 fyitv06
name 30.30.30.51 fyitv06-1
name 30.30.30.52 fyitv
name 30.30.30.54 fyitv06-2
name 30.30.30.55 fyitv02
name 30.30.30.56 fyitv-2
name 30.30.30.57 fyitv-3
name 30.30.30.60 fyitv-1
name 30.30.30.65 fyitv06-3
name 30.30.30.70 fyitv07
name 30.30.30.75 fyitv08
name 30.30.30.85 fyicorp
name 30.30.30.80 fyi_ftp
name 30.30.30.71 fyiclient
name 30.30.30.96 fyi-orb2
name 30.30.30.72 vzftp
name 30.30.30.151 EGS_FTP
name 30.30.30.150 EGS_CORP
name 64.18.0.0 Postini
name 166.130.113.228 mmasse
access-list 101 permit ip 10.0.2.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 110 permit ip 10.0.2.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outsidein permit tcp any host 70.85.6.39 eq www
access-list outsidein permit tcp any host 70.85.6.38 eq ftp
access-list outsidein permit tcp any host 70.85.6.39 eq smtp
access-list outsidein permit tcp any host 70.85.6.39 eq pop3
access-list outsidein permit tcp any host 70.85.6.41 eq www
access-list outsidein permit tcp any host 70.85.6.42 eq www
access-list outsidein permit icmp any any
access-list outsidein permit tcp any host 70.85.6.45 eq https
access-list outsidein permit tcp any host 70.85.6.46 eq www
access-list outsidein permit tcp any host 70.85.6.41 eq 8000
access-list outsidein permit tcp any host 70.85.6.43 eq www
access-list outsidein permit tcp any host 70.85.6.43 eq pop3
access-list outsidein permit tcp any host 70.85.6.43 eq 8383
access-list outsidein permit tcp any host 70.85.6.43 eq ldap
access-list outsidein permit tcp any host 70.85.6.40 eq ftp
access-list outsidein permit tcp any host 67.18.70.224 eq www
access-list outsidein permit tcp any host 67.18.70.225 eq www
access-list outsidein permit tcp any host 67.18.70.226 eq www
access-list outsidein permit tcp any host 67.18.70.227 eq ftp
access-list outsidein permit tcp any host 69.93.108.104 eq www
access-list outsidein remark EGS_CORP/
access-list outsidein permit tcp any host 69.93.108.104 eq smtp
access-list outsidein remark EGS_CORP/
access-list outsidein permit tcp any host 69.93.108.104 eq pop3
access-list outsidein remark EGS_CORP/
access-list outsidein permit tcp any host 69.93.108.104 eq 8383
access-list outsidein remark EGS_CORP/
access-list outsidein permit tcp any host 69.93.108.104 eq ldap
access-list outsidein remark EGS_FTP
access-list outsidein permit tcp any host 69.93.108.105 eq ftp
access-list outsidein permit tcp any host 69.93.108.106 eq www
access-list outsidein permit tcp host 69.199.30.18 host 70.85.6.43 eq smtp
access-list outsidein permit tcp host 166.130.112.127 host 70.85.6.43 eq smtp
access-list outsidein permit tcp Postini 255.255.240.0 host 70.85.6.43 eq smtp
access-list outsidein permit tcp host mmasse host 70.85.6.43 eq smtp
access-list outsidein remark SFTP
access-list outsidein permit tcp any host 67.18.70.228 eq ssh
access-list outsidein permit tcp any host 67.18.70.228 eq ftp
access-list outsidein remark FTPSSL
access-list outsidein permit tcp any host 67.18.70.228 eq 990
access-list outsidein permit tcp any host 67.18.70.228 range 5000 5100
access-list fromDMZ permit icmp any any
access-list fromDMZ permit tcp host fyitv06 10.0.2.0 255.255.255.0 eq 1433
access-list fromDMZ permit udp host fyitv06 10.0.2.0 255.255.255.0 eq 1434
access-list fromDMZ permit tcp 30.30.30.0 255.255.255.0 any eq www
access-list fromDMZ permit tcp 30.30.30.0 255.255.255.0 any eq domain
access-list fromDMZ permit udp 30.30.30.0 255.255.255.0 any eq domain
access-list fromDMZ permit tcp 30.30.30.0 255.255.255.0 any eq smtp
access-list fromDMZ permit tcp host fyitv06-2 10.0.2.0 255.255.255.0 eq 1433
access-list fromDMZ permit udp host fyitv06-2 10.0.2.0 255.255.255.0 eq 1434
access-list fromDMZ permit tcp host fyitv-2 10.0.2.0 255.255.255.0 eq 1433
access-list fromDMZ permit udp host fyitv-2 10.0.2.0 255.255.255.0 eq 1434
access-list fromDMZ permit tcp host fyitv-3 10.0.2.0 255.255.255.0 eq 1433
access-list fromDMZ permit udp host fyitv-3 10.0.2.0 255.255.255.0 eq 1434
access-list fromDMZ permit tcp 30.30.30.0 255.255.255.0 any eq ftp
access-list fromDMZ permit tcp host fyitv07 10.0.2.0 255.255.255.0 eq 1433
access-list fromDMZ permit udp host fyitv07 10.0.2.0 255.255.255.0 eq 1434
access-list fromDMZ permit tcp host fyiclient 10.0.2.0 255.255.255.0 eq 1433
access-list fromDMZ permit udp host fyiclient 10.0.2.0 255.255.255.0 eq 1434
access-list fromDMZ permit tcp host fyi-orb2 10.0.2.0 255.255.255.0 eq 1433
access-list fromDMZ permit udp host fyi-orb2 10.0.2.0 255.255.255.0 eq 1434
access-list capture permit ip host fyitv06-3 host 72.16.229.91
access-list capture permit ip host 72.16.229.91 host fyitv06-3
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 70.85.6.36 255.255.255.240
ip address inside 10.0.2.1 255.255.255.0
ip address dmz 30.30.30.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.2.1-192.168.2.50
pdm location 10.0.5.0 255.255.255.128 outside
pdm location 192.168.2.0 255.255.255.0 outside
pdm location 192.168.5.0 255.255.255.0 outside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.2.0 255.255.255.192 outside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 10.0.2.17 255.255.255.255 inside
pdm location fyitv06 255.255.255.255 dmz
pdm location 30.30.30.0 255.255.255.0 inside
pdm location 10.0.2.11 255.255.255.255 inside
pdm location fyitv06-1 255.255.255.255 dmz
pdm location 70.85.6.37 255.255.255.255 outside
pdm location fyitv 255.255.255.255 dmz
pdm location 30.30.30.53 255.255.255.255 dmz
pdm location fyitv06-2 255.255.255.255 dmz
pdm location fyitv02 255.255.255.255 dmz
pdm location fyitv-2 255.255.255.255 dmz
pdm location fyitv-3 255.255.255.255 dmz
pdm location 65.115.138.0 255.255.255.0 outside
pdm location 65.115.138.0 255.255.255.224 outside
pdm location 69.15.64.59 255.255.255.255 outside
pdm location 66.207.120.227 255.255.255.255 outside
pdm location fyitv06-3 255.255.255.255 dmz
pdm location fyitv07 255.255.255.255 dmz
pdm location fyi_ftp 255.255.255.255 dmz
pdm location fyitv08 255.255.255.255 dmz
pdm location fyicorp 255.255.255.255 dmz
pdm location 30.30.30.82 255.255.255.255 dmz
pdm location fyiclient 255.255.255.255 dmz
pdm location 30.30.30.91 255.255.255.255 dmz
pdm location 30.30.30.95 255.255.255.255 dmz
pdm location fyi-orb2 255.255.255.255 dmz
pdm location 30.30.30.97 255.255.255.255 dmz
pdm location xxxxx 255.255.255.255 dmz
pdm location EGS_CORP 255.255.255.255 dmz
pdm location EGS_FTP 255.255.255.255 dmz
pdm location 30.30.30.152 255.255.255.255 dmz
pdm location Postini 255.255.240.0 outside
pdm location 72.16.229.91 255.255.255.255 outside
pdm location 166.130.112.127 255.255.255.255 outside
pdm location mmasse 255.255.255.255 outside
pdm location 69.199.30.18 255.255.255.255 outside
pdm location 30.30.30.73 255.255.255.255 dmz
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 70.85.6.37
nat (inside) 0 access-list 101
nat (inside) 10 10.0.2.0 255.255.255.0 0 0
static (inside,dmz) 10.0.2.0 10.0.2.0 netmask 255.255.255.0 0 0
static (dmz,outside) 70.85.6.39 fyitv06 netmask 255.255.255.255 0 0
static (dmz,outside) 70.85.6.38 fyitv06-1 netmask 255.255.255.255 0 0
static (dmz,outside) 70.85.6.42 fyitv06-2 netmask 255.255.255.255 0 0
static (dmz,outside) 70.85.6.45 fyitv06-3 netmask 255.255.255.255 0 0
static (dmz,outside) 70.85.6.46 fyitv07 netmask 255.255.255.255 0 0
static (dmz,outside) 70.85.6.41 fyitv-3 netmask 255.255.255.255 0 0
static (dmz,outside) 70.85.6.43 fyicorp dns netmask 255.255.255.255 0 0
static (dmz,outside) 70.85.6.40 fyi_ftp dns netmask 255.255.255.255 0 0
static (dmz,outside) 67.18.70.224 fyiclient dns netmask 255.255.255.255 0 0
static (dmz,outside) 67.18.70.225 fyi-orb2 dns netmask 255.255.255.255 0 0
static (dmz,outside) 67.18.70.226 30.30.30.97 dns netmask 255.255.255.255 0 0
static (dmz,outside) 67.18.70.227 xxxxx dns netmask 255.255.255.255 0 0
static (dmz,outside) 69.93.108.105 EGS_FTP dns netmask 255.255.255.255 0 0
static (dmz,outside) 69.93.108.104 EGS_CORP dns netmask 255.255.255.255 0 0
static (dmz,outside) 69.93.108.106 30.30.30.152 dns netmask 255.255.255.255 0 0
static (dmz,outside) 67.18.70.228 30.30.30.73 dns netmask 255.255.255.255 0 0
access-group outsidein in interface outside
access-group fromDMZ in interface dmz
route outside 0.0.0.0 0.0.0.0 70.85.6.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp keepalive 60 60
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup FYI address-pool vpnpool
vpngroup FYI dns-server 10.0.2.1
vpngroup FYI split-tunnel 110
vpngroup FYI idle-time 1800

vpngroup VPN_GROUP_NAME split-tunnel 110
vpngroup VPN_GROUP_NAME idle-time 1800
telnet 10.0.2.17 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.2.10-10.0.2.100 inside
dhcpd dns 10.0.2.1 216.234.234.30
dhcpd lease 3600
dhcpd ping_timeout 750

Try this on for size:

access-list fromDMZ permit tcp host 30.30.30.73 eq ssh any

Your NAT is full IP NAT, so there's no problem there.  Your outsidein access list is permitting the inbound SSH/SFTP traffic, so that's all good.  Your fromDMZ access list isn't permitting reply traffic to return though.  The above access list entry should correct that for you.

so should my rule be this?

what does the rule look like from the source host/network to the destination host network?

is it    permit source dmz 30.30.30.73 ssh to destination source outside interface 0.0.0.0 mask 0.0.0.0 any

You're permitting traffic to enter the DMZ interface sourced from 30.30.30.73 port 22/tcp to any external IP address on any port.  I'm not sure what you're referring to when you're talking about rules outside of the context of the access list.

forgive me as the firewall is not my specialty but in the gui of the pix im permitting the access from the source network which is the dmz from 30.30.30.73 on tcp port 22 to the destination source.  The destination source should be the outside interface?  or Inside or DMZ  I guess that is what im asking kind of like reversing the orignal permit rule right?  Or i could be a bit confused?  Sorry.  I really appricate you sticking with me on this throughout the day.

Okay, I'm clued in now.  I haven't touched a PIX GUI in a number of years, so I don't really have a point of reference there.  Essentially, you're allowing replies to the traffic to travel from the DMZ to the outside, so you're permitting based on the source address rather than the destination.  So, taking a guess at the terminology that the GUI is using, your initial source will be 30.30.30.73 22/tcp and your destination source will be any address and port on the outside interface...  so that covers it.

i put the rule in and tried to connect to using winscp with no luck

If you do a "netstat -an" on the Windows machine at 30.30.30.73, do you get the following anywhere in the output?

Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:22             0.0.0.0:0              LISTENING

                                              

1:
2:

yeah i do see that when i run the command

i do get an network error that says connection refused

Are you able to connect to 22/tcp on 30.30.30.73 from another machine on the DMZ?

The interesting thing that we're seeing here is that the PIX is configured to drop any traffic that doesn't meet its admission requirements.  So, if we opens up a port that is not permitted by the PIX (28/tcp, for example) then the PIX drops it with no notification to the client, producing an effect like the following:

$ telnet 67.18.70.228 28
Trying 67.18.70.228...
(which eventually times out)

If we try connecting to the SSH port (22/tcp) which *has* been permitted by the PIX, then we get this:

$ telnet 67.18.70.228 22
Trying 67.18.70.228...
telnet: connect to address 67.18.70.228: Connection refused
telnet: Unable to connect to remote host

In this situation *something* along the way has sent a TCP RST back to the client.  The PIX isn't configured to do this, so the best assumption is that it's reaching the Windows machine at 30.30.30.73 and the Windows box is closing the session.  Is there a separate separate firewall running on the Windows box?  Is the SFTP server configured to only permit connections from certain IP addresses?

I think we're getting close to getting to the bottom of the problem, but I'm inclined to think that we need to look beyond the PIX at this point.

i will be going to the office in just a bit to work on this.  what is funny is that i have port 21 open to the ip and when i try and use that port it fails as well.

no there is no other firewall im using sysax sftp server software on the windows 2003 server

When you get to the office, let me know if you can connect to 21/tcp and 22/tcp from another host on the DMZ.  This is looking pretty strange.

ok im setup working from home for the time being so we can test a few things.  

ok so from another  dmz server i can telnet to 30.30.30.73 port 22 and it responds with ssh 2.0 sysaxssh 1.0

if i try port 21 it responds from filezilla server which i have also setup as i was testing various clients and configurations.  I read that filezilla did not support sftp ssh so i installed sysax server

Personally, I use FreeFTPd...  which supports both.

Okay, let's compare a working set of DMZ entries with what we have.  Your POP3 service is working just fine:

name 30.30.30.150 EGS_CORP
access-list outsidein permit tcp any host 69.93.108.104 eq pop3
static (dmz,outside) 69.93.108.104 EGS_CORP dns netmask 255.255.255.255 0 0

If I telnet to 69.93.108.104 on 110/tcp, the POP3 server answers perfectly.

Now we look at the DMZ entry for FTP/SFTP and here's what we have:

access-list outsidein permit tcp any host 67.18.70.228 eq ssh
access-list outsidein permit tcp any host 67.18.70.228 eq ftp
static (dmz,outside) 67.18.70.228 30.30.30.73 dns netmask 255.255.255.255 0 0

Other than the aliasing, the configurations are identical.  When I attempt to connect via telnet to 21/tcp, it completes the connection but immediately closes it again.  When I attempt to connect via telnet to 22/tcp, it actively refuses the connection.

Are you sure you don't have any sort of software firewall running on Windows or IP restrictions on FileZilla and the SSH server?

i have on the software sysax the server listing on 30.30.30.73 only, i also have 30.30.30.73 set and turned on for PASV transfers.

I ran a TCP stack fingerprint on 67.18.70.228 22/tcp and it claims that the device responding is Microsoft Windows Server 2003 SP1, so it's definitely the Windows server that's refusing connections and not the PIX.

ok i looked and the servers firewall is off

Wait a minute...  PASV transfers?  SFTP doesn't have a concept of active and passive transfers.  Are you sure that's not an FTPS server?

i turned them off just in case just now

I just took a look at the Sysax product description.  Are you running the free version?  If so, that's going to limit our troubleshooting as it only allows a single connection and will drop me if you're connected as well.  Just as a test, let's turn off Sysax and give FreeFTPd a try.  I know it allows multiple connections and is a simple setup.

ok downloaded freeftpd do you want to walk me through the settings for freeftpd

Default settings should be fine for testing.

it wants me generate a certificate before i can start the server

That's fine.  Normal for SSH-related protocols.

ok created key and the sftp server is running

Running on port 22/tcp?

yes listing on 30.30.30.73 port 22

Okay, it's not application-related.  Windows is still refusing the connection at the stack level.

not what else i can do with the server to sllow the connection as windows firewalll is off.

Now we're starting to get a bit out of my realm.  I specialize in the Cisco hardware, but we only have one Windows machine here and it's only used for occasional testing.  My Windows troubleshooting skills are beyond rusty.

Taking a slightly different tack, are you able to connect to the Internet from the 30.30.30.73 server?  If so, what IP does it register as?  Try http://www.whatismyip.com as a test.

Interesting note.  If I connect to 67.18.70.227 on 21/tcp instead of 67.18.70.228, I get the following:

220 Hello, I'm freeFTPd 1.0

Are you using freeFTPd elsewhere or have we got a possible mixup in destinations?

70.85.6.46

let me look at my netsolutions dns information .

I also turned it on for port 21 while i was setting up freeftp just in case

67.18.70.228 is the right one as i have the 67.18.70.227 setup and working for another client

Okay... is that on the same box or are you using FreeFTPd on a different machine?

should be same box however  227 should not be in use as iis is disabled on the server there is now ftp server running on that server as we speak.  Do you know how many ips you can set on the nic at a time?  Could that be the problem?

sorry i had the freeftp server listing on all ip's that is why you got that response.  I had that for the port 21 and 22.  

I don't know if there's a limit on how many IPs you can have on the NIC, but the interesting thing is that this works:

access-list outsidein permit tcp any host 67.18.70.227 eq ftp
static (dmz,outside) 67.18.70.227 x.x.x.x dns netmask 255.255.255.255 0 0

But this doesn't:

access-list outsidein permit tcp any host 67.18.70.228 eq ftp
static (dmz,outside) 67.18.70.228 30.30.30.73 dns netmask 255.255.255.255 0 0

There wouldn't be another machine using 30.30.30.73 on the DMZ, would there?  Also, can you check to see that all of the IPs on that NIC are using the correct subnet masks?  I know I'm grasping at straws here, but I'm not seeing much else at this point.

one thing i could do is change the a record ip for this hostname and use another public and see what happens.  Course i would have to modify the rule to reflect the internal private to public but that would be it.

I don't think the problem is with the public as there's no reference to any other use of that IP.  There might be a problem with the private though.

i will add another private ip to the server i will use 30.30.30.74

took a break for a while to clear my mind of this.  I added another private ip to the server 30.30.30.74
when i go to modify the permit rule to allow access from outside in to tcp any to dmz 30.30.30.73 ssh to 30.30.30.74   I am presented with some different options for NAT.  These we not present before when i put the orginal rule in.  It ask if i want to nat dynamic or static

That sounds like something you'd get out of PDM rather than the ASA itself.  If I were dealing directly with the ASA, I would say static, but I'm not quite sure what the PDM is asking.

tell you what since I really appricate your continued help i would like to do some more testing and see if it has somthing to do with the private ip.  What would be your availability today?  Im in Texas which is central time zone.  

I'm in Ontario (Eastern Time) but won't be near a computer today.  I'll try to advise from my mobile though.

Do you think changing private ips may help?

If there's a conflict, yes.

Question is on hold pending action on my part. It is not abandoned.