Server 2008 FTPS through Cisco PIX firewall

We have a Cisco PIX 515e and we would like to use FTPS in Windows Server 2008.  So far we have had difficulty getting traffic through our firewall.  We opened a number of ports mentioned in Microsoft documents but we still cannot establish a connection.  
Jurinnov Asked:
Jurinnov (Author) Commented:
We never got it working. We are trying a Linux-based FTP.
0
 
Britt Thompson (Sr. Systems Engineer) Commented:
FTPS is port 22 by default. The same port as SSH...try porting SSH where you want to connect and give that a whirl.
0
 
Britt Thompson (Sr. Systems Engineer) Commented:
Actually, is it working internally without going through the firewall?
0
 
Jurinnov (Author) Commented:
Yes. It works internally.
0
 
Jurinnov (Author) Commented:
Port 22 did not work.  Here are my client settings that work on the inside.  

Port 21
Connection: AUTH SSL
SSL Options: SSL Listings and SSL Transfer
Windows SSL.  

I am using Core FTP Lite.  
0
 
Britt Thompson (Sr. Systems Engineer) Commented:
I'm sorry, I'm getting SFTP mixed with FTPS. Typically, ports 989 and 990 need to be opened for FTPS UP/DOWN data transfers, but you may have to tell the client to not use such a wide range of ports.

Here's the Cisco answer for how to get this to work through the PIX:

http://supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_the_PIX_Firewall_to_support_FTP_over_SSL
0
 
Jurinnov (Author) Commented:
I configured the FTP Firewall support settings to the external IP address with a port range of 4000-4005 in IIS7. I never get past the SSL negotiation from the outside. I assume that I need to change the NAT or ACL on the firewall but I am not sure what the setting should be. Here is my firewall NAT and ACL with the internal IP changed to [INTERNAL IP] and outside IP to [OUTSIDE IP]

static (inside,outside) [OUTSIDE IP] [INTERNAL IP] netmask 255.255.255.255

access-list outside_in extended permit tcp any host [OUTSIDE IP] object-group ftp log
access-list outside_in extended permit tcp any host [OUTSIDE IP] object-group ftps log

I put the ports I wanted to open in the ftps service group. This service group contains 4000-4005, and 989-991. The ftp service group has 20 and 21.

My FTP connection looks like this:

connect socket #3728 to [OUTSIDE IP], port 21
220-Microsoft FTP Service
220-Microsoft FTP Service
AUTH SSL
234 AUTH command ok.  Expecting TLS Negotiation.  
Error reading secure data from the server
No response from server...
0
 
Jurinnov (Author) Commented:
The inside one that works looks like this:

Started on Wednesday May 06, 2009 at 11:55 AM
Connect socket #440 to [INSIDE IP], port 21...
220-Microsoft FTP Service
220-Microsoft FTP Service
AUTH SSL
234 AUTH command ok. Expecting TLS Negotiation.
SSLv3 (RC4/SHA), 128 bits
USER eav
331 Password required for [USERNAME].
PASS **********
230-Welcome to the Jungle
230 User logged in.
SYST
215 Windows_NT
Keep alive off...
PWD
257 "/" is current directory.
PBSZ 0
200 PBSZ command successful.
PROT P
200 PROT command successful.
PORT 192,168,4,12,69,87
200 PORT command successful.
LIST
0
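The data-channel arithmetic behind the ACL in the earlier post and the PORT line in the inside trace, as an added example that is not part of the original thread. It decodes the h1,h2,h3,h4,p1,p2 tuple that PORT commands and 227 (PASV) replies carry (port = p1*256 + p2), checks a server's 227 reply against the outside address and the ports the thread's "ftp" and "ftps" object-groups permit, and walks a control-channel trace to flag endpoints negotiated after the 234 reply to AUTH SSL, which a firewall's FTP inspection can no longer read or rewrite because the control channel is inside TLS from that point. The helper names, the 227 replies, the sample trace and the outside address 203.0.113.10 are assumptions for illustration; the permitted port set (20, 21, 989-991, 4000-4005) is taken from the thread.

```python
# Added example, not code from the original thread. Decodes FTP PORT/PASV
# endpoint tuples and checks them against the ports the PIX is said to permit.
# The 227 replies, the sample trace and 203.0.113.10 are constructed here.
import re

# Ports the thread lists as open: ftp group 20-21, ftps group 989-991 and 4000-4005.
PERMITTED_PORTS = frozenset({20, 21} | set(range(989, 992)) | set(range(4000, 4006)))

# PORT commands and 227 replies carry h1,h2,h3,h4,p1,p2 in decimal.
_TUPLE_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# Constructed from the shape of the thread's inside trace (username replaced).
SAMPLE_TRACE = [
    "220-Microsoft FTP Service",
    "AUTH SSL",
    "234 AUTH command ok.  Expecting TLS Negotiation.",
    "USER ftpuser",
    "PBSZ 0",
    "200 PBSZ command successful.",
    "PROT P",
    "200 PROT command successful.",
    "PORT 192,168,4,12,69,87",
    "200 PORT command successful.",
    "LIST",
]


def parse_host_port(line):
    """Return (ip, port) from a PORT command or a 227 reply; port = p1*256 + p2."""
    m = _TUPLE_RE.search(line)
    if m is None:
        raise ValueError(f"no host/port tuple in {line!r}")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {line!r}")
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_pasv_reply(ip, port):
    """Build the 227 reply a server should send for a given outside IP and port."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("expected a dotted IPv4 address")
    return f"227 Entering Passive Mode ({','.join(octets)},{port // 256},{port % 256})."


def check_passive_reply(reply, external_ip, permitted_ports=PERMITTED_PORTS):
    """Problems an outside client would hit acting on this 227 reply.

    With the control channel encrypted the firewall cannot rewrite the reply,
    so the server itself must advertise the outside address and a port that is
    already permitted. An empty list means the data connection should get through.
    """
    host, port = parse_host_port(reply)
    problems = []
    if host != external_ip:
        problems.append(f"server advertised {host}, not the outside address {external_ip}")
    if port not in permitted_ports:
        problems.append(f"data port {port} is not permitted by the firewall")
    return problems


def scan_session(lines):
    """Walk a control-channel trace and list the data endpoints it negotiates.

    Returns (line, ip, port, hidden) tuples; hidden is True once the 234 reply
    to AUTH SSL has passed, because everything after it travels inside TLS and
    an FTP fixup on the firewall can neither read nor rewrite it. In active
    mode (PORT) the server must also be allowed to connect out to that address.
    """
    hidden = False
    found = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("234"):
            hidden = True
        elif line.upper().startswith("PORT ") or line.startswith("227"):
            ip, port = parse_host_port(line)
            found.append((line, ip, port, hidden))
    return found


if __name__ == "__main__":
    for entry in scan_session(SAMPLE_TRACE):
        print(entry)
    print(check_passive_reply("227 Entering Passive Mode (10,0,0,5,15,160).", "203.0.113.10"))
```

Decoded, the inside trace's PORT line is 192.168.4.12:17751, a private client address the server reaches by connecting out from TCP port 20; from outside, that address is unreachable unless the client sits behind a NAT that rewrites it, and the tuple was sent inside TLS, so the firewall never saw it. The same applies to whatever 227 reply the server sends in passive mode, which is why the IIS firewall-support setting has to carry the outside address and the advertised range has to be opened statically.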
 
Britt Thompson (Sr. Systems Engineer) Commented:
If you have an account with Cisco I'd definitely call. Their support is phenomenal and they probably have a solution article for this and can help you immediately. If you've already tried that, disregard. I'm still snooping.
0
 
Jurinnov (Author) Commented:
We do not have an account with Cisco.  
0
 
Britt Thompson (Sr. Systems Engineer) Commented:
Is your ASA still under warranty? If it is, all you have to do is call and they'll ask for the serial number to verify warranty status.

Also, with FTPS the server has to speak back to the client to accept the connection. Are you blocking outbound traffic on any of these ports?

Here's another article I came across. http://learn.iis.net/page.aspx/309/configuring-ftp-firewall-settings/
0
Question has a verified solution.