?
Solved

Server 2008 FTPS through Cisco PIX firewall

Posted on 2009-05-05
11
Medium Priority
?
604 Views
Last Modified: 2013-11-29
We have a Cisco PIX 515e and we would like to use FTPS in Windows Server 2008.  So far we have had difficulty getting traffic through our firewall.  We opened a number of ports mentioned in Microsoft documents but we still cannot establish a connection.  
0
Comment
Question by:Jurinnov
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
11 Comments
 
LVL 30

Expert Comment

by:Britt Thompson
ID: 24306511
FTPS is port 22 by default. The same port as SSH...try porting ssh where you want to connect and give that whirl.
0
 
LVL 30

Expert Comment

by:Britt Thompson
ID: 24306524
Actually, is it working internally without going through the firewall?
0
 

Author Comment

by:Jurinnov
ID: 24306532
Yes.  it works internally.  
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:Jurinnov
ID: 24307066
Port 22 did not work.  Here are my client settings that work on the inside.  

Port 21
Connection: AUTH SSL
SSL Options: SSL Listings and SSL Transfer
Windows SSL.  

I am using Core FTP Lite.  
0
 
LVL 30

Expert Comment

by:Britt Thompson
ID: 24307764
I'm sorry, I'm getting SFTP mixed with FTPS. Typically, ports 989 and 990 need to be opened for FTPS UP/DOWN data transfers but you may have to tell the client to not use such a wide range of ports

Here's the Cisco answer for how to get this to work through the PIX:

http://supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_the_PIX_Firewall_to_support_FTP_over_SSL
0
 

Author Comment

by:Jurinnov
ID: 24316232
I configured the FTP Firewall support settings to the external IP address with a port range of 4000-4005 in IIS7. I never get past the SSL negotiation from the outside. I assume that I need to change the NAT or ACL on the firewall but I am not sure what the setting should be. Here is my firewall NAT and ACL with the internal IP changed to [INTERNAL IP] and outside IP to [OUTSIDE IP]

static (inside,outside) [OUTSIDE IP] [INTERNAL IP] netmask 255.255.255.255

access-list outside_in extended permit tcp any host [OUTSIDE IP] object-group ftp log
access-list outside_in extended permit tcp any host [OUTSIDE IP] object-group ftps log

I put the ports I wanted to open in the ftps service group. This service group contains 4000-4005, and 989-991. The ftp service group has 20 and 21.

My FTP connection looks like this:

connect socket #3728 to [OUTSIDE IP], port 21
220-Microsoft FTP Service
220-Microsoft FTP Service
AUTH SSL
234 AUTH command ok.  Expecting TLS Negotiation.  
Error reading secure data from the server
No response from server...
0
 

Author Comment

by:Jurinnov
ID: 24316453
The inside one that works looks like this:

Started on Wednesday May 06, 2009 at 11:55:AM
Connect socket #440 to [INSIDE IP], port 21...
220-Microsoft FTP Service
220-Microsoft FTP Service
AUTH SSL
234 AUTH command ok. Expecting TLS Negotiation.
SSLv3 (RC4/SHA), 128 bits
USER eav
331 Password required for [USERNAME]. PASS **********
230-Welcome to the Jungle
230 User logged in.
SYST
215 Windows_NT
Keep alive off...
PWD
257 "/" is current directory.
PBSZ 0
200 PBSZ command successful.
PROT P
200 PROT command successful.
PORT 192,168,4,12,69,87
200 PORT command successful.
LIST
0
 
LVL 30

Expert Comment

by:Britt Thompson
ID: 24320400
If you have an account with Cisco I'd definitely call. Their support is phenomenal and they probably have a solution article for this and can help you immediately. If you've already tried that, disregard. I'm still snooping.
0
 

Author Comment

by:Jurinnov
ID: 24324240
We do not have an account with Cisco.  
0
 
LVL 30

Expert Comment

by:Britt Thompson
ID: 24325408
Is your ASA still under warranty? If it is, all you have to do is call and they'll ask for the serial number to verify warranty status.

Also, with FTPS the server has to speak back to the client to accept the connection. Are you blocking outbound traffic on any of these ports?

Here's another article I came across. http://learn.iis.net/page.aspx/309/configuring-ftp-firewall-settings/
0
 

Accepted Solution

by:
Jurinnov earned 0 total points
ID: 25294534
We never got it working.  We are trying a linux based FTP.  
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Suggested Courses

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question