Solved

Server 2008 FTPS through Cisco PIX firewall

Posted on 2009-05-05
578 Views
Last Modified: 2013-11-29
We have a Cisco PIX 515e and we would like to use FTPS in Windows Server 2008.  So far we have had difficulty getting traffic through our firewall.  We opened a number of ports mentioned in Microsoft documents but we still cannot establish a connection.  
Question by:Jurinnov
11 Comments
 
LVL 30

Expert Comment

by:renazonse
ID: 24306511
FTPS is port 22 by default. The same port as SSH...try porting SSH where you want to connect and give that a whirl.
 

Expert Comment

by:renazonse
ID: 24306524
Actually, is it working internally without going through the firewall?
 

Author Comment

by:Jurinnov
ID: 24306532
Yes.  it works internally.  
 

Author Comment

by:Jurinnov
ID: 24307066
Port 22 did not work.  Here are my client settings that work on the inside.  

Port 21
Connection: AUTH SSL
SSL Options: SSL Listings and SSL Transfer
Windows SSL.  

I am using Core FTP Lite.  
 

Expert Comment

by:renazonse
ID: 24307764
I'm sorry, I'm getting SFTP mixed with FTPS. Typically, ports 989 and 990 need to be opened for FTPS UP/DOWN data transfers but you may have to tell the client to not use such a wide range of ports

Here's the Cisco answer for how to get this to work through the PIX:

http://supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_the_PIX_Firewall_to_support_FTP_over_SSL
 

Author Comment

by:Jurinnov
ID: 24316232
I configured the FTP Firewall support settings to the external IP address with a port range of 4000-4005 in IIS7. I never get past the SSL negotiation from the outside. I assume that I need to change the NAT or ACL on the firewall but I am not sure what the setting should be. Here is my firewall NAT and ACL with the internal IP changed to [INTERNAL IP] and outside IP to [OUTSIDE IP]

static (inside,outside) [OUTSIDE IP] [INTERNAL IP] netmask 255.255.255.255

access-list outside_in extended permit tcp any host [OUTSIDE IP] object-group ftp log
access-list outside_in extended permit tcp any host [OUTSIDE IP] object-group ftps log

I put the ports I wanted to open in the ftps service group. This service group contains 4000-4005, and 989-991. The ftp service group has 20 and 21.

My FTP connection looks like this:

connect socket #3728 to [OUTSIDE IP], port 21
220-Microsoft FTP Service
220-Microsoft FTP Service
AUTH SSL
234 AUTH command ok.  Expecting TLS Negotiation.  
Error reading secure data from the server
No response from server...
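A PIX 7.x configuration for this setup, added here as an example; it is not from the thread, from Cisco's article, or from the poster's firewall. It reuses the poster's placeholders [OUTSIDE IP] and [INTERNAL IP], the access-list name outside_in, the service group name ftps, and the IIS passive range 4000-4005 from the comment above; the names ftp-inspect-traffic and ftp-inspect-class are assumed. The point it adds is the last block: once the client sends AUTH SSL and the server answers 234, everything on port 21 is TLS, and the PIX FTP inspector, which expects cleartext FTP commands, cannot parse it and drops the session. That is consistent with a connection that dies right after "234 AUTH command ok" from outside but works inside, where no inspection is in the path.

```cisco
! Added example, not the poster's running config. PIX 7.x / ASA syntax.
! Placeholders [OUTSIDE IP] and [INTERNAL IP] are the poster's; the
! passive range 4000-4005 is the one configured in IIS 7 in the post.

! 1. One-to-one NAT for the FTPS server (already present in the post)
static (inside,outside) [OUTSIDE IP] [INTERNAL IP] netmask 255.255.255.255

! 2. Inbound permits: explicit FTPS control channel on 21 plus the IIS
!    passive data range. The range has to be opened statically because the
!    firewall cannot read the encrypted 227 PASV reply to open a pinhole.
!    Ports 989/990 are only used by implicit FTPS and are not needed here.
object-group service ftps tcp
  port-object eq 21
  port-object range 4000 4005
access-list outside_in extended permit tcp any host [OUTSIDE IP] object-group ftps log
access-group outside_in in interface outside

! 3. Exempt the FTPS server from FTP inspection while keeping it for all
!    other port-21 traffic. Traffic hit by a deny line in the ACL is
!    excluded from the class, so only the FTPS host escapes inspection.
!    (Assumed names: ftp-inspect-traffic, ftp-inspect-class.)
access-list ftp-inspect-traffic extended deny tcp any host [OUTSIDE IP] eq 21
access-list ftp-inspect-traffic extended permit tcp any any eq 21
class-map ftp-inspect-class
  match access-list ftp-inspect-traffic
policy-map global_policy
  class inspection_default
    no inspect ftp
  class ftp-inspect-class
    inspect ftp
service-policy global_policy global
```

On PIX 6.x the only equivalent is the global `no fixup protocol ftp 21`, which removes inspection for every FTP flow, not just this host. With inspection gone for the server, nothing rewrites or tracks the data channel, so two things on the IIS side must match this ACL exactly: the "External IP Address of Firewall" must be [OUTSIDE IP] (otherwise the 227 reply advertises the RFC 1918 inside address and the client tries to connect there), and the data channel range must stay within 4000-4005. Opening only six passive ports also limits the server to six concurrent data connections, which is fine for a small site but worth knowing before widening the ACL.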
 

Author Comment

by:Jurinnov
ID: 24316453
The inside one that works looks like this:

Started on Wednesday May 06, 2009 at 11:55:AM
Connect socket #440 to [INSIDE IP], port 21...
220-Microsoft FTP Service
220-Microsoft FTP Service
AUTH SSL
234 AUTH command ok. Expecting TLS Negotiation.
SSLv3 (RC4/SHA), 128 bits
USER eav
331 Password required for [USERNAME].
PASS **********
230-Welcome to the Jungle
230 User logged in.
SYST
215 Windows_NT
Keep alive off...
PWD
257 "/" is current directory.
PBSZ 0
200 PBSZ command successful.
PROT P
200 PROT command successful.
PORT 192,168,4,12,69,87
200 PORT command successful.
LIST
 

Expert Comment

by:renazonse
ID: 24320400
If you have an account with Cisco I'd definitely call. Their support is phenomenal and they probably have a solution article for this and can help you immediately. If you've already tried that, disregard. I'm still snooping.
 

Author Comment

by:Jurinnov
ID: 24324240
We do not have an account with Cisco.  
 

Expert Comment

by:renazonse
ID: 24325408
Is your ASA still under warranty? If it is, all you have to do is call and they'll ask for the serial number to verify warranty status.

Also, with FTPS the server has to speak back to the client to accept the connection. Are you blocking outbound traffic on any of these ports?

Here's another article I came across. http://learn.iis.net/page.aspx/309/configuring-ftp-firewall-settings/
 

Accepted Solution

by: Jurinnov (earned 0 total points)
ID: 25294534
We never got it working.  We are trying a linux based FTP.  