Solved

Server 2008 FTPS through Cisco PIX firewall

Posted on 2009-05-05
Last Modified: 2013-11-29
We have a Cisco PIX 515e and we would like to use FTPS in Windows Server 2008.  So far we have had difficulty getting traffic through our firewall.  We opened a number of ports mentioned in Microsoft documents but we still cannot establish a connection.  
Question by:Jurinnov
11 Comments
 
LVL 30

Expert Comment

by:Britt Thompson
ID: 24306511
FTPS is port 22 by default. The same port as SSH...try porting SSH where you want to connect and give that a whirl.
 
LVL 30

Expert Comment

by:Britt Thompson
ID: 24306524
Actually, is it working internally without going through the firewall?
 

Author Comment

by:Jurinnov
ID: 24306532
Yes, it works internally.
 

Author Comment

by:Jurinnov
ID: 24307066
Port 22 did not work. Here are my client settings that work on the inside.

Port 21
Connection: AUTH SSL
SSL Options: SSL Listings and SSL Transfer
Windows SSL.  

I am using Core FTP Lite.  
 
LVL 30

Expert Comment

by:Britt Thompson
ID: 24307764
I'm sorry, I'm getting SFTP mixed up with FTPS. Typically, ports 989 and 990 need to be opened for FTPS UP/DOWN data transfers, but you may have to tell the client to not use such a wide range of ports.

Here's the Cisco answer for how to get this to work through the PIX:

http://supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_the_PIX_Firewall_to_support_FTP_over_SSL
 

Author Comment

by:Jurinnov
ID: 24316232
I configured the FTP Firewall support settings to the external IP address with a port range of 4000-4005 in IIS7. I never get past the SSL negotiation from the outside. I assume that I need to change the NAT or ACL on the firewall but I am not sure what the setting should be. Here is my firewall NAT and ACL with the internal IP changed to [INTERNAL IP] and outside IP to [OUTSIDE IP]

static (inside,outside) [OUTSIDE IP] [INTERNAL IP] netmask 255.255.255.255

access-list outside_in extended permit tcp any host [OUTSIDE IP] object-group ftp log
access-list outside_in extended permit tcp any host [OUTSIDE IP] object-group ftps log

I put the ports I wanted to open in the ftps service group. This service group contains 4000-4005, and 989-991. The ftp service group has 20 and 21.

My FTP connection looks like this:

connect socket #3728 to [OUTSIDE IP], port 21
220-Microsoft FTP Service
220-Microsoft FTP Service
AUTH SSL
234 AUTH command ok.  Expecting TLS Negotiation.  
Error reading secure data from the server
No response from server...
 

Author Comment

by:Jurinnov
ID: 24316453
The inside one that works looks like this:

Started on Wednesday May 06, 2009 at 11:55:AM
Connect socket #440 to [INSIDE IP], port 21...
220-Microsoft FTP Service
220-Microsoft FTP Service
AUTH SSL
234 AUTH command ok. Expecting TLS Negotiation.
SSLv3 (RC4/SHA), 128 bits
USER eav
331 Password required for [USERNAME]. PASS **********
230-Welcome to the Jungle
230 User logged in.
SYST
215 Windows_NT
Keep alive off...
PWD
257 "/" is current directory.
PBSZ 0
200 PBSZ command successful.
PROT P
200 PROT command successful.
PORT 192,168,4,12,69,87
200 PORT command successful.
LIST
 
LVL 30

Expert Comment

by:Britt Thompson
ID: 24320400
If you have an account with Cisco I'd definitely call. Their support is phenomenal and they probably have a solution article for this and can help you immediately. If you've already tried that, disregard. I'm still snooping.
 

Author Comment

by:Jurinnov
ID: 24324240
We do not have an account with Cisco.  
 
LVL 30

Expert Comment

by:Britt Thompson
ID: 24325408
Is your ASA still under warranty? If it is, all you have to do is call and they'll ask for the serial number to verify warranty status.

Also, with FTPS the server has to speak back to the client to accept the connection. Are you blocking outbound traffic on any of these ports?

Here's another article I came across. http://learn.iis.net/page.aspx/309/configuring-ftp-firewall-settings/
 

Accepted Solution

by:Jurinnov (earned 0 total points)
ID: 25294534
We never got it working. We are trying a Linux-based FTP.
