Solved

Server 2008 FTPS through Cisco PIX firewall

Posted on 2009-05-05
11
591 Views
Last Modified: 2013-11-29
We have a Cisco PIX 515e and we would like to use FTPS in Windows Server 2008.  So far we have had difficulty getting traffic through our firewall.  We opened a number of ports mentioned in Microsoft documents but we still cannot establish a connection.  
Question by:Jurinnov
11 Comments
 
LVL 30

Expert Comment

by:Britt Thompson
ID: 24306511
FTPS is port 22 by default. The same port as SSH...try porting SSH where you want to connect and give that a whirl.
 
LVL 30

Expert Comment

by:Britt Thompson
ID: 24306524
Actually, is it working internally without going through the firewall?
 

Author Comment

by:Jurinnov
ID: 24306532
Yes. It works internally.
 

Author Comment

by:Jurinnov
ID: 24307066
Port 22 did not work. Here are my client settings that work on the inside.

Port 21
Connection: AUTH SSL
SSL Options: SSL Listings and SSL Transfer
Windows SSL.

I am using Core FTP Lite.
 
LVL 30

Expert Comment

by:Britt Thompson
ID: 24307764
I'm sorry, I'm getting SFTP mixed up with FTPS. Typically, ports 989 and 990 need to be opened for FTPS UP/DOWN data transfers, but you may have to tell the client not to use such a wide range of ports.

Here's the Cisco answer for how to get this to work through the PIX:

http://supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_the_PIX_Firewall_to_support_FTP_over_SSL
 

Author Comment

by:Jurinnov
ID: 24316232
I configured the FTP Firewall support settings to the external IP address with a port range of 4000-4005 in IIS7. I never get past the SSL negotiation from the outside. I assume that I need to change the NAT or ACL on the firewall but I am not sure what the setting should be. Here is my firewall NAT and ACL with the internal IP changed to [INTERNAL IP] and outside IP to [OUTSIDE IP]

static (inside,outside) [OUTSIDE IP] [INTERNAL IP] netmask 255.255.255.255

access-list outside_in extended permit tcp any host [OUTSIDE IP] object-group ftp log
access-list outside_in extended permit tcp any host [OUTSIDE IP] object-group ftps log

I put the ports I wanted to open in the ftps service group. This service group contains 4000-4005, and 989-991. The ftp service group has 20 and 21.

My FTP connection looks like this:

connect socket #3728 to [OUTSIDE IP], port 21
220-Microsoft FTP Service
220-Microsoft FTP Service
AUTH SSL
234 AUTH command ok.  Expecting TLS Negotiation.  
Error reading secure data from the server
No response from server...
 

Author Comment

by:Jurinnov
ID: 24316453
The inside one that works looks like this:

Started on Wednesday May 06, 2009 at 11:55:AM
Connect socket #440 to [INSIDE IP], port 21...
220-Microsoft FTP Service
220-Microsoft FTP Service
AUTH SSL
234 AUTH command ok. Expecting TLS Negotiation.
SSLv3 (RC4/SHA), 128 bits
USER eav
331 Password required for [USERNAME].
PASS **********
230-Welcome to the Jungle
230 User logged in.
SYST
215 Windows_NT
Keep alive off...
PWD
257 "/" is current directory.
PBSZ 0
200 PBSZ command successful.
PROT P
200 PROT command successful.
PORT 192,168,4,12,69,87
200 PORT command successful.
LIST
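As an added diagnostic that is not from the thread, from IIS or from Cisco: a Python helper that performs the explicit FTPS opening shown in the two session logs above (AUTH, then PBSZ 0 / PROT P / PASV inside TLS) and checks that the passive reply advertises the external address and a port inside the range the PIX ACL permits (4000-4005 in this thread). Once AUTH SSL succeeds the control channel is encrypted, so the firewall can no longer read PORT/PASV and open data ports on the fly; the advertised endpoint must match what is statically permitted. The host name, the 203.0.113.10 address, the `PASV_REPLY` constant and the default `AUTH TLS` command (the thread used `AUTH SSL`; pass `auth_cmd=b"AUTH SSL"` to match) are constructed assumptions, and `ctx` lets you supply an SSL context that trusts the server's certificate.

```python
import re
import socket
import ssl
PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,15,162)."  # constructed sample reply
_TUPLE_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_ftp_endpoint(line):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by 227 replies."""
    m = _TUPLE_RE.search(line)
    if not m:
        raise ValueError("no address tuple in: " + line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def check_data_endpoint(line, external_ip, port_range):
    """Problems that stop a statically permitted data-port range from working:
    the firewall cannot read the encrypted PORT/PASV, so values must match the ACL."""
    ip, port = parse_ftp_endpoint(line)
    lo, hi = port_range
    problems = []
    if ip != external_ip:
        problems.append(f"advertised {ip}, expected external address {external_ip}")
    if not lo <= port <= hi:
        problems.append(f"data port {port} outside permitted range {lo}-{hi}")
    return problems

def _reply(fobj):
    """Read one FTP reply (possibly multi-line, like the 220 banner) and return its final line."""
    while True:
        line = fobj.readline()
        if not line:
            raise ConnectionError("server closed the control connection")
        if re.match(r"\d{3} ", line):
            return line.rstrip()

def probe_explicit_ftps(host, external_ip, port_range, auth_cmd=b"AUTH TLS", ctx=None, timeout=10):
    """Live check (needs a reachable server); a stall right after '234' points at firewall FTP inspection."""
    ctx = ctx or ssl.create_default_context()
    with socket.create_connection((host, 21), timeout=timeout) as raw:
        f = raw.makefile("r", encoding="ascii")
        _reply(f)  # 220 banner
        raw.sendall(auth_cmd + b"\r\n")
        if not _reply(f).startswith("234"):
            raise RuntimeError("server refused " + auth_cmd.decode())
        with ctx.wrap_socket(raw, server_hostname=host) as tls:  # the thread's outside session dies here
            tf = tls.makefile("r", encoding="ascii")
            for cmd in (b"PBSZ 0\r\n", b"PROT P\r\n", b"PASV\r\n"):
                tls.sendall(cmd)
                last = _reply(tf)
            return check_data_endpoint(last, external_ip, port_range)
```

Run `probe_explicit_ftps("ftp.example.test", "[OUTSIDE IP]", (4000, 4005))` from outside the firewall; an empty list means the advertised data endpoint matches the ACL, so any remaining failure is in the handshake or the data-port rules rather than in the IIS firewall-support settings.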
 
LVL 30

Expert Comment

by:Britt Thompson
ID: 24320400
If you have an account with Cisco I'd definitely call. Their support is phenomenal and they probably have a solution article for this and can help you immediately. If you've already tried that, disregard. I'm still snooping.
 

Author Comment

by:Jurinnov
ID: 24324240
We do not have an account with Cisco.
 
LVL 30

Expert Comment

by:Britt Thompson
ID: 24325408
Is your ASA still under warranty? If it is, all you have to do is call and they'll ask for the serial number to verify warranty status.

Also, with FTPS the server has to speak back to the client to accept the connection. Are you blocking outbound traffic on any of these ports?

Here's another article I came across. http://learn.iis.net/page.aspx/309/configuring-ftp-firewall-settings/
 

Accepted Solution

by:Jurinnov (earned 0 total points)
ID: 25294534
We never got it working. We are trying a Linux-based FTP.
