1. Home
  2. Cisco Systems
  3. Encrypted FTP through a ASA

Encrypted FTP through a ASA

I have an internal FTP server on 192.168.1.2. It is configurated to use SSL. It works fine on the internal local network but not from the outside. My passive port range is: 2048 --> 3000

What am I missing in my configuration?

ASA Version 7.2(2) ! terminal width 120 hostname ASA-xxx domain-name xxx.local enable password CfJxxxxxxxnP.UdE encrypted names ! interface Vlan2 nameif outside security-level 0 ip address 2xx.2xx.x2.10 255.255.255.240 ! interface Vlan7 nameif inside security-level 100 ip address 192.168.1.1 255.255.255.0 ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 switchport access vlan 2 ! interface Ethernet0/2 switchport access vlan 7 ! interface Ethernet0/3 switchport access vlan 7 ! interface Ethernet0/4 switchport access vlan 7 ! interface Ethernet0/5 switchport access vlan 7 ! interface Ethernet0/6 switchport access vlan 7 ! interface Ethernet0/7 switchport access vlan 7 ! passwd Xejxxxxxxt2wxqfff encrypted ftp mode passive clock timezone CEST 1 clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00 dns server-group DefaultDNS domain-name xxx.local access-list allow_inbound remark **** access-list allow_inbound extended permit tcp any interface outside eq ftp access-list allow_inbound extended permit tcp any interface outside range 2048 3000 access-list allow_inbound extended permit tcp any interface outside eq ftp-data access-list map_inbound extended permit tcp host 192.168.1.2 range 2048

3000 any pager lines 24 logging asdm informational mtu outside 1500 mtu inside 1500 icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-522.bin no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 1 0.0.0.0 0.0.0.0 static (inside,outside) tcp interface ftp-data 192.168.1.2 ftp-data netmask 255.255.255.255 static (inside,outside) tcp interface ftp 192.168.1.2 ftp netmask 255.255.255.255 static (inside,outside) interface access-list map_inbound access-group allow_inbound in interface outside route outside 0.0.0.0 0.0.0.0 2xx.2xx.x2.1 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout uauth 0:05:00 absolute http server enable http 87.xx.xx.154 255.255.255.255 outside http 2x3.xx.xx.2 255.255.255.255 outside http 192.168.1.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart telnet timeout 60 ssh 2x3.xx.xx.2 255.255.255.255 outside ssh 8x.xx.xx.154 255.255.255.255 outside ssh 192.168.1.0 255.255.255.0 inside ssh timeout 60 console timeout 60

! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ftp ! service-policy global_policy global prompt hostname context Cryptochecksum:fe43660859e5ab99916a90adcd45fe50 : end

Reply to
M
Loading thread data ...

Nothing probably, it simply can't work (unless the NAT router performs a nasty man-in-the-middle attack on the SSL connection).

An FTP server accepting a passive connection will open a TCP listener port and tell the FTP client the IP address and port number. If the FTP server is behind a NAT router this can't work because it will tell the FTP client its internal IP address and local port number. The NAT router must therefore understand the FTP protocol, create a NAT mapping and rewrite the IP address and port number. That NAT mapping will allow the FTP client to actually connect to the FTP server.

In your setup the FTP connection is encrypted. The NAT router can therefore not inspect it and not rewrite the IP address and port number. The FTP client will therefore try to connect to 192.168.1.2 which won't work.

Kind regards

Reply to
Matthias Scheler

the better approach would be to have a vpn depending on your business, users to choose which one and then have ftp traffic encrypted through this vpn and it gets decrypted on your ASA. From where it would be inspected and allowed for users from outside.

When you have ASA and can have most of the features configured on it why do you want to run ftp over ssl?

Reply to
ciscosec

Even easier: sftp

Regards

fw

Reply to
Frank Winkler

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.