Hi,
I have opened port 22 in my firewall and am trying to connect to an SFTP server. When I connect (using WinSCP3) and sniff with ethereal, I can see three syn packets coming out and one response from the server that is RST-ACK. I am not sure what is going on. All the client says is "Network error: Connection Timed Out"
Thanks for any suggestions.
You must have an error in your config, you should correct the error.
-Wil
ambiguous there
With the amount of information that was given to help resolve, this seemed like a reasonable answer. Okay, I'll try to be more helpful :)
Is there a proper static in place to go with the SSH rule and do you see log entries that point toward the problem? Is this working while not traversing the PIX? Possibly a sanitized portion of the config can be posted.
-Wil
I just ran in to this at a customers last night. Took hours of troubleshooting and I cannot believe the fix also have no idea how it could possibly related to SFTP. I verified this in a lab environment, same exact results. Very simply, remove the "inspect skinny" from your inspection policy, hopefully you are not running cisco voice thru the ASA and need that inspect.
-Brian
Really - Per the following it can't be done.
Q. Is SFTP supported through the PIX?
A. No. In a typical FTP connection, either the client or the server must tell the other what port to use for data transfer. The PIX is able to inspect this conversation and open that port. However, with SFTP this conversation is encrypted and the PIX is unable to determine what ports to open and the SFTP connection ultimately fails.
One possible workaround in this situation is to use an SFTP client that supports the use of a "clear data channel." With this option enabled, the PIX should be able to determine what port needs to be opened.
That is for clientless SFTP which atleast around here is very rarely used.
-Brian
Why would this occur at all? Isn't SFTP a single port service? Doesn't it simply use port 22? If that is the case, if port 22 was open why would the pix stop it at all? If it was encrypted it wouldn't see what kind of traffic it is and would see it going on port 22 and let it through if that was opened???
There are several versions of enhanced FTP out there and usually confused in any possible way. The three most common variants are SFTP, FTPS, and Secure-FTP.
SFTP and Secure-FTP use the normal FTP Protocol (and Port incl. Port allocation schema), but optionally encrypt the command channel and/or the data channels.
SFTP uses Stunnel(aka SSL) for each type of FTP-communication channel. Secure-FTP is braindead and broken.
FTPS is an SSH application similar to SCP. FTPS is much more featured than SCP.
Only FTPS can pass the PIX.
In order to pass SFTP or Secure-FTP through a PIX you need: - Set passive mode on the client. - Create an access-list matching all TCP traffic to the server. - Use this access-list to inhibit any inspection. - PAT all data to this server.
If you like to use active mode, you need a 1:1 NAT for your inside addresses.
Have fun.
I did not realize there were so many different flavors. Well, the company I am trying to connect to told me it was an SFTP connection, however, there server is named ftps. What client should I use to connect to a FTPS connection? I am currently using WinSCP but getting that network error. I see 3 SYN packets headed to the IP of the server on port 22 but I only get a RST-ACK back from the server. Perhaps they are using one of the other flavors while I am trying to connect to FTPS on port 22? Maybe that is why the server responds with a RST-ACK? But if that was the case I would assume that the server would not respond at all.
THanks for your help.
Ask them.
This are not flavors, this are completely different protocols. You are right, they use an other protocol.
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.