
Windows Server 2008 FTPS through Cisco PIX 515e

evanderburg Member Posts: 229
We have a Cisco PIX 515e and we would like to use FTPS in Windows Server 2008. So far we have had difficulty getting traffic through our firewall. We opened a number of ports mentioned in Microsoft documents but we still cannot establish a connection. Any thoughts?
"You can never know everything and part of what you know is always wrong. Perhaps even the most important part. A portion of wisdom lies in knowing that. A portion of courage lies in going on anyway. " - Lan, Winter's Heart by Robert Jordan

Comments

  • BradH Member Posts: 160
    I would do the following:

    Test via a local computer whether you can establish a connection to the Windows Server via FTP.
    This would show whether the issue is a Cisco-related issue or a Windows-related issue.

    Then see if you have any drop logs on the PIX for port 21 (FTP). You should be able to find this if you enable some verbose logging while attempting the connection.

    Doing these two things should limit the troubleshooting to finding out where your stoppage is.

    If you can't get the Windows server to establish an FTP session, work at the firewall until it can, then set up your original connection again and test again.
    EA Path - 70-643 - Passed - 70-680 - Passed - 70-647 - To Complete
  • evanderburg Member Posts: 229
    Yes, we are able to connect to it from a host behind the firewall. That is why I am trying to troubleshoot the firewall. Here are my client settings that work on the inside.

    Port 21
    Connection: AUTH SSL
    SSL Options: SSL Listings and SSL Transfer
    Windows SSL.

    I am using Core FTP Lite.

    I try it on the outside and I get "cannot establish connection"
  • rwwest7 Member Posts: 300
    Any NAT/Port forwarding issues?
  • evanderburg Member Posts: 229
    I am assuming so but I do not know how to get around it. I configured the FTP Firewall Support settings to the external IP address with a port range of 4000-4005 in IIS7. I never get past the SSL negotiation from the outside. I assume that I need to change the NAT or ACL on the firewall but I am not sure what the setting should be. Here is my firewall NAT and ACL with the internal IP changed to [INTERNAL IP] and the outside IP to [OUTSIDE IP].

    static (inside,outside) [OUTSIDE IP] [INTERNAL IP] netmask 255.255.255.255

    access-list outside_in extended permit tcp any host [OUTSIDE IP] object-group ftp log
    access-list outside_in extended permit tcp any host [OUTSIDE IP] object-group ftps log

    I put the ports I wanted to open in the ftps service group. This service group contains 4000-4005, and 989-991. The ftp service group has 20 and 21.
  • evanderburg Member Posts: 229
    My outside FTP connection that fails looks like this:

    connect socket #3728 to [OUTSIDE IP], port 21
    220-Microsoft FTP Service
    220-Microsoft FTP Service
    AUTH SSL
    234 AUTH command ok. Expecting TLS Negotiation.
    Error reading secure data from the server
    No response from server...

    The inside one that works looks like this:

    Started on Wednesday May 06, 2009 at 11:55:AM
    Connect socket #440 to [INSIDE IP], port 21...
    220-Microsoft FTP Service
    220-Microsoft FTP Service
    AUTH SSL
    234 AUTH command ok. Expecting TLS Negotiation.
    SSLv3 (RC4/SHA), 128 bits
    USER [USERNAME]
    331 Password required for [USERNAME]. PASS **********
    230-Welcome to the Jungle
    230 User logged in.
    SYST
    215 Windows_NT
    Keep alive off...
    PWD
    257 "/" is current directory.
    PBSZ 0
    200 PBSZ command successful.
    PROT P
    200 PROT command successful.
    PORT 192,168,4,12,69,87
    200 PORT command successful.
    LIST
  • blargoe Member Posts: 4,174
    What FTP Client are you using?
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • evanderburg Member Posts: 229
    Core FTP Lite
  • bertieb Member Posts: 1,031
    Interesting problem. FTPS is a PITA to get to work over certain firewalls, most modern ones drop the connection as they can't inspect the ftp-control stream. (Pretty much like trying to get standard FTP to work over some firewalls I suppose). However, you seem to be on the right track reading what you've done.

    Have a read through the following, and tweak the client and server side settings for the SSL encryption options at various stages to see what does and doesn't work. (He is using the same ftp client as you have too).

    Robert McMurray's Blog [MSFT]

    I've also linked a few docs I found on my travels that you have probably seen but may help others in the future:
    How to configure the PIX Firewall to support FTP over SSL - Ciscowiki

    Using FTP Over SSL : FTP 7 for IIS 7.0 : Publishing Content to Web Sites : The Official Microsoft IIS Site
    The trouble with quotes on the internet is that you can never tell if they are genuine - Abraham Lincoln
  • Alan Engel Member Posts: 1
    I just solved a similar problem by disabling IPv6 on the server. The PIX was giving SYN timeouts in response to IExplorer traffic. It also would not allow pinging even though other W2K servers and XP computers on the network could ping through.

    How do I disable IPv6 in Windows Vista and Windows Server 2008? - Windows Live

    Disable IPv6 in Windows Server 2008 Full & Core installation | Windows Reference
  • msteinhilber Member Posts: 1,480
    Did you enter in the external IP address of your firewall in IIS so the passive connections don't try to connect to the internal IP?
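As an added example (not code from anyone in this thread), the following script ties msteinhilber's question about the external IP to the `PORT 192,168,4,12,69,87` line in evanderburg's log. With FTP over TLS the control channel is encrypted, so a NAT firewall cannot rewrite the `h1,h2,h3,h4,p1,p2` address tuples inside PORT commands and `227 Entering Passive Mode` replies; the server has to advertise its external address itself and use a fixed passive port range that is opened on the firewall. The script parses a control-channel transcript and flags tuples an outside client could not use. The transcript is constructed for the example, the 4000-4005 range and the 192.168.4.12 address are taken from the thread, and 203.0.113.10 is a documentation-range placeholder standing in for [OUTSIDE IP].

```python
"""Sanity-check FTP data-channel address tuples for NAT/FTPS troubleshooting.

Added example for this thread (not code from any poster). The passive range
4000-4005 and the private 192.168.4.12 address come from the thread; the
transcript below is constructed and 203.0.113.10 is a placeholder for the
server's real external IP.
"""
import ipaddress
import re

# The six-number form used by PORT commands and 227 PASV replies.
TUPLE_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# RFC 1918 space: what "the internal IP" means to a client outside the NAT.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hostport(text):
    """Return (ip, port) from the first h1,h2,h3,h4,p1,p2 tuple in text, or None."""
    m = TUPLE_RE.search(text)
    if not m:
        return None
    parts = [int(x) for x in m.groups()]
    if any(x > 255 for x in parts):
        return None
    ip = ".".join(str(x) for x in parts[:4])
    port = parts[4] * 256 + parts[5]  # p1 is the high byte, p2 the low byte
    return ip, port


def is_rfc1918(ip):
    """True if ip falls in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def check_transcript(lines, passive_range=(4000, 4005), external_ip=None):
    """Return (line, reason) pairs for data-channel tuples that would fail from outside the NAT."""
    low, high = passive_range
    findings = []
    for raw in lines:
        line = raw.strip()
        is_port = line.upper().startswith("PORT ")
        is_pasv = line.startswith("227")
        if not (is_port or is_pasv):
            continue
        hp = parse_hostport(line)
        if hp is None:
            findings.append((line, "unparseable address tuple"))
            continue
        ip, port = hp
        if is_pasv:
            # Server-advertised endpoint: this is where the IIS external IP setting matters.
            if is_rfc1918(ip):
                findings.append((line, f"server advertised private address {ip}"))
            elif external_ip and ip != external_ip:
                findings.append((line, f"server advertised {ip}, expected {external_ip}"))
            if not low <= port <= high:
                findings.append((line, f"port {port} is outside passive range {low}-{high}"))
        else:
            # Active mode: the server must open a connection back to the client,
            # which the client's own firewall/NAT will usually refuse.
            findings.append((line, f"active mode: server must connect back to {ip}:{port}"))
    return findings


# Constructed transcript: the PORT line mirrors the one in the thread; the 227 lines are invented.
SAMPLE_TRANSCRIPT = [
    "PROT P",
    "200 PROT command successful.",
    "PORT 192,168,4,12,69,87",
    "200 PORT command successful.",
    "PASV",
    "227 Entering Passive Mode (192,168,4,12,15,160).",
    "PASV",
    "227 Entering Passive Mode (203,0,113,10,15,165).",
    "PASV",
    "227 Entering Passive Mode (203,0,113,10,15,166).",
]

if __name__ == "__main__":
    for line, reason in check_transcript(SAMPLE_TRANSCRIPT, external_ip="203.0.113.10"):
        print(f"{reason}\n    {line}")
```

Run against the sample, it reports the active-mode PORT line, the passive reply that advertises the private 192.168.4.12 address (the symptom the IIS "external IP" setting is meant to fix), and the reply whose port 4006 falls outside the 4000-4005 range opened in the ftps object-group. A passive reply with the external address and a port inside the range produces no finding, which is what a working configuration looks like from the outside.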