Windows Server 2008 FTPS through Cisco PIX 515e
evanderburg
We have a Cisco PIX 515e and we would like to use FTPS in Windows Server 2008. So far we have had difficulty getting traffic through our firewall. We opened a number of ports mentioned in Microsoft documents but we still cannot establish a connection. Any thoughts?
"You can never know everything and part of what you know is always wrong. Perhaps even the most important part. A portion of wisdom lies in knowing that. A portion of courage lies in going on anyway. " - Lan, Winter's Heart by Robert Jordan
Comments
Claymoore: Have you created a rule on the Windows firewall to allow for the FTP traffic?
How to Configure Windows Firewall for a Passive Mode FTP Server
Overview of the Windows Server 2008 Firewall with Advanced Security Part 2: Inbound and Outbound Firewall Rules
You may also need to make a change to IE
How to configure Internet Explorer to use both the FTP PORT mode and the FTP PASV mode in the Windows Server 2003 Family
BradH: I would do the following:
Test from a local computer whether you can establish a connection to the Windows Server via FTP.
This would determine whether the issue is Cisco-related or Windows-related.
Then see if you have any drop logs on the PIX for port 21 (FTP). You should be able to find them if you enable some verbose logging while attempting the connection.
Doing these two things should limit the troubleshooting to finding out where your stoppage is.
If you can't get the Windows server to establish an FTP session, work at the firewall until it can, then set up your original connection again and test again.
evanderburg: Yes, we are able to connect to it from a host behind the firewall. That is why I am trying to troubleshoot the firewall. Here are my client settings that work on the inside.
Port 21
Connection: AUTH SSL
SSL Options: SSL Listings and SSL Transfer
Windows SSL.
I am using Core FTP Lite.
I try it on the outside and I get "cannot establish connection".
evanderburg: I am assuming so, but I do not know how to get around it. I configured the FTP Firewall Support settings to the external IP address with a port range of 4000-4005 in IIS7. I never get past the SSL negotiation from the outside. I assume that I need to change the NAT or ACL on the firewall, but I am not sure what the setting should be. Here is my firewall NAT and ACL with the internal IP changed to [INTERNAL IP] and the outside IP to [OUTSIDE IP]:
static (inside,outside) [OUTSIDE IP] [INTERNAL IP] netmask 255.255.255.255
access-list outside_in extended permit tcp any host [OUTSIDE IP] object-group ftp log
access-list outside_in extended permit tcp any host [OUTSIDE IP] object-group ftps log
I put the ports I wanted to open in the ftps service group. This service group contains 4000-4005 and 989-991. The ftp service group has 20 and 21.
evanderburg: My outside FTP connection that fails looks like this:
connect socket #3728 to [OUTSIDE IP], port 21
220-Microsoft FTP Service
220-Microsoft FTP Service
AUTH SSL
234 AUTH command ok. Expecting TLS Negotiation.
Error reading secure data from the server
No response from server...
The inside one that works looks like this:
Started on Wednesday May 06, 2009 at 11:55:AM
Connect socket #440 to [INSIDE IP], port 21...
220-Microsoft FTP Service
220-Microsoft FTP Service
AUTH SSL
234 AUTH command ok. Expecting TLS Negotiation.
SSLv3 (RC4/SHA), 128 bits
USER [USERNAME]
331 Password required for [USERNAME].
PASS **********
230-Welcome to the Jungle
230 User logged in.
SYST
215 Windows_NT
Keep alive off...
PWD
257 "/" is current directory.
PBSZ 0
200 PBSZ command successful.
PROT P
200 PROT command successful.
PORT 192,168,4,12,69,87
200 PORT command successful.
LIST
blargoe: What FTP client are you using?
evanderburg: Core FTP Lite
bertieb: Interesting problem. FTPS is a PITA to get to work over certain firewalls; most modern ones drop the connection as they can't inspect the ftp-control stream. (Pretty much like trying to get standard FTP to work over some firewalls, I suppose.) However, you seem to be on the right track reading what you've done.
Have a read through the following, and tweak the client and server side settings for the SSL encryption options at various stages to see what does and doesn't work. (He is using the same ftp client as you have too).
Robert McMurray's Blog [MSFT]
I've also linked a few docs I found on my travels that you have probably seen but may help others in the future:
How to configure the PIX Firewall to support FTP over SSL - Ciscowiki
Using FTP Over SSL : FTP 7 for IIS 7.0 : Publishing Content to Web Sites : The Official Microsoft IIS Site
Alan Engel: I just solved a similar problem by disabling IPv6 on the server. The PIX was giving SYN timeouts in response to IExplorer traffic. It also would not allow pinging, even though other W2K servers and XP computers on the network could ping through.
How do I disable IPv6 in Windows Vista and Windows Server 2008? - Windows Live
Disable IPv6 in Windows Server 2008 Full & Core installation | Windows Reference
msteinhilber: Did you enter the external IP address of your firewall in IIS so the passive connections don't try to connect to the internal IP?
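As an added example (not code from the thread or from Microsoft/Cisco), a small Python check for what msteinhilber is asking about: it decodes the h1,h2,h3,h4,p1,p2 tuple carried by a PORT command or a 227 passive-mode reply and verifies that the address the server advertises is the firewall's public IP and that the port falls inside the 4000-4005 range opened in the ftps service group. Because the control channel is encrypted after AUTH SSL, the PIX cannot rewrite that tuple, so the server itself must get it right. The public IP and the 227 replies are constructed placeholders; the PORT line is the one from the working inside session above.

```python
import re

# Constructed values standing in for the thread's [OUTSIDE IP] and the
# 4000-4005 range set in IIS "FTP Firewall Support" / the PIX ftps group.
PUBLIC_IP = "203.0.113.10"
PASV_PORTS = range(4000, 4006)

TUPLE_RE = re.compile(r"(\d{1,3}(?:,\d{1,3}){5})")


def decode_host_port(six_tuple):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT commands and 227 replies."""
    nums = [int(x) for x in six_tuple.split(",")]
    if len(nums) != 6 or any(n > 255 for n in nums):
        raise ValueError("malformed address tuple: %r" % six_tuple)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]   # p1*256 + p2
    return host, port


def check_pasv_reply(line, public_ip=PUBLIC_IP, allowed=PASV_PORTS):
    """Judge a 227 reply the way an outside client (and the PIX ACL) sees it.

    After AUTH SSL the PIX cannot inspect or rewrite this reply, so the
    server must advertise the public IP and a port the ACL already permits.
    Returns (ok, reason).
    """
    if not line.startswith("227"):
        return False, "not a 227 Entering Passive Mode reply"
    m = TUPLE_RE.search(line)
    if not m:
        return False, "227 reply carries no address tuple"
    host, port = decode_host_port(m.group(1))
    if host != public_ip:
        return False, "advertised %s; outside clients need %s" % (host, public_ip)
    if port not in allowed:
        return False, "port %d is outside the opened passive range" % port
    return True, "data channel %s:%d passes the ACL" % (host, port)


if __name__ == "__main__":
    # The PORT line from the working inside session in the thread.
    print(decode_host_port("192,168,4,12,69,87"))
    # Constructed 227 replies: good, private address leaked, port out of range.
    for reply in ("227 Entering Passive Mode (203,0,113,10,15,162).",
                  "227 Entering Passive Mode (192,168,4,12,15,162).",
                  "227 Entering Passive Mode (203,0,113,10,15,170)."):
        print(check_pasv_reply(reply))
```

The inside session's PORT command (active mode) asks the server to connect back to the client's private address, which is the other reason an active-mode transfer cannot work from outside the NAT.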