Firewall – Cisco ASA inspection of FTPS (FTP explicit SSL/TLS)

cisco-asafirewallftps

I'm trying to configure my Cisco ASA 5505 to open a passive port on behalf of my FTP server. Have anyone tried this when running the FTP connection encrypted (TLS/SSL) ?

The FTP client log reports that everyting is working until the point the client issues PASV (and gets a correct command back) and then issues a "LIST" command.

I guess this means that the ASA have no way to inspect the encrypted traffic ?

Any enlightment to this matter would be very appricated !

Best Answer

Configuring FTPS (either implicit or explicit) to work behind a NAT firewall can be a headache.

You are correct in that the ASA cannot inspect SSL/TLS encrypted traffic. The breakdown occurs when the data channel is being built. Whether in active or passive mode, L3 (IP) and L4 (port) information regarding the data channel are transferred in the FTP/FTPS control channel. With traditional FTP and the ASA's FTP inspection, this data is "inspected" and "fixed" to match the public/outside/whatever interface IP and the ASA dynamically adds a permit ACL to allow the data channel traffic.

With SSL/TLS (as part of FTPS) the ASA cannot see the necessary control channel details to "inspect" or "fix" what is necessary to make the data channel work. As such, you will need to have some added smarts/capability built into the FTPS server application you are using.

Capabilities include the following:

The ability to set the port range sent in the control channel to be used for the data channel as used by passive mode (PASV) clients.
The ability to set the IP address sent in the control channel to be used for the data channel as used by passive mode (PASV) clients.
Lastly, in your firewall, permitting (via nat/static and ACL) the range configured in number 1.

In a Windows environment, Cerberus is a great FTP/FTPS/SFTP server that has the necessary features and functions.

For example:

Say your FTPS server has an inside IP 192.168.1.10 and outside IP 1.1.1.2.

Configure your FTPS server software to use TCP/35000 to TCP/35999 as a range for passive clients.
Configure your FTPS server software to send 1.1.1.2 as the IP for passive clients. Note: Cerberus auto-detects your WAN IP and uses it automatically. Cerberus is also configured by default to not perform this fix for local IP network clients (as it would break them). Cerberus is smart. :)
Configure your ASA to NAT (using static NAT or static PAT range) for TCP/35000 to TCP/35999 (plus TCP/21, TCP/990, etc.)
Configure your ASA to ACL permit TCP/35000 to TCP/35999 to the the FTPS server (plus TCP/21, TCP/990, etc.)

Now when clients connect in from the WAN using implicit or explicit FTPS, the FTPS server will send back the correct WAN IP address (not its private address) and a TCP port in a known range to be used in the data channel. Having specifically NAT'd and ACL permitted the TCP ports, ASA inspection/fixup is not required.

Interesting (lengthy reference on FTP/FTPS/SFTP through firewalls): FTP Through Firewalls

Related Solutions

Cisco ASA: will 7.2 -> 8.2 upgrade break ipsec-ra functionality

The IPSEC access using the Cisco VPN Client will still work after the upgrade.
To be able to use AnyConnect you will need to add some extra configuration.

Cisco ASA – Preventing SMTP Traffic Rewriting on Cisco ASA

When we first set our 5510 up, we had a similar problem and I figured out it was easiest just to disable SMTP packet inspection entirely.

Take a look at what you have for:

yourfirewall# show running-config policy-map

If there's anything about esmtp in there, you can disable it with:

yourfirewall# configure terminal
yourfirewall(config)# policy-map global_policy
yourfirewall(config-pmap)# class inspection_default
yourfirewall(config-pmap-c)# no inspect esmtp

I believe you can do the same in ASDM, by looking in Firewall -> Objects -> Inspect Maps -> ESMTP

Best Answer

Related Solutions

Cisco ASA: will 7.2 -> 8.2 upgrade break ipsec-ra functionality

Cisco ASA – Preventing SMTP Traffic Rewriting on Cisco ASA

Related Topic