«

Hi,

I have opened port 22 in my firewall and am trying to connect to an
SFTP server. When I connect (using WinSCP3) and sniff with ethereal, I
can see three syn packets coming out and one response from the server
that is RST-ACK. I am not sure what is going on. All the client says
is "Network error: Connection Timed Out"

Thanks for any suggestions.

K.J. 44 wrote:
> Hi,
>
> I have opened port 22 in my firewall and am trying to connect to an
> SFTP server. When I connect (using WinSCP3) and sniff with ethereal, I
> can see three syn packets coming out and one response from the server
> that is RST-ACK. I am not sure what is going on. All the client says
> is "Network error: Connection Timed Out"
>
> Thanks for any suggestions.
>

You must have an error in your config, you should correct the error.

-Wil

Wil Schultz wrote:
> K.J. 44 wrote:
>> Hi,
>>
>> I have opened port 22 in my firewall and am trying to connect to an
>> SFTP server. When I connect (using WinSCP3) and sniff with ethereal, I
>> can see three syn packets coming out and one response from the server
>> that is RST-ACK. I am not sure what is going on. All the client says
>> is "Network error: Connection Timed Out"
>>
>> Thanks for any suggestions.
>>
>
> You must have an error in your config, you should correct the error.
>
> -Wil
>
ambiguous there

Doc wrote:
> Wil Schultz wrote:
>> K.J. 44 wrote:
>>> Hi,
>>>
>>> I have opened port 22 in my firewall and am trying to connect to an
>>> SFTP server. When I connect (using WinSCP3) and sniff with ethereal, I
>>> can see three syn packets coming out and one response from the server
>>> that is RST-ACK. I am not sure what is going on. All the client says
>>> is "Network error: Connection Timed Out"
>>>
>>> Thanks for any suggestions.
>>>
>>
>> You must have an error in your config, you should correct the error.
>>
>> -Wil
>>
> ambiguous there

With the amount of information that was given to help resolve, this
seemed like a reasonable answer. Okay, I'll try to be more helpful

Is there a proper static in place to go with the SSH rule and do you see
log entries that point toward the problem? Is this working while not
traversing the PIX? Possibly a sanitized portion of the config can be
posted.

-Wil

"Doc" <> wrote in message
news:KYPnh.9286$ t...
> Wil Schultz wrote:
>> K.J. 44 wrote:
>>> Hi,
>>>
>>> I have opened port 22 in my firewall and am trying to connect to an
>>> SFTP server. When I connect (using WinSCP3) and sniff with ethereal, I
>>> can see three syn packets coming out and one response from the server
>>> that is RST-ACK. I am not sure what is going on. All the client says
>>> is "Network error: Connection Timed Out"
>>>
>>> Thanks for any suggestions.
>>>
>>
>> You must have an error in your config, you should correct the error.
>>
>> -Wil
>>
> ambiguous there

I just ran in to this at a customers last night. Took hours of
troubleshooting and I cannot believe the fix also have no idea how it could
possibly related to SFTP. I verified this in a lab environment, same exact
results. Very simply, remove the "inspect skinny" from your inspection
policy, hopefully you are not running cisco voice thru the ASA and need that
inspect.

-Brian

On Sat, 06 Jan 2007 12:55:37 -0500, Brian V wrote:

>
> "Doc" <> wrote in message
> news:KYPnh.9286$ t...
>> Wil Schultz wrote:
>>> K.J. 44 wrote:
>>>> Hi,
>>>>
>>>> I have opened port 22 in my firewall and am trying to connect to an
>>>> SFTP server. When I connect (using WinSCP3) and sniff with ethereal, I
>>>> can see three syn packets coming out and one response from the server
>>>> that is RST-ACK. I am not sure what is going on. All the client says
>>>> is "Network error: Connection Timed Out"
>>>>
>>>> Thanks for any suggestions.
>>>>
>>>
>>> You must have an error in your config, you should correct the error.
>>>
>>> -Wil
>>>
>> ambiguous there
>
> I just ran in to this at a customers last night. Took hours of
> troubleshooting and I cannot believe the fix also have no idea how it could
> possibly related to SFTP. I verified this in a lab environment, same exact
> results. Very simply, remove the "inspect skinny" from your inspection
> policy, hopefully you are not running cisco voice thru the ASA and need that
> inspect.
>
> -Brian

Really - Per the following it can't be done.

http://www.cisco.com/en/US/products/...80094874.shtml


Q. Is SFTP supported through the PIX?

A. No. In a typical FTP connection, either the client or the server must tell the other what port to use for data transfer. The PIX is able to inspect this conversation and open that port. However, with SFTP this conversation is encrypted and the PIX is unable to determine what ports to open and the SFTP connection ultimately fails.

One possible workaround in this situation is to use an SFTP client
that supports the use of a "clear data channel." With this option
enabled, the PIX should be able to determine what port needs to be
opened.

"none" <> wrote in message
news...
> On Sat, 06 Jan 2007 12:55:37 -0500, Brian V wrote:
>
>>
>> "Doc" <> wrote in message
>> news:KYPnh.9286$ t...
>>> Wil Schultz wrote:
>>>> K.J. 44 wrote:
>>>>> Hi,
>>>>>
>>>>> I have opened port 22 in my firewall and am trying to connect to an
>>>>> SFTP server. When I connect (using WinSCP3) and sniff with ethereal,
>>>>> I
>>>>> can see three syn packets coming out and one response from the server
>>>>> that is RST-ACK. I am not sure what is going on. All the client
>>>>> says
>>>>> is "Network error: Connection Timed Out"
>>>>>
>>>>> Thanks for any suggestions.
>>>>>
>>>>
>>>> You must have an error in your config, you should correct the error.
>>>>
>>>> -Wil
>>>>
>>> ambiguous there
>>
>> I just ran in to this at a customers last night. Took hours of
>> troubleshooting and I cannot believe the fix also have no idea how it
>> could
>> possibly related to SFTP. I verified this in a lab environment, same
>> exact
>> results. Very simply, remove the "inspect skinny" from your inspection
>> policy, hopefully you are not running cisco voice thru the ASA and need
>> that
>> inspect.
>>
>> -Brian
>
> Really - Per the following it can't be done.
>
> http://www.cisco.com/en/US/products/...80094874.shtml
>
>
> Q. Is SFTP supported through the PIX?
>
> A. No. In a typical FTP connection, either the client or the server
> must tell the other what port to use for data transfer. The PIX is able to
> inspect this conversation and open that port. However, with SFTP this
> conversation is encrypted and the PIX is unable to determine what ports to
> open and the SFTP connection ultimately fails.
>
> One possible workaround in this situation is to use an SFTP client
> that supports the use of a "clear data channel." With this option
> enabled, the PIX should be able to determine what port needs to be
> opened.
>

That is for clientless SFTP which atleast around here is very rarely used.

-Brian

Brian V wrote:
> "none" <> wrote in message
> news...
> > On Sat, 06 Jan 2007 12:55:37 -0500, Brian V wrote:
> >
> >>
> >> "Doc" <> wrote in message
> >> news:KYPnh.9286$ t...
> >>> Wil Schultz wrote:
> >>>> K.J. 44 wrote:
> >>>>> Hi,
> >>>>>
> >>>>> I have opened port 22 in my firewall and am trying to connect to an
> >>>>> SFTP server. When I connect (using WinSCP3) and sniff with ethereal,
> >>>>> I
> >>>>> can see three syn packets coming out and one response from the server
> >>>>> that is RST-ACK. I am not sure what is going on. All the client
> >>>>> says
> >>>>> is "Network error: Connection Timed Out"
> >>>>>
> >>>>> Thanks for any suggestions.
> >>>>>
> >>>>
> >>>> You must have an error in your config, you should correct the error.
> >>>>
> >>>> -Wil
> >>>>
> >>> ambiguous there
> >>
> >> I just ran in to this at a customers last night. Took hours of
> >> troubleshooting and I cannot believe the fix also have no idea how it
> >> could
> >> possibly related to SFTP. I verified this in a lab environment, same
> >> exact
> >> results. Very simply, remove the "inspect skinny" from your inspection
> >> policy, hopefully you are not running cisco voice thru the ASA and need
> >> that
> >> inspect.
> >>
> >> -Brian
> >
> > Really - Per the following it can't be done.
> >
> > http://www.cisco.com/en/US/products/...80094874.shtml
> >
> >
> > Q. Is SFTP supported through the PIX?
> >
> > A. No. In a typical FTP connection, either the client or the server
> > must tell the other what port to use for data transfer. The PIX is able to
> > inspect this conversation and open that port. However, with SFTP this
> > conversation is encrypted and the PIX is unable to determine what ports to
> > open and the SFTP connection ultimately fails.
> >
> > One possible workaround in this situation is to use an SFTP client
> > that supports the use of a "clear data channel." With this option
> > enabled, the PIX should be able to determine what port needs to be
> > opened.
> >
>
> That is for clientless SFTP which atleast around here is very rarely used.
>
> -Brian

Why would this occur at all? Isn't SFTP a single port service?
Doesn't it simply use port 22? If that is the case, if port 22 was
open why would the pix stop it at all? If it was encrypted it wouldn't
see what kind of traffic it is and would see it going on port 22 and
let it through if that was opened???

* K.J. 44 wrote:
> Why would this occur at all? Isn't SFTP a single port service?

There are several versions of enhanced FTP out there and usually confused in
any possible way. The three most common variants are SFTP, FTPS, and
Secure-FTP.

SFTP and Secure-FTP use the normal FTP Protocol (and Port incl. Port
allocation schema), but optionally encrypt the command channel and/or the
data channels.

SFTP uses Stunnel(aka SSL) for each type of FTP-communication channel.
Secure-FTP is braindead and broken.

FTPS is an SSH application similar to SCP. FTPS is much more featured than
SCP.

Only FTPS can pass the PIX.

In order to pass SFTP or Secure-FTP through a PIX you need:
- Set passive mode on the client.
- Create an access-list matching all TCP traffic to the server.
- Use this access-list to inhibit any inspection.
- PAT all data to this server.

If you like to use active mode, you need a 1:1 NAT for your inside addresses.

Have fun.

Lutz Donnerhacke wrote:
> * K.J. 44 wrote:
> > Why would this occur at all? Isn't SFTP a single port service?
>
> There are several versions of enhanced FTP out there and usually confused in
> any possible way. The three most common variants are SFTP, FTPS, and
> Secure-FTP.
>
> SFTP and Secure-FTP use the normal FTP Protocol (and Port incl. Port
> allocation schema), but optionally encrypt the command channel and/or the
> data channels.
>
> SFTP uses Stunnel(aka SSL) for each type of FTP-communication channel.
> Secure-FTP is braindead and broken.
>
> FTPS is an SSH application similar to SCP. FTPS is much more featured than
> SCP.
>
> Only FTPS can pass the PIX.
>
> In order to pass SFTP or Secure-FTP through a PIX you need:
> - Set passive mode on the client.
> - Create an access-list matching all TCP traffic to the server.
> - Use this access-list to inhibit any inspection.
> - PAT all data to this server.
>
> If you like to use active mode, you need a 1:1 NAT for your inside addresses.
>
> Have fun.

I did not realize there were so many different flavors. Well, the
company I am trying to connect to told me it was an SFTP connection,
however, there server is named ftps. What client should I use to
connect to a FTPS connection? I am currently using WinSCP but getting
that network error. I see 3 SYN packets headed to the IP of the server
on port 22 but I only get a RST-ACK back from the server. Perhaps they
are using one of the other flavors while I am trying to connect to FTPS
on port 22? Maybe that is why the server responds with a RST-ACK? But
if that was the case I would assume that the server would not respond
at all.

THanks for your help.