Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Computing > Cisco > SFTP problem - Something in my ASA?

Reply
Thread Tools

SFTP problem - Something in my ASA?

 
 
K.J. 44
Guest
Posts: n/a
 
      01-05-2007
Hi,

I have opened port 22 in my firewall and am trying to connect to an
SFTP server. When I connect (using WinSCP3) and sniff with ethereal, I
can see three syn packets coming out and one response from the server
that is RST-ACK. I am not sure what is going on. All the client says
is "Network error: Connection Timed Out"

Thanks for any suggestions.

 
Reply With Quote
 
 
 
 
Wil Schultz
Guest
Posts: n/a
 
      01-06-2007
K.J. 44 wrote:
> Hi,
>
> I have opened port 22 in my firewall and am trying to connect to an
> SFTP server. When I connect (using WinSCP3) and sniff with ethereal, I
> can see three syn packets coming out and one response from the server
> that is RST-ACK. I am not sure what is going on. All the client says
> is "Network error: Connection Timed Out"
>
> Thanks for any suggestions.
>


You must have an error in your config, you should correct the error.

-Wil

 
Reply With Quote
 
 
 
 
Doc
Guest
Posts: n/a
 
      01-06-2007
Wil Schultz wrote:
> K.J. 44 wrote:
>> Hi,
>>
>> I have opened port 22 in my firewall and am trying to connect to an
>> SFTP server. When I connect (using WinSCP3) and sniff with ethereal, I
>> can see three syn packets coming out and one response from the server
>> that is RST-ACK. I am not sure what is going on. All the client says
>> is "Network error: Connection Timed Out"
>>
>> Thanks for any suggestions.
>>

>
> You must have an error in your config, you should correct the error.
>
> -Wil
>

ambiguous there
 
Reply With Quote
 
Wil Schultz
Guest
Posts: n/a
 
      01-06-2007
Doc wrote:
> Wil Schultz wrote:
>> K.J. 44 wrote:
>>> Hi,
>>>
>>> I have opened port 22 in my firewall and am trying to connect to an
>>> SFTP server. When I connect (using WinSCP3) and sniff with ethereal, I
>>> can see three syn packets coming out and one response from the server
>>> that is RST-ACK. I am not sure what is going on. All the client says
>>> is "Network error: Connection Timed Out"
>>>
>>> Thanks for any suggestions.
>>>

>>
>> You must have an error in your config, you should correct the error.
>>
>> -Wil
>>

> ambiguous there


With the amount of information that was given to help resolve, this
seemed like a reasonable answer. Okay, I'll try to be more helpful

Is there a proper static in place to go with the SSH rule and do you see
log entries that point toward the problem? Is this working while not
traversing the PIX? Possibly a sanitized portion of the config can be
posted.

-Wil
 
Reply With Quote
 
Brian V
Guest
Posts: n/a
 
      01-06-2007

"Doc" <(E-Mail Removed)> wrote in message
news:KYPnh.9286$(E-Mail Removed) t...
> Wil Schultz wrote:
>> K.J. 44 wrote:
>>> Hi,
>>>
>>> I have opened port 22 in my firewall and am trying to connect to an
>>> SFTP server. When I connect (using WinSCP3) and sniff with ethereal, I
>>> can see three syn packets coming out and one response from the server
>>> that is RST-ACK. I am not sure what is going on. All the client says
>>> is "Network error: Connection Timed Out"
>>>
>>> Thanks for any suggestions.
>>>

>>
>> You must have an error in your config, you should correct the error.
>>
>> -Wil
>>

> ambiguous there


I just ran in to this at a customers last night. Took hours of
troubleshooting and I cannot believe the fix also have no idea how it could
possibly related to SFTP. I verified this in a lab environment, same exact
results. Very simply, remove the "inspect skinny" from your inspection
policy, hopefully you are not running cisco voice thru the ASA and need that
inspect.

-Brian


 
Reply With Quote
 
none
Guest
Posts: n/a
 
      01-09-2007
On Sat, 06 Jan 2007 12:55:37 -0500, Brian V wrote:

>
> "Doc" <(E-Mail Removed)> wrote in message
> news:KYPnh.9286$(E-Mail Removed) t...
>> Wil Schultz wrote:
>>> K.J. 44 wrote:
>>>> Hi,
>>>>
>>>> I have opened port 22 in my firewall and am trying to connect to an
>>>> SFTP server. When I connect (using WinSCP3) and sniff with ethereal, I
>>>> can see three syn packets coming out and one response from the server
>>>> that is RST-ACK. I am not sure what is going on. All the client says
>>>> is "Network error: Connection Timed Out"
>>>>
>>>> Thanks for any suggestions.
>>>>
>>>
>>> You must have an error in your config, you should correct the error.
>>>
>>> -Wil
>>>

>> ambiguous there

>
> I just ran in to this at a customers last night. Took hours of
> troubleshooting and I cannot believe the fix also have no idea how it could
> possibly related to SFTP. I verified this in a lab environment, same exact
> results. Very simply, remove the "inspect skinny" from your inspection
> policy, hopefully you are not running cisco voice thru the ASA and need that
> inspect.
>
> -Brian


Really - Per the following it can't be done.

http://www.cisco.com/en/US/products/...80094874.shtml


Q. Is SFTP supported through the PIX?

A. No. In a typical FTP connection, either the client or the server must tell the other what port to use for data transfer. The PIX is able to inspect this conversation and open that port. However, with SFTP this conversation is encrypted and the PIX is unable to determine what ports to open and the SFTP connection ultimately fails.

One possible workaround in this situation is to use an SFTP client
that supports the use of a "clear data channel." With this option
enabled, the PIX should be able to determine what port needs to be
opened.

 
Reply With Quote
 
Brian V
Guest
Posts: n/a
 
      01-09-2007

"none" <(E-Mail Removed)> wrote in message
news(E-Mail Removed)...
> On Sat, 06 Jan 2007 12:55:37 -0500, Brian V wrote:
>
>>
>> "Doc" <(E-Mail Removed)> wrote in message
>> news:KYPnh.9286$(E-Mail Removed) t...
>>> Wil Schultz wrote:
>>>> K.J. 44 wrote:
>>>>> Hi,
>>>>>
>>>>> I have opened port 22 in my firewall and am trying to connect to an
>>>>> SFTP server. When I connect (using WinSCP3) and sniff with ethereal,
>>>>> I
>>>>> can see three syn packets coming out and one response from the server
>>>>> that is RST-ACK. I am not sure what is going on. All the client
>>>>> says
>>>>> is "Network error: Connection Timed Out"
>>>>>
>>>>> Thanks for any suggestions.
>>>>>
>>>>
>>>> You must have an error in your config, you should correct the error.
>>>>
>>>> -Wil
>>>>
>>> ambiguous there

>>
>> I just ran in to this at a customers last night. Took hours of
>> troubleshooting and I cannot believe the fix also have no idea how it
>> could
>> possibly related to SFTP. I verified this in a lab environment, same
>> exact
>> results. Very simply, remove the "inspect skinny" from your inspection
>> policy, hopefully you are not running cisco voice thru the ASA and need
>> that
>> inspect.
>>
>> -Brian

>
> Really - Per the following it can't be done.
>
> http://www.cisco.com/en/US/products/...80094874.shtml
>
>
> Q. Is SFTP supported through the PIX?
>
> A. No. In a typical FTP connection, either the client or the server
> must tell the other what port to use for data transfer. The PIX is able to
> inspect this conversation and open that port. However, with SFTP this
> conversation is encrypted and the PIX is unable to determine what ports to
> open and the SFTP connection ultimately fails.
>
> One possible workaround in this situation is to use an SFTP client
> that supports the use of a "clear data channel." With this option
> enabled, the PIX should be able to determine what port needs to be
> opened.
>


That is for clientless SFTP which atleast around here is very rarely used.

-Brian


 
Reply With Quote
 
K.J. 44
Guest
Posts: n/a
 
      01-09-2007

Brian V wrote:
> "none" <(E-Mail Removed)> wrote in message
> news(E-Mail Removed)...
> > On Sat, 06 Jan 2007 12:55:37 -0500, Brian V wrote:
> >
> >>
> >> "Doc" <(E-Mail Removed)> wrote in message
> >> news:KYPnh.9286$(E-Mail Removed) t...
> >>> Wil Schultz wrote:
> >>>> K.J. 44 wrote:
> >>>>> Hi,
> >>>>>
> >>>>> I have opened port 22 in my firewall and am trying to connect to an
> >>>>> SFTP server. When I connect (using WinSCP3) and sniff with ethereal,
> >>>>> I
> >>>>> can see three syn packets coming out and one response from the server
> >>>>> that is RST-ACK. I am not sure what is going on. All the client
> >>>>> says
> >>>>> is "Network error: Connection Timed Out"
> >>>>>
> >>>>> Thanks for any suggestions.
> >>>>>
> >>>>
> >>>> You must have an error in your config, you should correct the error.
> >>>>
> >>>> -Wil
> >>>>
> >>> ambiguous there
> >>
> >> I just ran in to this at a customers last night. Took hours of
> >> troubleshooting and I cannot believe the fix also have no idea how it
> >> could
> >> possibly related to SFTP. I verified this in a lab environment, same
> >> exact
> >> results. Very simply, remove the "inspect skinny" from your inspection
> >> policy, hopefully you are not running cisco voice thru the ASA and need
> >> that
> >> inspect.
> >>
> >> -Brian

> >
> > Really - Per the following it can't be done.
> >
> > http://www.cisco.com/en/US/products/...80094874.shtml
> >
> >
> > Q. Is SFTP supported through the PIX?
> >
> > A. No. In a typical FTP connection, either the client or the server
> > must tell the other what port to use for data transfer. The PIX is able to
> > inspect this conversation and open that port. However, with SFTP this
> > conversation is encrypted and the PIX is unable to determine what ports to
> > open and the SFTP connection ultimately fails.
> >
> > One possible workaround in this situation is to use an SFTP client
> > that supports the use of a "clear data channel." With this option
> > enabled, the PIX should be able to determine what port needs to be
> > opened.
> >

>
> That is for clientless SFTP which atleast around here is very rarely used.
>
> -Brian


Why would this occur at all? Isn't SFTP a single port service?
Doesn't it simply use port 22? If that is the case, if port 22 was
open why would the pix stop it at all? If it was encrypted it wouldn't
see what kind of traffic it is and would see it going on port 22 and
let it through if that was opened???

 
Reply With Quote
 
Lutz Donnerhacke
Guest
Posts: n/a
 
      01-09-2007
* K.J. 44 wrote:
> Why would this occur at all? Isn't SFTP a single port service?


There are several versions of enhanced FTP out there and usually confused in
any possible way. The three most common variants are SFTP, FTPS, and
Secure-FTP.

SFTP and Secure-FTP use the normal FTP Protocol (and Port incl. Port
allocation schema), but optionally encrypt the command channel and/or the
data channels.

SFTP uses Stunnel(aka SSL) for each type of FTP-communication channel.
Secure-FTP is braindead and broken.

FTPS is an SSH application similar to SCP. FTPS is much more featured than
SCP.

Only FTPS can pass the PIX.

In order to pass SFTP or Secure-FTP through a PIX you need:
- Set passive mode on the client.
- Create an access-list matching all TCP traffic to the server.
- Use this access-list to inhibit any inspection.
- PAT all data to this server.

If you like to use active mode, you need a 1:1 NAT for your inside addresses.

Have fun.
 
Reply With Quote
 
K.J. 44
Guest
Posts: n/a
 
      01-10-2007

Lutz Donnerhacke wrote:
> * K.J. 44 wrote:
> > Why would this occur at all? Isn't SFTP a single port service?

>
> There are several versions of enhanced FTP out there and usually confused in
> any possible way. The three most common variants are SFTP, FTPS, and
> Secure-FTP.
>
> SFTP and Secure-FTP use the normal FTP Protocol (and Port incl. Port
> allocation schema), but optionally encrypt the command channel and/or the
> data channels.
>
> SFTP uses Stunnel(aka SSL) for each type of FTP-communication channel.
> Secure-FTP is braindead and broken.
>
> FTPS is an SSH application similar to SCP. FTPS is much more featured than
> SCP.
>
> Only FTPS can pass the PIX.
>
> In order to pass SFTP or Secure-FTP through a PIX you need:
> - Set passive mode on the client.
> - Create an access-list matching all TCP traffic to the server.
> - Use this access-list to inhibit any inspection.
> - PAT all data to this server.
>
> If you like to use active mode, you need a 1:1 NAT for your inside addresses.
>
> Have fun.


I did not realize there were so many different flavors. Well, the
company I am trying to connect to told me it was an SFTP connection,
however, there server is named ftps. What client should I use to
connect to a FTPS connection? I am currently using WinSCP but getting
that network error. I see 3 SYN packets headed to the IP of the server
on port 22 but I only get a RST-ACK back from the server. Perhaps they
are using one of the other flavors while I am trying to connect to FTPS
on port 22? Maybe that is why the server responds with a RST-ACK? But
if that was the case I would assume that the server would not respond
at all.

THanks for your help.

 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Failed connection to sftp server via Net::SFTP Kevin13 Perl Misc 3 12-01-2009 09:15 PM
Net::SFTP Fails, sftp OK MaggotChild Perl Misc 2 10-29-2009 11:01 AM
sftp problem! sa6113 Python 4 10-06-2008 08:02 AM
Re: twisted: problem with sftp-client Jean-Paul Calderone Python 0 01-23-2008 03:31 PM
twisted: problem with sftp-client Kristian Domke Python 0 01-23-2008 02:43 PM



Advertisments