SFTP problem - Something in my ASA?

Discussion in 'Cisco' started by K.J. 44, Jan 5, 2007.

  1. K.J. 44

    K.J. 44 Guest

    Hi,

    I have opened port 22 in my firewall and am trying to connect to an
    SFTP server. When I connect (using WinSCP3) and sniff with ethereal, I
    can see three syn packets coming out and one response from the server
    that is RST-ACK. I am not sure what is going on. All the client says
    is "Network error: Connection Timed Out"

    Thanks for any suggestions.
     
    K.J. 44, Jan 5, 2007
    #1

  2. Wil Schultz

    Wil Schultz Guest

    K.J. 44 wrote:
    > Hi,
    >
    > I have opened port 22 in my firewall and am trying to connect to an
    > SFTP server. When I connect (using WinSCP3) and sniff with ethereal, I
    > can see three syn packets coming out and one response from the server
    > that is RST-ACK. I am not sure what is going on. All the client says
    > is "Network error: Connection Timed Out"
    >
    > Thanks for any suggestions.
    >


    You must have an error in your config, you should correct the error.

    -Wil
     
    Wil Schultz, Jan 6, 2007
    #2

  3. Doc

    Doc Guest

    Wil Schultz wrote:
    > K.J. 44 wrote:
    >> Hi,
    >>
    >> I have opened port 22 in my firewall and am trying to connect to an
    >> SFTP server. When I connect (using WinSCP3) and sniff with ethereal, I
    >> can see three syn packets coming out and one response from the server
    >> that is RST-ACK. I am not sure what is going on. All the client says
    >> is "Network error: Connection Timed Out"
    >>
    >> Thanks for any suggestions.
    >>

    >
    > You must have an error in your config, you should correct the error.
    >
    > -Wil
    >

    ambiguous there
     
    Doc, Jan 6, 2007
    #3
  4. Wil Schultz

    Wil Schultz Guest

    Doc wrote:
    > Wil Schultz wrote:
    >> K.J. 44 wrote:
    >>> Hi,
    >>>
    >>> I have opened port 22 in my firewall and am trying to connect to an
    >>> SFTP server. When I connect (using WinSCP3) and sniff with ethereal, I
    >>> can see three syn packets coming out and one response from the server
    >>> that is RST-ACK. I am not sure what is going on. All the client says
    >>> is "Network error: Connection Timed Out"
    >>>
    >>> Thanks for any suggestions.
    >>>

    >>
    >> You must have an error in your config, you should correct the error.
    >>
    >> -Wil
    >>

    > ambiguous there


    With the amount of information that was given to help resolve, this
    seemed like a reasonable answer. Okay, I'll try to be more helpful :)

    Is there a proper static in place to go with the SSH rule and do you see
    log entries that point toward the problem? Is this working while not
    traversing the PIX? Possibly a sanitized portion of the config can be
    posted.

    -Wil
     
    Wil Schultz, Jan 6, 2007
    #4
  5. Brian V

    Brian V Guest

    "Doc" <> wrote in message
    news:KYPnh.9286$...
    > Wil Schultz wrote:
    >> K.J. 44 wrote:
    >>> Hi,
    >>>
    >>> I have opened port 22 in my firewall and am trying to connect to an
    >>> SFTP server. When I connect (using WinSCP3) and sniff with ethereal, I
    >>> can see three syn packets coming out and one response from the server
    >>> that is RST-ACK. I am not sure what is going on. All the client says
    >>> is "Network error: Connection Timed Out"
    >>>
    >>> Thanks for any suggestions.
    >>>

    >>
    >> You must have an error in your config, you should correct the error.
    >>
    >> -Wil
    >>

    > ambiguous there


    I just ran into this at a customer's last night. Took hours of
    troubleshooting, and I cannot believe the fix; I also have no idea how it
    could possibly be related to SFTP. I verified this in a lab environment, same
    exact results. Very simply, remove the "inspect skinny" from your inspection
    policy; hopefully you are not running Cisco voice through the ASA and need that
    inspect.

    -Brian
     
    Brian V, Jan 6, 2007
    #5
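    Brian's fix expressed as ASA configuration, shown here as an added example rather than a configuration from the thread. It assumes the default policy name `global_policy` and class `inspection_default` that ASA software creates, and the "before" excerpt is constructed to show where `inspect skinny` sits; check your own device with `show running-config policy-map` first, and keep the inspection if Cisco voice (SCCP) traffic crosses the firewall.

    ```text
    ! Before (constructed excerpt of a default ASA inspection policy):
    policy-map global_policy
     class inspection_default
      inspect ftp
      inspect h323 h225
      inspect sip
      inspect skinny

    ! After: remove SCCP (skinny) inspection only if no Cisco voice traffic needs it
    configure terminal
    policy-map global_policy
     class inspection_default
      no inspect skinny
    end

    ! Verify the inspection is gone and that the policy is still applied globally
    show running-config policy-map
    show service-policy
    ```

    Removing a single `inspect` line leaves the other inspections in the class untouched; re-test the port 22 connection afterwards, and if it still fails, the next step is the sanitized config and the ASA log entries Wil asked for.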
  6. none

    none Guest

    On Sat, 06 Jan 2007 12:55:37 -0500, Brian V wrote:

    >
    > "Doc" <> wrote in message
    > news:KYPnh.9286$...
    >> Wil Schultz wrote:
    >>> K.J. 44 wrote:
    >>>> Hi,
    >>>>
    >>>> I have opened port 22 in my firewall and am trying to connect to an
    >>>> SFTP server. When I connect (using WinSCP3) and sniff with ethereal, I
    >>>> can see three syn packets coming out and one response from the server
    >>>> that is RST-ACK. I am not sure what is going on. All the client says
    >>>> is "Network error: Connection Timed Out"
    >>>>
    >>>> Thanks for any suggestions.
    >>>>
    >>>
    >>> You must have an error in your config, you should correct the error.
    >>>
    >>> -Wil
    >>>

    >> ambiguous there

    >
    > I just ran into this at a customer's last night. Took hours of
    > troubleshooting, and I cannot believe the fix; I also have no idea how it
    > could possibly be related to SFTP. I verified this in a lab environment, same
    > exact results. Very simply, remove the "inspect skinny" from your inspection
    > policy; hopefully you are not running Cisco voice through the ASA and need that
    > inspect.
    >
    > -Brian


    Really - Per the following it can't be done.

    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a0080094874.shtml


    Q. Is SFTP supported through the PIX?

    A. No. In a typical FTP connection, either the client or the server must tell the other what port to use for data transfer. The PIX is able to inspect this conversation and open that port. However, with SFTP this conversation is encrypted and the PIX is unable to determine what ports to open and the SFTP connection ultimately fails.

    One possible workaround in this situation is to use an SFTP client
    that supports the use of a "clear data channel." With this option
    enabled, the PIX should be able to determine what port needs to be
    opened.
     
    none, Jan 9, 2007
    #6
  7. Brian V

    Brian V Guest

    "none" <> wrote in message
    news:p...
    > On Sat, 06 Jan 2007 12:55:37 -0500, Brian V wrote:
    >
    >>
    >> "Doc" <> wrote in message
    >> news:KYPnh.9286$...
    >>> Wil Schultz wrote:
    >>>> K.J. 44 wrote:
    >>>>> Hi,
    >>>>>
    >>>>> I have opened port 22 in my firewall and am trying to connect to an
    >>>>> SFTP server. When I connect (using WinSCP3) and sniff with ethereal,
    >>>>> I
    >>>>> can see three syn packets coming out and one response from the server
    >>>>> that is RST-ACK. I am not sure what is going on. All the client
    >>>>> says
    >>>>> is "Network error: Connection Timed Out"
    >>>>>
    >>>>> Thanks for any suggestions.
    >>>>>
    >>>>
    >>>> You must have an error in your config, you should correct the error.
    >>>>
    >>>> -Wil
    >>>>
    >>> ambiguous there

    >>
    >> I just ran into this at a customer's last night. Took hours of
    >> troubleshooting, and I cannot believe the fix; I also have no idea how it
    >> could possibly be related to SFTP. I verified this in a lab environment,
    >> same exact results. Very simply, remove the "inspect skinny" from your
    >> inspection policy; hopefully you are not running Cisco voice through the
    >> ASA and need that inspect.
    >>
    >> -Brian

    >
    > Really - Per the following it can't be done.
    >
    > http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a0080094874.shtml
    >
    >
    > Q. Is SFTP supported through the PIX?
    >
    > A. No. In a typical FTP connection, either the client or the server
    > must tell the other what port to use for data transfer. The PIX is able to
    > inspect this conversation and open that port. However, with SFTP this
    > conversation is encrypted and the PIX is unable to determine what ports to
    > open and the SFTP connection ultimately fails.
    >
    > One possible workaround in this situation is to use an SFTP client
    > that supports the use of a "clear data channel." With this option
    > enabled, the PIX should be able to determine what port needs to be
    > opened.
    >


    That is for clientless SFTP, which at least around here is very rarely used.

    -Brian
     
    Brian V, Jan 9, 2007
    #7
  8. K.J. 44

    K.J. 44 Guest

    Brian V wrote:
    > "none" <> wrote in message
    > news:p...
    > > On Sat, 06 Jan 2007 12:55:37 -0500, Brian V wrote:
    > >
    > >>
    > >> "Doc" <> wrote in message
    > >> news:KYPnh.9286$...
    > >>> Wil Schultz wrote:
    > >>>> K.J. 44 wrote:
    > >>>>> Hi,
    > >>>>>
    > >>>>> I have opened port 22 in my firewall and am trying to connect to an
    > >>>>> SFTP server. When I connect (using WinSCP3) and sniff with ethereal,
    > >>>>> I
    > >>>>> can see three syn packets coming out and one response from the server
    > >>>>> that is RST-ACK. I am not sure what is going on. All the client
    > >>>>> says
    > >>>>> is "Network error: Connection Timed Out"
    > >>>>>
    > >>>>> Thanks for any suggestions.
    > >>>>>
    > >>>>
    > >>>> You must have an error in your config, you should correct the error.
    > >>>>
    > >>>> -Wil
    > >>>>
    > >>> ambiguous there
    > >>
    > >> I just ran into this at a customer's last night. Took hours of
    > >> troubleshooting, and I cannot believe the fix; I also have no idea how it
    > >> could possibly be related to SFTP. I verified this in a lab environment,
    > >> same exact results. Very simply, remove the "inspect skinny" from your
    > >> inspection policy; hopefully you are not running Cisco voice through the
    > >> ASA and need that inspect.
    > >>
    > >> -Brian

    > >
    > > Really - Per the following it can't be done.
    > >
    > > http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a0080094874.shtml
    > >
    > >
    > > Q. Is SFTP supported through the PIX?
    > >
    > > A. No. In a typical FTP connection, either the client or the server
    > > must tell the other what port to use for data transfer. The PIX is able to
    > > inspect this conversation and open that port. However, with SFTP this
    > > conversation is encrypted and the PIX is unable to determine what ports to
    > > open and the SFTP connection ultimately fails.
    > >
    > > One possible workaround in this situation is to use an SFTP client
    > > that supports the use of a "clear data channel." With this option
    > > enabled, the PIX should be able to determine what port needs to be
    > > opened.
    > >

    >
    > That is for clientless SFTP, which at least around here is very rarely used.
    >
    > -Brian


    Why would this occur at all? Isn't SFTP a single port service?
    Doesn't it simply use port 22? If that is the case, if port 22 was
    open why would the pix stop it at all? If it was encrypted it wouldn't
    see what kind of traffic it is and would see it going on port 22 and
    let it through if that was opened???
     
    K.J. 44, Jan 9, 2007
    #8
  9. Lutz Donnerhacke

    * K.J. 44 wrote:
    > Why would this occur at all? Isn't SFTP a single port service?


    There are several versions of enhanced FTP out there, and they are usually
    confused in every possible way. The three most common variants are SFTP, FTPS,
    and Secure-FTP.

    SFTP and Secure-FTP use the normal FTP protocol (and port, including the port
    allocation scheme), but optionally encrypt the command channel and/or the
    data channels.

    SFTP uses Stunnel (aka SSL) for each type of FTP communication channel.
    Secure-FTP is braindead and broken.

    FTPS is an SSH application similar to SCP. FTPS has many more features than
    SCP.

    Only FTPS can pass the PIX.

    To pass SFTP or Secure-FTP through a PIX you need to:
    - Set passive mode on the client.
    - Create an access-list matching all TCP traffic to the server.
    - Use this access-list to inhibit any inspection.
    - PAT all data to this server.

    If you want to use active mode, you need a 1:1 NAT for your inside addresses.

    Have fun.
     
    Lutz Donnerhacke, Jan 9, 2007
    #9
  10. K.J. 44

    K.J. 44 Guest

    Lutz Donnerhacke wrote:
    > * K.J. 44 wrote:
    > > Why would this occur at all? Isn't SFTP a single port service?

    >
    > There are several versions of enhanced FTP out there, and they are usually
    > confused in every possible way. The three most common variants are SFTP, FTPS,
    > and Secure-FTP.
    >
    > SFTP and Secure-FTP use the normal FTP protocol (and port, including the port
    > allocation scheme), but optionally encrypt the command channel and/or the
    > data channels.
    >
    > SFTP uses Stunnel (aka SSL) for each type of FTP communication channel.
    > Secure-FTP is braindead and broken.
    >
    > FTPS is an SSH application similar to SCP. FTPS has many more features than
    > SCP.
    >
    > Only FTPS can pass the PIX.
    >
    > To pass SFTP or Secure-FTP through a PIX you need to:
    > - Set passive mode on the client.
    > - Create an access-list matching all TCP traffic to the server.
    > - Use this access-list to inhibit any inspection.
    > - PAT all data to this server.
    >
    > If you want to use active mode, you need a 1:1 NAT for your inside addresses.
    >
    > Have fun.


    I did not realize there were so many different flavors. Well, the
    company I am trying to connect to told me it was an SFTP connection;
    however, their server is named ftps. What client should I use to
    connect to an FTPS connection? I am currently using WinSCP but getting
    that network error. I see 3 SYN packets headed to the IP of the server
    on port 22, but I only get a RST-ACK back from the server. Perhaps they
    are using one of the other flavors while I am trying to connect to FTPS
    on port 22? Maybe that is why the server responds with a RST-ACK? But
    if that were the case I would assume that the server would not respond
    at all.

    Thanks for your help.
     
    K.J. 44, Jan 10, 2007
    #10
  11. Lutz Donnerhacke

    * K.J. 44 wrote:
    > company I am trying to connect to told me it was an SFTP connection;
    > however, their server is named ftps. What client should I use to
    > connect to an FTPS connection?


    Ask them.

    > I am currently using WinSCP but getting that network error. Perhaps they
    > are using one of the other flavors while I am trying to connect to FTPS
    > on port 22?


    These are not flavors; these are completely different protocols. You are
    right, they use another protocol.
     
    Lutz Donnerhacke, Jan 10, 2007
    #11
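    Two offline checks that answer the questions raised in this thread, written for it as an added example (not code from the thread or from Cisco). The first reads tcpdump-style summary lines like the capture the original poster described (three SYNs out, one RST-ACK back) and says whether the port is open, reset, or silently filtered; a reset answering a SYN can come from the server itself or from a device in the path, which is why the ASA inspection policy is worth checking before blaming the far end. The second looks at the first bytes a listener sends so you can tell what is actually on the port before picking a client: an SSH server (SFTP is an SSH subsystem) greets with `SSH-`, an FTP control channel (where explicit FTPS also starts) greets with a 220 line, and a listener that waits for the client to speak first sends nothing. The capture and banners below are constructed sample data; `grab_banner` is the only part that touches the network.

    ```python
    """Offline TCP-handshake diagnosis and listener-banner identification
    (added example, not the thread's own code)."""
    import re
    import socket
    import sys

    # Constructed sample capture modelled on the original poster's description:
    # three client SYNs to port 22 and a single RST-ACK coming back.
    SAMPLE_CAPTURE = """\
    12:00:00.000 IP 10.0.0.5.49152 > 203.0.113.10.22: Flags [S], seq 1, win 64240
    12:00:03.000 IP 10.0.0.5.49152 > 203.0.113.10.22: Flags [S], seq 1, win 64240
    12:00:09.000 IP 10.0.0.5.49152 > 203.0.113.10.22: Flags [S], seq 1, win 64240
    12:00:09.050 IP 203.0.113.10.22 > 10.0.0.5.49152: Flags [R.], seq 0, ack 2, win 0
    """

    # tcpdump summary line: "IP src.sport > dst.dport: Flags [..]"
    LINE_RE = re.compile(
        r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
        r"Flags \[(?P<flags>[^\]]*)\]"
    )


    def diagnose_handshake(capture, server, port):
        """Classify what happened to TCP connections to server:port.

        tcpdump flag letters: S = SYN, "." = ACK, R = RST, so "S." is SYN-ACK
        and "R." is RST-ACK."""
        syn_out = synack_in = rst_in = 0
        for m in LINE_RE.finditer(capture):
            to_server = m["dst"] == server and int(m["dport"]) == port
            from_server = m["src"] == server and int(m["sport"]) == port
            flags = m["flags"]
            if to_server and flags == "S":
                syn_out += 1
            elif from_server and "S" in flags and "." in flags:
                synack_in += 1
            elif from_server and "R" in flags:
                rst_in += 1
        if synack_in:
            return "open: server completed the handshake"
        if rst_in:
            return "reset: a SYN was answered with RST, by the server or a device in the path"
        if syn_out > 1:
            return "filtered: SYN retransmitted with no reply, traffic is being dropped"
        return "no handshake attempts seen"


    def classify_banner(banner):
        """Identify the service from the first bytes a listener sends."""
        if banner.startswith(b"SSH-"):
            return "ssh"      # SFTP runs as a subsystem of this server (port 22)
        if re.match(rb"\d{3}[ -]", banner):
            return "ftp"      # FTP control-channel greeting; explicit FTPS starts here too
        if not banner:
            return "silent"   # client must speak first, e.g. a TLS listener awaiting ClientHello
        return "unknown"


    def grab_banner(host, port, timeout=5.0):
        """Connect and return whatever the listener sends first (b'' if it waits for us)."""
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                return s.recv(256)
            except socket.timeout:
                return b""


    if __name__ == "__main__":
        # Offline run on the constructed capture, then an optional live banner grab:
        #   python this_script.py <host> <port>
        print(diagnose_handshake(SAMPLE_CAPTURE, "203.0.113.10", 22))
        if len(sys.argv) == 3:
            host, port = sys.argv[1], int(sys.argv[2])
            try:
                banner = grab_banner(host, port)
                print(port, classify_banner(banner), banner[:40])
            except ConnectionRefusedError:
                print(port, "refused: RST received before any data")
            except OSError as exc:
                print(port, "error:", exc)
    ```

    A `reset` verdict with an open port 22 rule points at either the wrong protocol on the far end (an FTP/TLS listener, not SSH) or a stateful device resetting the flow; running the banner grab from a host that does not traverse the firewall, as Wil suggested, separates the two.
    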