SFTP problem - Something in my ASA?

Discussion in 'Cisco' started by K.J. 44, Jan 5, 2007.

  1. K.J. 44

    K.J. 44 Guest


    I have opened port 22 in my firewall and am trying to connect to an
    SFTP server. When I connect (using WinSCP3) and sniff with ethereal, I
    can see three syn packets coming out and one response from the server
    that is RST-ACK. I am not sure what is going on. All the client says
    is "Network error: Connection Timed Out"

    Thanks for any suggestions.
    K.J. 44, Jan 5, 2007
    1. Advertisements

  2. K.J. 44

    Wil Schultz Guest

    You must have an error in your config, you should correct the error.

    Wil Schultz, Jan 6, 2007
    1. Advertisements

  3. K.J. 44

    Doc Guest

    ambiguous there
    Doc, Jan 6, 2007
  4. K.J. 44

    Wil Schultz Guest

    With the amount of information that was given to help resolve, this
    seemed like a reasonable answer. Okay, I'll try to be more helpful :)

    Is there a proper static in place to go with the SSH rule and do you see
    log entries that point toward the problem? Is this working while not
    traversing the PIX? Possibly a sanitized portion of the config can be

    Wil Schultz, Jan 6, 2007
  5. K.J. 44

    Brian V Guest

    I just ran in to this at a customers last night. Took hours of
    troubleshooting and I cannot believe the fix also have no idea how it could
    possibly related to SFTP. I verified this in a lab environment, same exact
    results. Very simply, remove the "inspect skinny" from your inspection
    policy, hopefully you are not running cisco voice thru the ASA and need that

    Brian V, Jan 6, 2007
  6. K.J. 44

    none Guest

    Really - Per the following it can't be done.


    Q. Is SFTP supported through the PIX?

    A. No. In a typical FTP connection, either the client or the server must tell the other what port to use for data transfer. The PIX is able to inspect this conversation and open that port. However, with SFTP this conversation is encrypted and the PIX is unable to determine what ports to open and the SFTP connection ultimately fails.

    One possible workaround in this situation is to use an SFTP client
    that supports the use of a "clear data channel." With this option
    enabled, the PIX should be able to determine what port needs to be
    none, Jan 9, 2007
  7. K.J. 44

    Brian V Guest

    That is for clientless SFTP which atleast around here is very rarely used.

    Brian V, Jan 9, 2007
  8. K.J. 44

    K.J. 44 Guest

    Why would this occur at all? Isn't SFTP a single port service?
    Doesn't it simply use port 22? If that is the case, if port 22 was
    open why would the pix stop it at all? If it was encrypted it wouldn't
    see what kind of traffic it is and would see it going on port 22 and
    let it through if that was opened???
    K.J. 44, Jan 9, 2007
  9. There are several versions of enhanced FTP out there and usually confused in
    any possible way. The three most common variants are SFTP, FTPS, and

    SFTP and Secure-FTP use the normal FTP Protocol (and Port incl. Port
    allocation schema), but optionally encrypt the command channel and/or the
    data channels.

    SFTP uses Stunnel(aka SSL) for each type of FTP-communication channel.
    Secure-FTP is braindead and broken.

    FTPS is an SSH application similar to SCP. FTPS is much more featured than

    Only FTPS can pass the PIX.

    In order to pass SFTP or Secure-FTP through a PIX you need:
    - Set passive mode on the client.
    - Create an access-list matching all TCP traffic to the server.
    - Use this access-list to inhibit any inspection.
    - PAT all data to this server.

    If you like to use active mode, you need a 1:1 NAT for your inside addresses.

    Have fun.
    Lutz Donnerhacke, Jan 9, 2007
  10. K.J. 44

    K.J. 44 Guest

    I did not realize there were so many different flavors. Well, the
    company I am trying to connect to told me it was an SFTP connection,
    however, there server is named ftps. What client should I use to
    connect to a FTPS connection? I am currently using WinSCP but getting
    that network error. I see 3 SYN packets headed to the IP of the server
    on port 22 but I only get a RST-ACK back from the server. Perhaps they
    are using one of the other flavors while I am trying to connect to FTPS
    on port 22? Maybe that is why the server responds with a RST-ACK? But
    if that was the case I would assume that the server would not respond
    at all.

    THanks for your help.
    K.J. 44, Jan 10, 2007
  11. Ask them.
    This are not flavors, this are completely different protocols. You are
    right, they use an other protocol.
    Lutz Donnerhacke, Jan 10, 2007
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.