Windows Server 2008 FTPS through Cisco PIX 515e

Senior Member, Registered Member
Join Date: Aug 2005 Location: Cleveland, Ohio
Posts: 202
Certifications: HDSCP, MCT, MCSE, MCDBA, CWSP, MCSA, CCNA, CWNA, MCDST, CNST, CIW-A, CWST, CST, A+, Network+, iNet+, Security+

We have a Cisco PIX 515e and we would like to use FTPS in Windows Server 2008. So far we have had difficulty getting traffic through our firewall. We opened a number of ports mentioned in Microsoft documents, but we still cannot establish a connection. Any thoughts?
"You can never know everything and part of what you know is always wrong. Perhaps even the most important part. A portion of wisdom lies in knowing that. A portion of courage lies in going on anyway." - Lan, Winter's Heart by Robert Jordan
Senior Member, Registered Member
Join Date: Nov 2008 Location: GC, Australia
Posts: 105
Certifications: Navini Cert II, III, MCTS, MCITP:SA

I would do the following:
Test via a local computer whether you can establish a connection to the Windows Server via FTP.
This would determine whether the issue is a Cisco-related issue or a Windows-related issue.
Then see if you have any drop logs on the PIX for port 21 (FTP). You should be able to find them if you enable some verbose logging while attempting the connection.
Doing these two things should limit the troubleshooting to finding out where your stoppage is.
If you can't get the Windows server to establish an FTP session, work at the firewall until it can, then re-setup your original connection and test again.
Senior Member, Registered Member
Join Date: Aug 2005 Location: Cleveland, Ohio
Posts: 202
Certifications: HDSCP, MCT, MCSE, MCDBA, CWSP, MCSA, CCNA, CWNA, MCDST, CNST, CIW-A, CWST, CST, A+, Network+, iNet+, Security+

Yes, we are able to connect to it from a host behind the firewall. That is why I am trying to troubleshoot the firewall. Here are my client settings that work on the inside:
Port 21
Connection: AUTH SSL
SSL Options: SSL Listings and SSL Transfer
Windows SSL.
I am using Core FTP Lite.
I try it on the outside and I get "cannot establish connection".
Senior Member, Registered Member
Join Date: Jan 2009
Posts: 227
Certifications: A+, Network +, MCSE 2003, CCNA

Any NAT/port forwarding issues?
Senior Member, Registered Member
Join Date: Aug 2005 Location: Cleveland, Ohio
Posts: 202
Certifications: HDSCP, MCT, MCSE, MCDBA, CWSP, MCSA, CCNA, CWNA, MCDST, CNST, CIW-A, CWST, CST, A+, Network+, iNet+, Security+

I am assuming so, but I do not know how to get around it. I configured the FTP Firewall Support settings to the external IP address with a port range of 4000-4005 in IIS7. I never get past the SSL negotiation from the outside. I assume that I need to change the NAT or ACL on the firewall, but I am not sure what the setting should be. Here is my firewall NAT and ACL with the internal IP changed to [INTERNAL IP] and the outside IP to [OUTSIDE IP]:
static (inside,outside) [OUTSIDE IP] [INTERNAL IP] netmask 255.255.255.255
access-list outside_in extended permit tcp any host [OUTSIDE IP] object-group ftp log
access-list outside_in extended permit tcp any host [OUTSIDE IP] object-group ftps log
I put the ports I wanted to open in the ftps service group. This service group contains 4000-4005, and 989-991. The ftp service group has 20 and 21.
Senior Member, Registered Member
Join Date: Aug 2005 Location: Cleveland, Ohio
Posts: 202
Certifications: HDSCP, MCT, MCSE, MCDBA, CWSP, MCSA, CCNA, CWNA, MCDST, CNST, CIW-A, CWST, CST, A+, Network+, iNet+, Security+

My outside FTP connection that fails looks like this:
connect socket #3728 to [OUTSIDE IP], port 21
220-Microsoft FTP Service
220-Microsoft FTP Service
AUTH SSL
234 AUTH command ok. Expecting TLS Negotiation.
Error reading secure data from the server
No response from server...
The inside one that works looks like this:
Started on Wednesday May 06, 2009 at 11:55:AM
Connect socket #440 to [INSIDE IP], port 21...
220-Microsoft FTP Service
220-Microsoft FTP Service
AUTH SSL
234 AUTH command ok. Expecting TLS Negotiation.
SSLv3 (RC4/SHA), 128 bits
USER [USERNAME]
331 Password required for [USERNAME]. PASS **********
230-Welcome to the Jungle
230 User logged in.
SYST
215 Windows_NT
Keep alive off...
PWD
257 "/" is current directory.
PBSZ 0
200 PBSZ command successful.
PROT P
200 PROT command successful.
PORT 192,168,4,12,69,87
200 PORT command successful.
LIST
Last edited by evanderburg; 05-06-2009 at 04:02 PM.
Reason: remove private data
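An added example, not posted by anyone in this thread, that puts the NAT, ACL and port-range pieces above together in PIX 7.x syntax (the dialect the posted `access-list ... extended` lines use) and adds the checks a firewall admin would run while an outside client retries. It assumes the IIS 7 FTP service from the thread: listening on port 21 with AUTH SSL, passive range 4000-4005 and the external address [OUTSIDE IP] entered in the IIS FTP Firewall Support page; the placeholders are kept as the poster wrote them. It opens only what explicit FTPS needs: port 21 for control and the passive range for data. Port 20 is the active-mode data source port and 989/990 belong to implicit-mode FTPS, so neither is used by an AUTH SSL session on 21. It also turns off the FTP inspection engine, which can rewrite PORT/PASV and open data pinholes only while it can read the control channel; once the channel is encrypted it cannot, and a flow dying right after `234 AUTH command ok`, as in the posted outside trace, is the symptom that usually points at it. Whether inspection is the cause here is not established by the thread; the `show` commands at the end exist to confirm or rule it out.

```cisco
! --- NAT: one-to-one static for the FTP server (as already posted) ---
static (inside,outside) [OUTSIDE IP] [INTERNAL IP] netmask 255.255.255.255

! --- Ports that explicit FTPS (AUTH SSL on 21) actually needs ---
! Control channel; the TLS negotiation happens on this connection
object-group service ftps-control tcp
 port-object eq 21
! Passive data range; must match "Data Channel Port Range" in the
! IIS FTP Firewall Support settings (4000-4005 per the thread)
object-group service ftps-passive tcp
 port-object range 4000 4005

access-list outside_in extended permit tcp any host [OUTSIDE IP] object-group ftps-control log
access-list outside_in extended permit tcp any host [OUTSIDE IP] object-group ftps-passive log
access-group outside_in in interface outside

! --- FTP inspection ---
! The inspection engine parses PORT/PASV in cleartext FTP and opens the
! matching data pinholes. After AUTH SSL it sees only TLS bytes on port
! 21, cannot parse them, and may close the flow. Disable it on this box
! (PIX 7.x / ASA syntax). Side effect: plain active-mode FTP through this
! firewall loses its dynamic pinholes, so check who else relies on it.
policy-map global_policy
 class inspection_default
  no inspect ftp
! PIX 6.x equivalent, if the box is on the older release (assumption):
!   no fixup protocol ftp 21

! --- Checks to run while an outside client retries the connection ---
logging buffered debugging
! Any deny/teardown messages for the server's public address
show logging | include [OUTSIDE IP]
! Live connections to the server; a passive transfer should show a
! second connection with a destination port in 4000-4005
show conn address [INTERNAL IP]
! Confirm whether FTP inspection is still applied to the flow
show service-policy inspect ftp
! Capture on the outside interface to see whether the client's TLS
! ClientHello, sent right after "234 AUTH command ok", gets an answer
capture ftpcap interface outside match tcp any host [OUTSIDE IP]
show capture ftpcap
```

Two things to watch when testing this. First, the working inside trace above uses `PORT` (active mode), which asks the server to connect back to the client; from the outside the client must use passive mode so that the data connection is the client connecting to the address and 4000-4005 port given in the server's `PASV` reply. Second, if other hosts behind the PIX need FTP inspection, restrict `inspect ftp` to them with a `class-map` that matches an access-list instead of removing it from `inspection_default` globally.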
Gold Member, Registered Member
Join Date: Nov 2005 Location: NC
Posts: 2,491
Certifications: MCSE (Messaging and Security 2000 & 2003); MCTS:E2K7; VCP; Security+; A+; EMCPA; CCNA (expired).

What FTP client are you using?
IT guy since 12/00
Next on my list to conquer: MCITP:EM; VCP4... then taking a break.
Senior Member, Registered Member
Join Date: Aug 2005 Location: Cleveland, Ohio
Posts: 202
Certifications: HDSCP, MCT, MCSE, MCDBA, CWSP, MCSA, CCNA, CWNA, MCDST, CNST, CIW-A, CWST, CST, A+, Network+, iNet+, Security+

Core FTP Lite
wibble!, Registered Member
Join Date: Jun 2007 Location: Manchester, UK
Posts: 648
Certifications: MCSE 2003; MCSA 2003; MCTS:620,649,652; Security+; Commvault CA

Interesting problem. FTPS is a PITA to get to work over certain firewalls; most modern ones drop the connection as they can't inspect the ftp-control stream. (Pretty much like trying to get standard FTP to work over some firewalls, I suppose.) However, you seem to be on the right track, reading what you've done.
Have a read through the following, and tweak the client and server side settings for the SSL encryption options at various stages to see what does and doesn't work. (He is using the same ftp client as you have too). Robert McMurray's Blog [MSFT]
I've also linked a few docs I found on my travels that you have probably seen but may help others in the future: How to configure the PIX Firewall to support FTP over SSL - Ciscowiki Using FTP Over SSL : FTP 7 for IIS 7.0 : Publishing Content to Web Sites : The Official Microsoft IIS Site
WIP: VCP-310, 70-647
Last edited by bertieb; 05-07-2009 at 01:27 PM.
Senior Member, Registered Member
Join Date: Jan 2008 Location: Deforest, WI
Posts: 1,018
Certifications: B.S. Technology Mgmt., MCTS: Vista Configuration, MCTS: Windows 7, Configuring

Did you enter the external IP address of your firewall in IIS so the passive connections don't try to connect to the internal IP?