Re: Encrypted FTP through an ASA
- From: tron@xxxxxxxxxxxxx (Matthias Scheler)
- Date: 29 Apr 2007 17:46:27 GMT
In article <4633a9bc$0$90274$14726298@xxxxxxxxxxxxxxx>,
M <ujjj@xxxxxxxxxxxxx> writes:
> I have an internal FTP server on 192.168.1.2. It is configured to use
> SSL. It works fine on the internal local network but not from the outside.
> My passive port range is: 2048 --> 3000
> What am I missing in my configuration?
Nothing probably, it simply can't work (unless the NAT router performs
a nasty man-in-the-middle attack on the SSL connection).
An FTP server accepting a passive connection will open a TCP listener
port and tell the FTP client the IP address and port number. If the
FTP server is behind a NAT router this can't work because it will
tell the FTP client its internal IP address and local port number.
The NAT router must therefore understand the FTP protocol, create
a NAT mapping and rewrite the IP address and port number. That
NAT mapping will allow the FTP client to actually connect to
the FTP server.
In your setup the FTP connection is encrypted. The NAT router therefore
cannot inspect it or rewrite the IP address and port number.
The FTP client will therefore try to connect to 192.168.1.2 which
won't work.
Kind regards
--
Matthias Scheler http://zhadum.org.uk/
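The passive-mode failure described in the reply, as an added example that is not part of the original mail: a parser for the RFC 959 "227" reply, a model of the FTP-aware NAT rewrite that works for clear-text FTP, and the same step on a TLS record, where nothing can be rewritten and the client ends up aiming at 192.168.1.2. The public address 203.0.113.10, the TLS record bytes and the 1:1 port mapping for the 2048..3000 range are constructed assumptions.

```python
import ipaddress
import re

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)", data port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_pasv(reply):
    """Return (host, port) advertised by a 227 reply, or None if the text is not a readable one."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def format_pasv(host, port):
    return f"227 Entering Passive Mode ({host.replace('.', ',')},{port // 256},{port % 256})"

def nat_alg(control_data, internal, public, pasv_range):
    """The FTP-aware NAT step from the post: a readable 227 reply naming the internal host on a
    port inside the configured passive range gets its address rewritten to the public one and a
    1:1 port mapping recorded (assumption). Anything else, TLS ciphertext included, passes
    through unchanged and creates no mapping."""
    parsed = parse_pasv(control_data)
    if parsed is None or parsed[0] != internal or parsed[1] not in pasv_range:
        return control_data, None
    port = parsed[1]
    return format_pasv(public, port), {"public": (public, port), "internal": (internal, port)}

def client_target(reply_as_seen_by_client):
    """Where the client will open the data connection, with a diagnosis of the NAT failure."""
    parsed = parse_pasv(reply_as_seen_by_client)
    if parsed is None:
        return None
    host, port = parsed
    if any(ipaddress.ip_address(host) in net for net in RFC1918):
        return host, port, "unreachable: RFC 1918 address leaked through the NAT"
    return host, port, "reachable"

if __name__ == "__main__":
    INTERNAL, PUBLIC = "192.168.1.2", "203.0.113.10"   # 203.0.113.10: constructed documentation address
    PASSIVE = range(2048, 3001)                        # the poster's 2048..3000 passive range
    reply = format_pasv(INTERNAL, 2100)                # the server's reply, before the NAT sees it
    # Clear-text FTP: the ASA can read and rewrite the reply, so the client aims at the public address.
    rewritten, mapping = nat_alg(reply, INTERNAL, PUBLIC, PASSIVE)
    print("clear:", rewritten, mapping, client_target(rewritten))
    # FTPS: the ASA only sees a TLS record (constructed bytes); the client decrypts the untouched reply.
    tls_record = "\x17\x03\x01\x00\x2aXXXXXXX"
    passed, mapping = nat_alg(tls_record, INTERNAL, PUBLIC, PASSIVE)
    print("tls:  ", passed == tls_record, mapping, client_target(reply))
```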