FTP over SSL issue
Q:
Hello guys, I am running into an issue and I don't really know how to solve it. I am trying to establish an FTP over SSL connection between a V5R2 AS400 and an AIX server at a vendor company. The connection has been established by NATing the IP address flowing over the internet. The problem is: when I try to send a file and it opens the passive mode connection for data transfer, the AIX server responds with its local IP (192.168.xxx.xxx), not with its NATed IP. This makes my connection not work and I don't know what to do to solve it. I would appreciate some help. Thanks in advance.

Software/Hardware used:
Software
ASKED: Aug 26 2009  10:19 PM GMT
A:
Perhaps I'm not understanding the problem, but this is working as designed (i.e., according to spec).

When you open a passive data connection to an FTP server, vanilla or SSLed, you're telling the remote host to forgo the process of connecting back to *your* machine with the PORT command, as the RFC and STD docs specify, and to open another port itself (i.e., on the remote host) for the data channel. Unless the remote machine is aware that it is directly connected to the Internet (or a dedicated connection, such as a frame relay circuit and whatnot) then all it can do is define the PASV response information using its own IP.

There are two ways around this: have the remote FTPS host directly connected to the Internet (and make sure it's locked down tight), or arrange to have a firewall implemented between the 'net and this remote host that is able to do packet inspection and do the address translation without the hosts at either end having to know anything about it.

I know that Nokia's firewalls do such translation, because it's how we make our non-Internet-connected transfer hosts available to our clients. I'm sure Nokia isn't the only one capable of doing this...
Last Answered: Aug 27 2009  2:57 PM GMT by Sonotsky   660 pts.
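
Added example, not part of the original answer: with FTP over SSL the 227 reply is readable only at the endpoints, so the client is where the advertised data address can be compared with the address of the control connection. The sketch below parses a constructed reply and flags an RFC 1918 address advertised by a server reached on a public address; the function names and sample values are hypothetical, and it assumes the NAT device forwards the passive ports on the same public address as the control connection.

```python
import ipaddress
import re

# RFC 959 reply 227 carries the data endpoint as six decimal fields: h1,h2,h3,h4,p1,p2
PASV_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample reply (not captured from the systems in this thread)
SAMPLE_REPLY = "227 Entering Passive Mode (192,168,10,20,195,80)"


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def parse_pasv(reply):
    """Return (IPv4Address, port) advertised in a 227 reply."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = PASV_RE.search(reply[3:])
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % reply)
    ip = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    return ip, fields[4] * 256 + fields[5]  # port = p1 * 256 + p2


def check_pasv(reply, control_peer):
    """Return (data_ip, data_port, warning) for the data connection.

    If the server advertises an RFC 1918 address while the control channel
    goes to a non-private peer, the peer address is returned instead
    (assumption: passive ports are forwarded on that same address).
    """
    advertised, port = parse_pasv(reply)
    peer = ipaddress.IPv4Address(control_peer)
    if advertised == peer:
        return str(advertised), port, None
    if is_rfc1918(advertised) and not is_rfc1918(peer):
        return str(peer), port, "private address %s advertised behind NAT" % advertised
    return str(advertised), port, "advertised %s differs from peer %s" % (advertised, peer)
```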
Discuss This Answer:

Petkoa   1005 pts.  |   Aug 27 2009  7:07PM GMT

Hi Brunocl,

Probably you established the FTP session over an ssh tunnel? This is tricky, just because of the problem you encountered. There is a Java-based ssh client (mindterm) which has a “helper” for FTP tunneling, but I’m not sure whether it could be used on AS400 (not, most probably). Better use sftp or scp, which come with the ssh suite and work over a single port, unlike FTP.

Good luck,

Petko A.

 

Brunocl   215 pts.  |   Aug 27 2009  10:27PM GMT

Hello guys,

Thanks for your quick answers. The problem is I am not using SSH because the AS400 version V5R2 does not support it. I am using the AS400 FTP over SSL native application. About the firewall, we have worked on that to perform the IP translation, but as this is an encrypted connection it is not able to “read” the package and make the translation properly. Any other ideas?

 

Petkoa   1005 pts.  |   Aug 28 2009  9:51PM GMT

Any VPN solution, then?

BR,

Petko A.

 

Brunocl   215 pts.  |   Sep 3 2009  2:31PM GMT

Hi Petkoa,

No way. The customer wants to use a secure FTP connection. Does anyone know any third party software to provide SSH on V5R2?

 

Petkoa   1005 pts.  |   Sep 4 2009  9:14PM GMT

Hi,

googled for “SSH on V5R2” and got several pages of links - you can try them too. I found these useful:

http://www.ibmsystemsmag.com/print/print.aspx?print_page=%2Fibmi%2Fjuly05%2Fdeveloper%2F8845printp1.aspx&string_referer=/ibmi/july05/developer/8845p4.aspx

and

http://forums.systeminetwork.com/isnetforums/showthread.php?t=48939

Good luck,

Petko

 