FTP/SSL Problem Behind Checkpoint

Status
Not open for further replies.

rmmagow

Technical User
Jan 2, 2002
93
US
R61 running on a Nortel Alteon platform.
I am the "client" side. I am using CuteFTP as the client code. I am trying to connect to an FTP server hosted by a state agency. I think it is an IBM mainframe but it doesn't matter I don't think. CuteFTP is set up to connect FTP with SSL (AUTH SSL- Explicit) over port 21. A Straight connection, the client machine on DSL connecting to the state agency's FTP server works fine. If I try to run the client behind the firewall, using the firewall's hide-behind address it fails with SSL:Error in negotiating SSL Connection. I've tried virtually everything I can think of for services, ftp-bidir, port based, PASV, any any any ETC ETC. No DROPS in the logs but I am getting some warnings from Smart Defense. Nothing in SD is set up to drop anything but....
I've even tried to set up the client so it would NAT to a real outside IP address when connecting to the server at the state agency. They are unable to help me and will not change anything on their side. I've Googled this problem and apparently it really is a problem, but I have not seen any kind of solution proposed.
I'm pretty badly lost here and hope one of our experts can shed a little light on what's going on and how I might be able to fix this problem.
Thanks Very Much.
 
Anybody there?? I really need help here.
THANK YOU!!!
 
What are the warnings SD is giving you? It might not be dropping on your side, but they may be dropping it.
 
Hmm, didn't think of that. I'll send the exact message I'm seeing in the morning. State governments are DIFFICULT to deal with, almost zero help trying to figure out what's going on here. My sniffer traces didn't help much since it's failing at the hand-shake level of key exchange.
THANKS!
 
You may want to see if there is a setting within the FTP application that won't trigger the alerts in SD. CP is very particular about how services work through it; if it varies from the RFC then CP doesn't like it. You may need to look at a different FTP application. The state agency probably won't do much if it's being dropped on their side; I wouldn't open up my FW to allow an application through that was setting off alerts of potential attacks.
good luck
 