TDalago
asked on
Ftp server behind firewall and vpn tunnel
I have an FTP server called Ftptran sitting behind a PIX "interface general".
a. My network diagram, fig 1
Traffic from the FTP server should pass the PIX to the VPN, then to the destination. I'm having a problem with the tunnel; the problem is with my local host "Ftptran".
Troubleshooting I did so far, see fig 2:
Either a ping or a traceroute goes past the server.
b. Attached is the traceroute from the Ftptran.
I issued the command on the PIX: debug icmp trace
As you can see, no ICMP is passing out of the Ftptran or through the firewall.
My question: how can I configure the traceroute to pass the PIX interface? I need help.
The tunnel will not be created because the remote site "host" is not able to connect to my host "Ftptran".
Attached is my PIX file.
Fig 3
My-pix.txt
tracerout.txt
My-pix.txt
It seems you skipped the diagram and posted the config twice. And within that it seems some info is missing :)
ASKER
I am sorry, this is the network diagram:
My-Diagram.txt
OK, these 2 are at least wrong:
no static (inside,general) 10.40.15.20 10.40.15.20 netmask 255.255.255.255 0 0
no static (inside,general) 10.40.15.0 10.40.15.0 netmask 255.255.255.0 0 0
And you seem to lack a translation for the network you are trying to reach:
static (inside,general) 170.138.220.0 170.138.220.0 netmask 255.255.255.0
ASKER
I should remove these 2:
no static (inside,general) 10.40.15.20 10.40.15.20 netmask 255.255.255.255 0 0
no static (inside,general) 10.40.15.0 10.40.15.0 netmask 255.255.255.0 0 0
Don't I need a translation from the inside interface to the general interface?
I added this:
static (inside,general) 170.138.220.0 170.138.220.0 netmask 255.255.255.0
ASKER CERTIFIED SOLUTION
ASKER
Thanks for the clarification.
I have removed both static commands.
I will have the remote site fire up the VPN tunnel when they get to the office this afternoon.
2). When I issued the command traceroute 178.132.220.16 (this is the gateway of the remote site) from my Ftptran (10.40.15.20 ---> 68.68.68.238) and then issued on my PIX: debug icmp trace, the trace command does nothing and there is also no packet in the PIX log.
The reason I do the trace command is to see if the packets go through the VPN concentrator or through the perimeter router into the Internet.
The question is, how can I get the trace command to work?
Thanks
It seems the FTP server is a Unix box, so you need the -I option or whatever makes it use ICMP, at least.
And if you are tracing inbound, you should also add this command to the PIX:
fixup proto icmp error
ASKER
I will try it later after my meeting.