Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Ftp server behind  firewall and vpn tunnel

Posted on 2008-06-10
8
Medium Priority
?
458 Views
Last Modified: 2011-10-19
I have a FTP server called Ftptran sitting behind a PIX "interface general"
a. My network diagram   fig 1
Traffic from the ftpserver should pass the pix to the VPN then the destination. I'm having problem with the tunnel , the problem is with my local host " Ftptran"
                          Trouble shoot  I did so far , see   fig 2
Either a ping or traceroute go past the server.
b. attached is the traceroute from the Ftptran.  
  I issed the command Pix: debug icmp trace
as you can see, no icmp is passing out of the ftptran or through the firewall

My ?. how can I configure the tracerout th pass the PIx interface and I need help
The tunnel will not create because the remote site  "host" is not able to connect to my host "ftptan"

attached is my pix file
Fig 3



My-pix.txt
tracerout.txt
My-pix.txt
0
Comment
Question by:TDalago
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
8 Comments
 
LVL 15

Expert Comment

by:Voltz-dk
ID: 21755979
It seems you skipped the diagram and posted the config twice.  And within that it seems some info is missing :)
0
 

Author Comment

by:TDalago
ID: 21756145
I am sorry, this is the Network diagram
My-Diagram.txt
0
 
LVL 15

Expert Comment

by:Voltz-dk
ID: 21758453
Ok, these 2 are at least wrong:

no static (inside,general) 10.40.15.20 10.40.15.20 netmask 255.255.255.255 0 0
no static (inside,general) 10.40.15.0 10.40.15.0 netmask 255.255.255.0 0 0

And you seem to lack a translation for the network you are trying to reach:

static (inside,general) 170.138.220.0 170.138.220.0 netmask 255.255.255.0

0
Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!

 

Author Comment

by:TDalago
ID: 21759633
I should remove this 2
no static (inside,general) 10.40.15.20 10.40.15.20 netmask 255.255.255.255 0 0
no static (inside,general) 10.40.15.0 10.40.15.0 netmask 255.255.255.0 0 0
don't i need a translation from inside interface to general interface ?.

I added this
static (inside,general) 170.138.220.0 170.138.220.0 netmask 255.255.255.0
0
 
LVL 15

Accepted Solution

by:
Voltz-dk earned 375 total points
ID: 21759846
>don't i need a translation from inside interface to general interface ?
It depends what you mean..  You need a translation to get from inside to general, yes.  But not those 2 lines.

First of, the 1st line is just a subset of the 2nd line - so if you needed it, you'd only need the 2nd one.
And what the static says is that traffic from inside -> general, sourced with 10.40.15 should stick as 10.40.15
But that's quite wrong, since 10.40.15 isn't located at the inside at all..

In most cases you don't need a translation for the source when we are talking inbound connections (from less secure to more secure).
But you need a translation (and non-dynamic at that) for the destination.  These are usually done with statics.

Here you move from dmz to inside, which is inbound.  So you need a translation for the network you are trying to reach (the one you added above).
0
 

Author Comment

by:TDalago
ID: 21760150
Thanks for the clerification.
I have removed both static  command.
I will have the remote site to fire-up the VPN tunnel with they gets to the office this afternoon.

2). When I issued the command traceroute 178.132.220.16 { is the gateway of the remove site) from my Ftptran ( 10.40.15.20 ---> 68.68.68.238)  and then issue on my Pix: debug icmp trace,. The trace command does nothing and also no packet on the Pix log.

The reason I do the trace command is to see if the packets go through the VPN concentrator  or through the Peremiter Router into the Internet.
The question is, how can I have the trace command  to work.
Thanks
0
 
LVL 15

Expert Comment

by:Voltz-dk
ID: 21760587
It seems the FTP server is a unix, so you need the -I or whatever makes it into ICMP at least.
And if you are tracing inbound, you should also add this cmd to PIX:

fixup proto icmp error
0
 

Author Comment

by:TDalago
ID: 21760711
I will try it latter after my meeting.
0

Featured Post

Ask an Anonymous Question!

Don't feel intimidated by what you don't know. Ask your question anonymously. It's easy! Learn more and upgrade.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
Considering cloud tradeoffs and determining the right mix for your organization.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question