Solved

FTP server behind firewall and VPN tunnel

Posted on 2008-06-10
Last Modified: 2011-10-19
I have an FTP server called Ftptran sitting behind a PIX "interface general".
a. My network diagram: fig 1
Traffic from the FTP server should pass the PIX to the VPN, then the destination. I'm having a problem with the tunnel; the problem is with my local host "Ftptran".
Troubleshooting I did so far, see fig 2:
Neither a ping nor a traceroute goes past the server.
b. Attached is the traceroute from the Ftptran.
I issued the command on the PIX: debug icmp trace
As you can see, no ICMP is passing out of the Ftptran or through the firewall.

My question: how can I configure the traceroute to pass the PIX interface? I need help.
The tunnel will not be created because the remote site "host" is not able to connect to my host "Ftptran".

Attached is my PIX file:
Fig 3



My-pix.txt
tracerout.txt
My-pix.txt
Question by: TDalago
Expert Comment by: Voltz-dk
It seems you skipped the diagram and posted the config twice.  And within that it seems some info is missing :)

Author Comment by: TDalago
I am sorry, this is the network diagram:
My-Diagram.txt

Expert Comment by: Voltz-dk
Ok, these 2 are at least wrong:

no static (inside,general) 10.40.15.20 10.40.15.20 netmask 255.255.255.255 0 0
no static (inside,general) 10.40.15.0 10.40.15.0 netmask 255.255.255.0 0 0

And you seem to lack a translation for the network you are trying to reach:

static (inside,general) 170.138.220.0 170.138.220.0 netmask 255.255.255.0


Author Comment by: TDalago
I should remove these 2:
no static (inside,general) 10.40.15.20 10.40.15.20 netmask 255.255.255.255 0 0
no static (inside,general) 10.40.15.0 10.40.15.0 netmask 255.255.255.0 0 0
Don't I need a translation from the inside interface to the general interface?

I added this:
static (inside,general) 170.138.220.0 170.138.220.0 netmask 255.255.255.0

Accepted Solution by: Voltz-dk (earned 125 total points)
>don't i need a translation from inside interface to general interface ?
It depends what you mean. You need a translation to get from inside to general, yes. But not those 2 lines.

First off, the 1st line is just a subset of the 2nd line, so if you needed it, you'd only need the 2nd one.
And what the static says is that traffic from inside -> general, sourced with 10.40.15, should stick as 10.40.15.
But that's quite wrong, since 10.40.15 isn't located at the inside at all.

In most cases you don't need a translation for the source when we are talking about inbound connections (from less secure to more secure).
But you need a translation (and a non-dynamic one at that) for the destination. These are usually done with statics.

Here you move from dmz to inside, which is inbound.  So you need a translation for the network you are trying to reach (the one you added above).

Author Comment by: TDalago
Thanks for the clarification.
I have removed both static commands.
I will have the remote site fire up the VPN tunnel when they get to the office this afternoon.

2) When I issued the command traceroute 178.132.220.16 (this is the gateway of the remote site) from my Ftptran (10.40.15.20 ---> 68.68.68.238) and then issued on my PIX: debug icmp trace, the trace command does nothing and there is also no packet in the PIX log.

The reason I do the trace command is to see if the packets go through the VPN concentrator or through the Perimeter Router into the Internet.
The question is, how can I get the trace command to work?
Thanks

Expert Comment by: Voltz-dk
It seems the FTP server is a Unix box, so you need the -I or whatever makes it into ICMP, at least.
And if you are tracing inbound, you should also add this cmd to the PIX:

fixup proto icmp error
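Added example (not from the thread or either participant): the accepted solution's point about statics and the ICMP advice above, pulled together into one PIX 6.x-style fragment. Interface names and addresses are the thread's; the security levels, the access-list name general_in, and limiting the permit to FTP are assumptions.

```text
! Assumed: "general" is a lower-security (DMZ) interface, "inside" is higher.
! Ftptran 10.40.15.20 sits on general; 170.138.220.0/24 is reached via inside.

! --- Wrong (remove): identity statics for a network that is not on inside ---
! They claim 10.40.15.x lives on inside and should keep its address toward
! general, but 10.40.15.0/24 is the general side, so they translate nothing.
no static (inside,general) 10.40.15.20 10.40.15.20 netmask 255.255.255.255 0 0
no static (inside,general) 10.40.15.0 10.40.15.0 netmask 255.255.255.0 0 0

! --- Correct: general -> inside is inbound (low to high security), so the ---
! --- destination network needs a non-dynamic translation: an identity static ---
static (inside,general) 170.138.220.0 170.138.220.0 netmask 255.255.255.0

! Inbound traffic must also be explicitly permitted on the low-security side.
! Least privilege: only the FTP server, only the remote network, only FTP.
! (ACL name "general_in" is assumed.)
access-list general_in permit tcp host 10.40.15.20 170.138.220.0 255.255.255.0 eq ftp
! ICMP permit only while testing ping / traceroute -I; remove it afterwards.
access-list general_in permit icmp host 10.40.15.20 170.138.220.0 255.255.255.0
access-group general_in in interface general

! FTP inspection (on by default) opens the data channel for the control
! connection above instead of needing a broad permit for high ports.
fixup protocol ftp 21
! Full form of the command from the comment above: lets ICMP error messages
! (the TTL-exceeded replies traceroute relies on) return through the PIX.
fixup protocol icmp error
```

With the ACL in place, "debug icmp trace" and the PIX syslog should show each probe; if nothing appears at all, the packets are not reaching the general interface and the host's routing should be checked before the PIX config.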

Author Comment by: TDalago
I will try it later after my meeting.