• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 462
  • Last Modified:

Ftp server behind firewall and vpn tunnel

I have an FTP server called Ftptran sitting behind a PIX "interface general".
a. My network diagram: fig 1
Traffic from the FTP server should pass the PIX to the VPN, then to the destination. I'm having a problem with the tunnel; the problem is with my local host "Ftptran".
Troubleshooting I did so far, see fig 2
Either a ping or a traceroute goes past the server.
b. Attached is the traceroute from the Ftptran.
I issued the command on the PIX: debug icmp trace
As you can see, no ICMP is passing out of the Ftptran or through the firewall.

My question: how can I configure the traceroute to pass the PIX interface? I need help.
The tunnel will not be created because the remote site "host" is not able to connect to my host "Ftptran".

Attached is my PIX file.
Fig 3



My-pix.txt
tracerout.txt
My-pix.txt
Asked: TDalago
1 Solution
 
Voltz-dkCommented:
It seems you skipped the diagram and posted the config twice.  And within that it seems some info is missing :)
0
 
TDalagoAuthor Commented:
I am sorry, this is the Network diagram
My-Diagram.txt
0
 
Voltz-dkCommented:
Ok, these 2 are at least wrong:

no static (inside,general) 10.40.15.20 10.40.15.20 netmask 255.255.255.255 0 0
no static (inside,general) 10.40.15.0 10.40.15.0 netmask 255.255.255.0 0 0

And you seem to lack a translation for the network you are trying to reach:

static (inside,general) 170.138.220.0 170.138.220.0 netmask 255.255.255.0

0
 
TDalagoAuthor Commented:
I should remove these 2:
no static (inside,general) 10.40.15.20 10.40.15.20 netmask 255.255.255.255 0 0
no static (inside,general) 10.40.15.0 10.40.15.0 netmask 255.255.255.0 0 0
Don't I need a translation from the inside interface to the general interface?

I added this
static (inside,general) 170.138.220.0 170.138.220.0 netmask 255.255.255.0
0
 
Voltz-dkCommented:
>Don't I need a translation from the inside interface to the general interface?
It depends what you mean. You need a translation to get from inside to general, yes. But not those 2 lines.

First off, the 1st line is just a subset of the 2nd line, so if you needed it, you'd only need the 2nd one.
And what the static says is that traffic from inside -> general, sourced from 10.40.15, should stick as 10.40.15.
But that's quite wrong, since 10.40.15 isn't located on the inside at all.

In most cases you don't need a translation for the source when we are talking about inbound connections (from less secure to more secure).
But you need a translation (and a non-dynamic one at that) for the destination. These are usually done with statics.

Here you move from the DMZ to inside, which is inbound. So you need a translation for the network you are trying to reach (the one you added above).
0
 
TDalagoAuthor Commented:
Thanks for the clarification.
I have removed both static commands.
I will have the remote site fire up the VPN tunnel when they get to the office this afternoon.

2). When I issued the command traceroute 178.132.220.16 (the gateway of the remote site) from my Ftptran (10.40.15.20 ---> 68.68.68.238) and then issued on my PIX: debug icmp trace, the trace command does nothing and there is also no packet in the PIX log.

The reason I do the trace command is to see if the packets go through the VPN concentrator or through the perimeter router into the Internet.
The question is, how can I get the trace command to work?
Thanks
0
 
Voltz-dkCommented:
It seems the FTP server is a Unix box, so you need the -I switch or whatever makes it use ICMP, at least.
And if you are tracing inbound, you should also add this command to the PIX:

fixup protocol icmp error
0
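The following is an added configuration example, not posted by either participant, that puts Voltz-dk's two answers together in PIX 6.x syntax: the identity static for the destination network quoted in the thread, an access list on the general interface that limits the Ftptran host to FTP and ICMP toward that network instead of permitting everything, and the ICMP error fixup so traceroute hop replies are let back in. The interface names and addresses come from the thread; the access-list name `ftptran_out`, the host-only restriction and the `<remote-host>` placeholder are assumptions, and the comment lines are for the reader rather than for the PIX.

```text
! Added example (PIX 6.x syntax). Interface names and addresses are from the
! thread; the access-list name and host restriction are assumptions.

! Identity translation for the inside network Ftptran needs to reach (the one
! Voltz-dk said was missing). The two 10.40.15.x statics stay removed.
static (inside,general) 170.138.220.0 170.138.220.0 netmask 255.255.255.0

! Least-privilege access list on the general interface: only the FTP host,
! only toward the remote network, only the FTP control port plus ICMP for
! the traceroute probes. The ftp fixup takes care of the data connections.
access-list ftptran_out permit tcp host 10.40.15.20 170.138.220.0 255.255.255.0 eq ftp
access-list ftptran_out permit icmp host 10.40.15.20 170.138.220.0 255.255.255.0
access-group ftptran_out in interface general

! Stateful handling for FTP and for ICMP error messages (time-exceeded,
! unreachable), which is what each traceroute hop answers with.
fixup protocol ftp 21
fixup protocol icmp error

! On the Ftptran host (Unix): send ICMP echo probes instead of UDP so the
! above rules match. <remote-host> is a placeholder for the target address.
! traceroute -I <remote-host>
```

With `debug icmp trace` still running on the PIX, the probes from 10.40.15.20 and the time-exceeded replies should now appear in the debug output; if they do not, the access-group direction or the static is the first thing to re-check.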
 
TDalagoAuthor Commented:
I will try it later after my meeting.
0
