Solved

Ftp server behind  firewall and vpn tunnel

Posted on 2008-06-10
8
448 Views
Last Modified: 2011-10-19
I have a FTP server called Ftptran sitting behind a PIX "interface general"
a. My network diagram   fig 1
Traffic from the ftpserver should pass the pix to the VPN then the destination. I'm having problem with the tunnel , the problem is with my local host " Ftptran"
                          Trouble shoot  I did so far , see   fig 2
Either a ping or traceroute go past the server.
b. attached is the traceroute from the Ftptran.  
  I issed the command Pix: debug icmp trace
as you can see, no icmp is passing out of the ftptran or through the firewall

My ?. how can I configure the tracerout th pass the PIx interface and I need help
The tunnel will not create because the remote site  "host" is not able to connect to my host "ftptan"

attached is my pix file
Fig 3



My-pix.txt
tracerout.txt
My-pix.txt
0
Comment
Question by:TDalago
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
8 Comments
 
LVL 15

Expert Comment

by:Voltz-dk
ID: 21755979
It seems you skipped the diagram and posted the config twice.  And within that it seems some info is missing :)
0
 

Author Comment

by:TDalago
ID: 21756145
I am sorry, this is the Network diagram
My-Diagram.txt
0
 
LVL 15

Expert Comment

by:Voltz-dk
ID: 21758453
Ok, these 2 are at least wrong:

no static (inside,general) 10.40.15.20 10.40.15.20 netmask 255.255.255.255 0 0
no static (inside,general) 10.40.15.0 10.40.15.0 netmask 255.255.255.0 0 0

And you seem to lack a translation for the network you are trying to reach:

static (inside,general) 170.138.220.0 170.138.220.0 netmask 255.255.255.0

0
Why You Need a DevOps Toolchain

IT needs to deliver services with more agility and velocity. IT must roll out application features and innovations faster to keep up with customer demands, which is where a DevOps toolchain steps in. View the infographic to see why you need a DevOps toolchain.

 

Author Comment

by:TDalago
ID: 21759633
I should remove this 2
no static (inside,general) 10.40.15.20 10.40.15.20 netmask 255.255.255.255 0 0
no static (inside,general) 10.40.15.0 10.40.15.0 netmask 255.255.255.0 0 0
don't i need a translation from inside interface to general interface ?.

I added this
static (inside,general) 170.138.220.0 170.138.220.0 netmask 255.255.255.0
0
 
LVL 15

Accepted Solution

by:
Voltz-dk earned 125 total points
ID: 21759846
>don't i need a translation from inside interface to general interface ?
It depends what you mean..  You need a translation to get from inside to general, yes.  But not those 2 lines.

First of, the 1st line is just a subset of the 2nd line - so if you needed it, you'd only need the 2nd one.
And what the static says is that traffic from inside -> general, sourced with 10.40.15 should stick as 10.40.15
But that's quite wrong, since 10.40.15 isn't located at the inside at all..

In most cases you don't need a translation for the source when we are talking inbound connections (from less secure to more secure).
But you need a translation (and non-dynamic at that) for the destination.  These are usually done with statics.

Here you move from dmz to inside, which is inbound.  So you need a translation for the network you are trying to reach (the one you added above).
0
 

Author Comment

by:TDalago
ID: 21760150
Thanks for the clerification.
I have removed both static  command.
I will have the remote site to fire-up the VPN tunnel with they gets to the office this afternoon.

2). When I issued the command traceroute 178.132.220.16 { is the gateway of the remove site) from my Ftptran ( 10.40.15.20 ---> 68.68.68.238)  and then issue on my Pix: debug icmp trace,. The trace command does nothing and also no packet on the Pix log.

The reason I do the trace command is to see if the packets go through the VPN concentrator  or through the Peremiter Router into the Internet.
The question is, how can I have the trace command  to work.
Thanks
0
 
LVL 15

Expert Comment

by:Voltz-dk
ID: 21760587
It seems the FTP server is a unix, so you need the -I or whatever makes it into ICMP at least.
And if you are tracing inbound, you should also add this cmd to PIX:

fixup proto icmp error
0
 

Author Comment

by:TDalago
ID: 21760711
I will try it latter after my meeting.
0

Featured Post

Retailers - Is your network secure?

With the prevalence of social media & networking tools, for retailers, reputation is critical. Have you considered the impact your network security could have in your customer's experience? Learn more in our Retail Security Resource Kit Today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question