Solved

FTP server behind firewall and VPN tunnel

Posted on 2008-06-10
8
446 Views
Last Modified: 2011-10-19
I have an FTP server called Ftptran sitting behind a PIX "interface general".
a. My network diagram: fig 1
Traffic from the FTP server should pass the PIX to the VPN, then on to the destination. I'm having a problem with the tunnel; the problem is with my local host "Ftptran".
Troubleshooting I did so far: see fig 2
Neither a ping nor a traceroute gets past the server.
b. Attached is the traceroute from the Ftptran.
I issued the command on the PIX: debug icmp trace
As you can see, no ICMP is passing out of the Ftptran or through the firewall.

My question: how can I configure the traceroute to pass the PIX interface? And I need help with this:
The tunnel will not come up because the remote site "host" is not able to connect to my host "Ftptran".

Attached is my PIX file
Fig 3



My-pix.txt
tracerout.txt
My-pix.txt
0
Comment
Question by:TDalago
8 Comments
 
LVL 15

Expert Comment

by:Voltz-dk
ID: 21755979
It seems you skipped the diagram and posted the config twice.  And within that it seems some info is missing :)
0
 

Author Comment

by:TDalago
ID: 21756145
I am sorry, this is the Network diagram
My-Diagram.txt
0
 
LVL 15

Expert Comment

by:Voltz-dk
ID: 21758453
Ok, these 2 are at least wrong:

no static (inside,general) 10.40.15.20 10.40.15.20 netmask 255.255.255.255 0 0
no static (inside,general) 10.40.15.0 10.40.15.0 netmask 255.255.255.0 0 0

And you seem to lack a translation for the network you are trying to reach:

static (inside,general) 170.138.220.0 170.138.220.0 netmask 255.255.255.0

0

 

Author Comment

by:TDalago
ID: 21759633
I should remove these 2:
no static (inside,general) 10.40.15.20 10.40.15.20 netmask 255.255.255.255 0 0
no static (inside,general) 10.40.15.0 10.40.15.0 netmask 255.255.255.0 0 0
Don't I need a translation from the inside interface to the general interface?

I added this:
static (inside,general) 170.138.220.0 170.138.220.0 netmask 255.255.255.0
0
 
LVL 15

Accepted Solution

by:
Voltz-dk earned 125 total points
ID: 21759846
>Don't I need a translation from the inside interface to the general interface?
It depends what you mean. You need a translation to get from inside to general, yes. But not those 2 lines.

First off, the 1st line is just a subset of the 2nd line, so if you needed it, you'd only need the 2nd one.
And what the static says is that traffic from inside -> general, sourced from 10.40.15, should stay as 10.40.15.
But that's quite wrong, since 10.40.15 isn't located on the inside at all.

In most cases you don't need a translation for the source when we are talking about inbound connections (from less secure to more secure).
But you need a translation (and a non-dynamic one at that) for the destination. These are usually done with statics.

Here you move from DMZ to inside, which is inbound. So you need a translation for the network you are trying to reach (the one you added above).
0
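A small checker for the mistake described in the accepted answer, added here as an example and not part of the thread: it parses PIX 6.x `ip address`, `route` and `static` lines and flags any static whose real address is not behind the interface named first in the static (the real interface). The interface and route addresses in the sample config are constructed assumptions; only the networks and the static lines come from the thread.

```python
import ipaddress
import re

# Constructed PIX 6.x config fragment, not the poster's My-pix.txt.
# Interface and route addresses are assumptions; the networks and the
# three static lines are the ones discussed in the thread.
SAMPLE_CONFIG = """
ip address inside 192.168.1.1 255.255.255.0
ip address general 10.40.15.1 255.255.255.0
route inside 170.138.220.0 255.255.255.0 192.168.1.2 1
static (inside,general) 10.40.15.20 10.40.15.20 netmask 255.255.255.255 0 0
static (inside,general) 10.40.15.0 10.40.15.0 netmask 255.255.255.0 0 0
static (inside,general) 170.138.220.0 170.138.220.0 netmask 255.255.255.0
"""

IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) \S+")
# PIX syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask ...
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")


def networks_behind(config):
    """Map interface name -> networks reachable through it: the connected
    subnet plus any static route that points out of that interface."""
    nets = {}
    for line in config.splitlines():
        line = line.strip()
        m = IP_ADDR_RE.match(line) or ROUTE_RE.match(line)
        if m:
            ifc, ip, mask = m.groups()
            nets.setdefault(ifc, []).append(
                ipaddress.ip_network(f"{ip}/{mask}", strict=False))
    return nets


def misplaced_statics(config):
    """Return static lines whose real address is not behind the real
    interface they name, i.e. translations for hosts the firewall does
    not actually have on that side (the 10.40.15.x statics here)."""
    nets = networks_behind(config)
    flagged = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        real_ifc, _mapped_ifc, _mapped_ip, real_ip, mask = m.groups()
        real_net = ipaddress.ip_network(f"{real_ip}/{mask}", strict=False)
        if not any(real_net.subnet_of(n) for n in nets.get(real_ifc, [])):
            flagged.append(line.strip())
    return flagged
```

Running `misplaced_statics(SAMPLE_CONFIG)` reports the two 10.40.15.x statics and leaves the 170.138.220.0 static alone, since that network is routed behind inside.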
 

Author Comment

by:TDalago
ID: 21760150
Thanks for the clarification.
I have removed both static commands.
I will have the remote site fire up the VPN tunnel when they get to the office this afternoon.

2) When I issued the command traceroute 178.132.220.16 (this is the gateway of the remote site) from my Ftptran (10.40.15.20 ---> 68.68.68.238) and then issued on my PIX: debug icmp trace, the trace command does nothing and also no packet shows in the PIX log.

The reason I do the trace command is to see if the packets go through the VPN concentrator or through the perimeter router into the Internet.
The question is, how can I get the trace command to work?
Thanks
0
 
LVL 15

Expert Comment

by:Voltz-dk
ID: 21760587
It seems the FTP server is a Unix box, so you need the -I or whatever makes it use ICMP at least.
And if you are tracing inbound, you should also add this command to the PIX:

fixup proto icmp error
0
 

Author Comment

by:TDalago
ID: 21760711
I will try it later after my meeting.
0