FTP problems over site-to-site VPN

Unanswered Question
Mar 29th, 2007

I have a Cisco ASA 5510 that I have setup to provide site-to-site vpn access between our local network and a PIX 515 on a remote network (a SAP that needs access to upload files to our FTP server). This unit is not doing any firewalling at this time, only VPN connections. The server is not using NAT and the SAP will connect over an IPSEC connection.

The tunnel is created successfully and the user was able to ping the server but not connect (I say WAS because now the user cannot ping the server either). I have allowed all traffic to our internal FTP server through the checkpoint and connections from the local network work with no problem. I can even connect using the Cisco VPN client and make a connection to the FTP server. This connection problem only happens when using the site-to-site VPN.

Here is an overview to help sort things out (IP?s changed for security) and parts of the config:

Remote network (public IP):

Internal Host on the remote network making the connection:

Internal FTP Server:

asdm image disk0:/asdm521.bin

asdm history enable

: Saved


ASA Version 7.2(2)


hostname ciscoasa

domain-name domain.com

enable password



interface Ethernet0/0

nameif Outside

security-level 0

ip address


interface Ethernet0/1

nameif Inside

security-level 100

ip address


interface Ethernet0/2

nameif DMZ

security-level 50

ip address


interface Ethernet0/3


nameif Not_Used

security-level 0

ip address


interface Management0/0

nameif management

security-level 100

ip address



same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list Inside_nat0_outbound extended permit ip

access-list Outside_20_cryptomap extended permit ip


no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map Outside_map 20 match address Outside_20_cryptomap

crypto map Outside_map 20 set peer

crypto map Outside_map 20 set transform-set ESP-3DES-SHA

crypto map Outside_map interface Outside

crypto isakmp enable Outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

tunnel-group type ipsec-l2l

tunnel-group ipsec-attributes

pre-shared-key *

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address management

dhcpd enable management



class-map inspection_default

match default-inspection-traffic



policy-map type inspect dns preset_dns_map


message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
acomiskey Thu, 03/29/2007 - 14:20

515 config would help also if possible.

I don't see a

nat (inside) 0 access-list Inside_nat0_outbound

but you probably have that in there as your remote access vpn works right?

jswift17 Thu, 03/29/2007 - 19:05

Unfortunately, I don't have access to the 515 config (can't get SAP to provide it to me).

nat (inside) 0 access-list inside_nat0_outbound

is there (just didn't include it).

Yes, remote access vpn works great. Only problem is ftp through site-to-site vpn.

mfreijser Fri, 03/30/2007 - 07:37

I notice that the "Inspect FTP" command is configured on the global policy. You can get problems with Passive FTP when this is enabled.

You can test this by starting a FTP session to the FTP-server with a DOS-prompt (Active FTP) and starting a FTP session with third-party software which uses Passive FTP.

"Inspect FTP" is the problem if the Active FTP works and the Passive not.


This Discussion