Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2981
Views
0
Helpful
3
Replies

FTP problems over site-to-site VPN

jswift17
Level 1
Level 1

‎03-29-2007 01:41 PM - edited ‎02-21-2020 02:57 PM

I have a Cisco ASA 5510 that I have setup to provide site-to-site vpn access between our local network and a PIX 515 on a remote network (a SAP that needs access to upload files to our FTP server). This unit is not doing any firewalling at this time, only VPN connections. The server is not using NAT and the SAP will connect over an IPSEC connection.

The tunnel is created successfully and the user was able to ping the server but not connect (I say WAS because now the user cannot ping the server either). I have allowed all traffic to our internal FTP server through the checkpoint and connections from the local network work with no problem. I can even connect using the Cisco VPN client and make a connection to the FTP server. This connection problem only happens when using the site-to-site VPN.

Here is an overview to help sort things out (IP?s changed for security) and parts of the config:

Remote network (public IP): 172.16.1.8

Internal Host on the remote network making the connection: 192.168.1.8

Internal FTP Server: 10.54.1.133

asdm image disk0:/asdm521.bin

asdm history enable

: Saved

:

ASA Version 7.2(2)

!

hostname ciscoasa

domain-name domain.com

enable password

names

!

interface Ethernet0/0

nameif Outside

security-level 0

ip address 1.2.3.4 255.255.255.128

!

interface Ethernet0/1

nameif Inside

security-level 100

ip address 10.54.1.200 255.255.252.0

!

interface Ethernet0/2

nameif DMZ

security-level 50

ip address 192.168.199.1 255.255.255.0

!

interface Ethernet0/3

shutdown

nameif Not_Used

security-level 0

ip address 192.168.9.1 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

**************************

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list Inside_nat0_outbound extended permit ip 10.54.1.0 255.255.252.0 192.168.1.0 255.255.255.0

access-list Outside_20_cryptomap extended permit ip 10.54.1.0 255.255.252.0 192.168.1.0 255.255.255.0

***************************

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map Outside_map 20 match address Outside_20_cryptomap

crypto map Outside_map 20 set peer 172.16.1.8

crypto map Outside_map 20 set transform-set ESP-3DES-SHA

crypto map Outside_map interface Outside

crypto isakmp enable Outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

tunnel-group 172.16.1.8 type ipsec-l2l

tunnel-group 172.16.1.8 ipsec-attributes

pre-shared-key *

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

Labels:
0 Helpful
3 Replies 3

acomiskey
Level 10
Level 10

‎03-29-2007 02:20 PM

515 config would help also if possible.

I don't see a

nat (inside) 0 access-list Inside_nat0_outbound

but you probably have that in there as your remote access vpn works right?

0 Helpful

jswift17
Level 1
Level 1
In response to acomiskey

‎03-29-2007 07:05 PM

Unfortunately, I don't have access to the 515 config (can't get SAP to provide it to me).

nat (inside) 0 access-list inside_nat0_outbound

is there (just didn't include it).

Yes, remote access vpn works great. Only problem is ftp through site-to-site vpn.

0 Helpful

mfreijser
Level 1
Level 1
In response to jswift17

‎03-30-2007 07:37 AM

I notice that the "Inspect FTP" command is configured on the global policy. You can get problems with Passive FTP when this is enabled.

You can test this by starting a FTP session to the FTP-server with a DOS-prompt (Active FTP) and starting a FTP session with third-party software which uses Passive FTP.

"Inspect FTP" is the problem if the Active FTP works and the Passive not.

0 Helpful
Customers Also Viewed These Support Documents