Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1329
Views
0
Helpful
2
Replies

Problems with passive FTP over lan to lan VPN

Eric Hansen
Level 1
Level 1

‎07-22-2008 11:22 AM - edited ‎02-21-2020 03:50 PM

Hello, I am having a problem with a LAN to LAN VPN tunnel and a FTP client that is trying to go to passive mode communication while on the VPN. I'm stumped.

The setup

On our side we have a Cisco Concentrator 3060 and a FTP server running on a Unix server. The Unix server is NAT'd to a public IP on the 3060. We have no port filtering in place.

On the foreign network, not controlled by us, we have a Cisco PIX 535 and a XP machine that has a static IP. The XP machine has a NAT on the PIX to a public IP. I am told there is no port filtering of any kind for this tunnel. I am able to RDP to the XP machine over the LAN to LAN tunnel. The PIX 535 is running FTP fixup protocol.

The problem:

The XP uses a FTP client (indyFTP) to connect to the Unix server over the VPN, and connects fine in active FTP mode. 3 way hand shake happens fine, FTP client logs in and passes auth fine.

Then the FTP client on XP machine sends a PASSV command to the Unix server to indicate that it is entering passive mode. The Unix server responds with the PASSV ok response, the ip of the Unix server, and the ephemeral port number (~53,000ish). Normally I would expect to see a 3 way handshake next on the new port but I see nothing. Eventually the Unix server repeats its PASSV OK packet as a retransmission. It does this twice and after not hearing from the XP machine again it sends a goodbye. Then that goodbye also retransmits a few times.

This whole setup works from when the VPN is removed and the XP and Unix servers are on the same subnet.

Any help is GREATLY appreciated.

Eric

Labels:
0 Helpful
2 Replies 2

michael.leblanc
Level 4
Level 4

‎07-22-2008 03:41 PM

You haven't specified any layer 4 criteria (i.e.: ports) in your crypto ACL have you?

Have you placed a sniffer on the WAN side to see if either half of the data channel is un-encapsulated?

0 Helpful

Eric Hansen
Level 1
Level 1
In response to michael.leblanc

‎07-25-2008 01:28 PM

Sorry i meant to reply sooner, bad me, this actually turned out to be a problem on the FTP server. The server was sending back a PASV OK message with the IP of the FTP in the data field. The IP was the internal IP and not the NAT'd ip.

0 Helpful
Customers Also Viewed These Support Documents