I am testing a CSS 11501 which I have added to my network behind a pix 515 firewall. Using static commands, the pix sends www traffic to one
server and ftp to another. Now that I have introduced the CSS, the pix sends the packets to VIP addresses on the CSS, which in turn sends them
to the intended server, or a sorry server in the event of a failure.
The www side is working very well, but I am having trouble with ftp. I am able to connect to the ftp server, but when I try to transfer files from a web application, the pix is dropping the packets and throws error # 406002 (FTP port command different address on interface inside). Here is a snip from the pix log:
305011: Built static TCP translation from inside:192.168.3.4/21 to outside:18.104.22.168/21
302013: Built inbound TCP connection 74 for outside:22.214.171.124/1561 (126.96.36.199/1561) to inside:192.168.3.4/21 (188.8.131.52/21)
406002: FTP port command different address: 192.168.3.4(192.168.1.22) to 184.108.40.206 on interface inside
302014: Teardown TCP connection 74 for outside:220.127.116.11/1561 to inside:192.168.3.4/21 duration 0:00:01 bytes 269 Deny
106015: Deny TCP (no connection) from 18.104.22.168/1561 to 22.214.171.124/21 flags PSH ACK on interface outside
126.96.36.199 = Client initiating FTP conn. and transfer
192.168.3.4 = VIP of ftp service on CSS
188.8.131.52 = FTP server
I am pretty new to all of this stuff, but if I read this correctly, the pix does not like the fact that the packets from the FTP server appear
to be coming from another address, which is in this case the VIP address of the ftp service on the CSS. I honestly don't know if I need to
change the config on the pix or the css...or both for that matter.
This can happen if the NAT engine that the client is going through is not NATing the IP address in the data payload as it should, and therefore when the client pushes the PORT command, the IP address in the data payload does not match what the PIX has stored for this Fixup FTP connection and it then denies the data connection from this FTP client.
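To make the fixup's check concrete, here is an added example (not from the original post or from Cisco) that parses the h1,h2,h3,h4,p1,p2 address carried in a PORT command or a 227 PASV reply and flags the mismatch the 406002 message reports, then pulls the addresses out of the 406002 line itself so the mismatch can be correlated with the NAT/VIP configuration. The PORT/PASV sample lines are constructed; the 406002 line is the one from the log above.

```python
import re
from typing import NamedTuple, Optional

# Address argument of an active-mode PORT command or a passive-mode 227 reply:
# h1,h2,h3,h4,p1,p2 (RFC 959). Port = p1 * 256 + p2.
_HOSTPORT_RE = re.compile(
    r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)

# PIX message 406002 in the form shown in the post:
# "... different address: src(embedded) to dst on interface name"
_MSG_406002_RE = re.compile(
    r"406002: FTP port command different address: "
    r"(?P<src>[\d.]+)\((?P<embedded>[\d.]+)\) to (?P<dst>[\d.]+) "
    r"on interface (?P<iface>\w+)"
)


class DataEndpoint(NamedTuple):
    ip: str
    port: int


def parse_ftp_hostport(line: str) -> Optional[DataEndpoint]:
    """Extract the IP/port advertised in a PORT command or a 227 PASV reply.
    Returns None if the line carries no h1,h2,h3,h4,p1,p2 tuple."""
    m = _HOSTPORT_RE.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None  # not a valid octet/port byte
    return DataEndpoint(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def address_mismatch(packet_src_ip: str, ftp_line: str) -> bool:
    """The check the fixup performs: True when the address advertised inside
    the FTP payload differs from the source IP of the packet carrying it.
    In the post, the packet comes from the CSS VIP while the payload still
    names the real server, so this returns True and the PIX drops the data
    connection."""
    ep = parse_ftp_hostport(ftp_line)
    return ep is not None and ep.ip != packet_src_ip


def parse_406002(log_line: str) -> Optional[dict]:
    """Split a 406002 log line into packet source, embedded address,
    destination and interface so the mismatch can be mapped onto the
    NAT / VIP configuration."""
    m = _MSG_406002_RE.search(log_line)
    return m.groupdict() if m else None
```

Running parse_406002 over the log above shows the packet source as the CSS VIP and the embedded address as a different host, which is exactly the condition address_mismatch flags.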