Disclaimer: I'm not a network expert or Cisco certified...
I have a few remote locations that use a Cisco 5505 to connect to my server through a VPN Tunnel. When they establish a connection through the tunnel they use FTP with the PASV command and successfully send and receive data. No issues. The same remote locations will connect to external FTP sites without a VPN tunnel and attempt to use FTP with PASV and the connection fails after the PASV command is issued.
Also, when these sites connect to my FTP server all their internal addresses are configured with a Dynamic HIDE NAT. They don't use this NAT rule when they connect to other FTP sites. (I'm fairly certain about this last statement.)
The question is why would an FTP connection through a VPN Tunnel work with PASV, but on a non-tunneled connection the Cisco 5505 blocks the connection.
I would think that the connection should drop in both scenarios. What makes the VPN Tunnel connection special to prevent the connection drop?
(I just learned about the fixup protocol with the group policy change to resolve the problem. So I can resolve the issue. But I'm interested in knowing why there is a discrepancy.)
I did ask our network team and they thought it was somewhat strange too. They suspect the tunnel has something to do with it, but I'm looking for a solid answer. I also haven't found any prior discussions about this particular scenario.
As you might know, the FTP protocol dynamically opens additional ports to send the data, so if the ASA is not inspecting this protocol up to the application layer it will drop the packet, because it will receive a packet from a non-existing connection from the lower security level (outside).
To solve this you just need to let the ASA know: "Inspect the FTP traffic up to the application layer, also known as Deep Packet Inspection (DPI), so you can know the port the FTP server and the client will use to send the traffic". Then the ASA will dynamically open that port and the connection will get established.
Do you see what I mean? Let me know if it's clear enough.
Julio Carvajal Senior Network Security and Core Specialist CCIE #42930, 2xCCNP, JNCIP-SEC
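To make the answer above concrete, here is an added example (not from the original thread or from Cisco) that models what an FTP application-layer inspector does: it reads the server's 227 reply on the control channel, computes the announced data port, and opens a pinhole for that data connection. The firewall model, the addresses and the reply line are constructed for illustration, and the model is simplified in that it only permits a data connection for which a pinhole was learned; on an ASA, `inspect ftp` under the global policy-map is what performs this parsing.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# A PASV reply looks like: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
# The data port is p1*256 + p2. An inspector has to parse this to know
# which data connection to expect; a plain stateful firewall never sees it.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(line: str) -> Optional[Tuple[str, int]]:
    """Return (server_ip, data_port) announced in a 227 reply, else None."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(octet > 255 for octet in (h1, h2, h3, h4, p1, p2)):
        return None  # malformed reply: never open a pinhole for it
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass
class StatefulFirewall:
    """Constructed, simplified model: a data connection is permitted only
    if the control-channel inspection learned a pinhole for it."""
    inspect_ftp: bool
    pinholes: Set[Tuple[str, str, int]] = field(default_factory=set)

    def observe_control(self, client_ip: str, server_line: str) -> None:
        """Called for each server reply seen on the control channel (tcp/21)."""
        if not self.inspect_ftp:
            return  # no DPI: the control channel is opaque, nothing is learned
        hit = parse_pasv_reply(server_line)
        if hit:
            server_ip, data_port = hit
            self.pinholes.add((client_ip, server_ip, data_port))

    def permits_data_connection(self, client_ip: str, server_ip: str, port: int) -> bool:
        return (client_ip, server_ip, port) in self.pinholes


def demo(inspect_ftp: bool) -> bool:
    """Replay one PASV exchange (constructed addresses) with inspection on or off."""
    fw = StatefulFirewall(inspect_ftp=inspect_ftp)
    fw.observe_control("10.1.1.25", "227 Entering Passive Mode (203,0,113,10,195,80).")
    # Client now tries to open the data channel to the announced port (50000).
    return fw.permits_data_connection("10.1.1.25", "203.0.113.10", 195 * 256 + 80)


if __name__ == "__main__":
    print("with inspect ftp:", demo(True))     # True
    print("without inspect ftp:", demo(False))  # False
```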