03-29-2007 01:41 PM - edited 02-21-2020 02:57 PM
I have a Cisco ASA 5510 that I have set up to provide site-to-site VPN access between our local network and a PIX 515 on a remote network (a SAP that needs access to upload files to our FTP server). This unit is not doing any firewalling at this time, only VPN connections. The server is not using NAT and the SAP will connect over an IPSEC connection.
The tunnel is created successfully and the user was able to ping the server but not connect (I say WAS because now the user cannot ping the server either). I have allowed all traffic to our internal FTP server through the Checkpoint, and connections from the local network work with no problem. I can even connect using the Cisco VPN client and make a connection to the FTP server. This connection problem only happens when using the site-to-site VPN.
Here is an overview to help sort things out (IPs changed for security) and parts of the config:
Remote network (public IP): 172.16.1.8
Internal Host on the remote network making the connection: 192.168.1.8
Internal FTP Server: 10.54.1.133
asdm image disk0:/asdm521.bin
asdm history enable
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name domain.com
enable password
names
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 1.2.3.4 255.255.255.128
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.54.1.200 255.255.252.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 192.168.199.1 255.255.255.0
!
interface Ethernet0/3
shutdown
nameif Not_Used
security-level 0
ip address 192.168.9.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
**************************
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list Inside_nat0_outbound extended permit ip 10.54.1.0 255.255.252.0 192.168.1.0 255.255.255.0
access-list Outside_20_cryptomap extended permit ip 10.54.1.0 255.255.252.0 192.168.1.0 255.255.255.0
***************************
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 20 match address Outside_20_cryptomap
crypto map Outside_map 20 set peer 172.16.1.8
crypto map Outside_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 172.16.1.8 type ipsec-l2l
tunnel-group 172.16.1.8 ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
03-29-2007 02:20 PM
515 config would help also if possible.
I don't see a
nat (inside) 0 access-list Inside_nat0_outbound
but you probably have that in there, as your remote access VPN works, right?
03-29-2007 07:05 PM
Unfortunately, I don't have access to the 515 config (can't get SAP to provide it to me).
nat (inside) 0 access-list inside_nat0_outbound
is there (just didn't include it).
Yes, remote access VPN works great. The only problem is FTP through the site-to-site VPN.
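The question raised above about the missing nat 0 line and the ACL names in the posted config can be checked mechanically. The script below is an added example, not code from the thread or from Cisco: it parses the relevant lines of an ASA 7.x config (access-list, nat 0, crypto map match address), confirms that the NAT-exemption ACL exists and that every crypto-map "interesting traffic" entry is covered by it. The embedded sample is reconstructed from the config posted above plus the nat 0 line exactly as typed in the follow-up reply; names are compared exactly, so the lowercase inside_nat0_outbound in the reply is reported as not matching the ACL named Inside_nat0_outbound in the config, which is worth confirming on the box rather than assuming it is a transcription slip.

```python
import re
from ipaddress import IPv4Network

# Constructed sample: relevant lines from the posted ASA config plus the
# "nat (inside) 0" line as typed in the follow-up reply (lowercase ACL name).
SAMPLE_CONFIG = """\
access-list Inside_nat0_outbound extended permit ip 10.54.1.0 255.255.252.0 192.168.1.0 255.255.255.0
access-list Outside_20_cryptomap extended permit ip 10.54.1.0 255.255.252.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map Outside_map 20 match address Outside_20_cryptomap
crypto map Outside_map 20 set peer 172.16.1.8
crypto map Outside_map interface Outside
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")


def parse_config(text):
    """Extract ACL entries, nat 0 bindings and crypto-map match ACLs."""
    acls = {}        # ACL name -> list of (src_net, dst_net)
    nat0 = {}        # interface (lowercased) -> ACL name
    cryptomaps = {}  # (map name, seq) -> ACL name
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, s, sm, d, dm = m.groups()
            # strict=False: the config writes 10.54.1.0/22, whose host bits are set
            acls.setdefault(name, []).append(
                (IPv4Network(f"{s}/{sm}", strict=False), IPv4Network(f"{d}/{dm}", strict=False)))
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0[m.group(1).lower()] = m.group(2)
            continue
        m = MATCH_RE.match(line)
        if m:
            cryptomaps[(m.group(1), int(m.group(2)))] = m.group(3)
    return acls, nat0, cryptomaps


def check_l2l(text, inside_if="inside"):
    """Return a list of findings; an empty list means the NAT exemption is consistent."""
    acls, nat0, cryptomaps = parse_config(text)
    findings = []
    nat0_name = nat0.get(inside_if.lower())
    if nat0_name is None:
        findings.append(f"no 'nat ({inside_if}) 0 access-list' line found")
    elif nat0_name not in acls:
        findings.append(f"nat 0 references ACL '{nat0_name}', which is not defined "
                        f"(names compared exactly; defined: {sorted(acls)})")
    for (mapname, seq), aclname in cryptomaps.items():
        entries = acls.get(aclname)
        if not entries:
            findings.append(f"crypto map {mapname} {seq} references undefined ACL '{aclname}'")
            continue
        if nat0_name in acls:
            exempt = acls[nat0_name]
            for src, dst in entries:
                covered = any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt)
                if not covered:
                    findings.append(f"crypto map {mapname} {seq}: {src} -> {dst} is interesting "
                                    f"traffic but is not NAT-exempted by {nat0_name}")
    return findings


if __name__ == "__main__":
    for finding in check_l2l(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against a `show running-config` capture instead of the sample to check a real box; a corrected config, where the nat 0 line names the ACL exactly as defined, produces no findings.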
03-30-2007 07:37 AM
I notice that the "inspect ftp" command is configured on the global policy. You can get problems with passive FTP when this is enabled.
You can test this by starting an FTP session to the FTP server from a DOS prompt (active FTP) and starting an FTP session with third-party software which uses passive FTP.
"inspect ftp" is the problem if active FTP works and passive does not.
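To make the active/passive test above concrete, here is an added example (not code from the thread or from Cisco). It parses the two control-channel messages an FTP inspection engine acts on, the server's 227 PASV reply and the client's PORT command, and derives the data connection the firewall must open (port = p1*256 + p2, per RFC 959). It also flags when the address embedded in the message differs from the address on the control connection, which is the case where inspection has to rewrite the payload and where a mismatch between the tunnel and the inspection view breaks the data channel. The probe_ftp_modes function repeats the manual test from the reply with ftplib; the sample messages, host and credentials are constructed, not taken from the thread.

```python
import re
from ftplib import FTP, error_perm

# Constructed control-channel samples: a PASV reply from the FTP server and a
# PORT command from the remote client, addressed as in the thread's diagram.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (10,54,1,133,195,80)"
SAMPLE_PORT_CMD = "PORT 192,168,1,8,4,2"

SIX_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_data_endpoint(line):
    """Return (ip, port) carried in a 227 PASV reply or a PORT command."""
    m = SIX_TUPLE.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: " + line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in: " + line)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_channel_pinhole(line, control_client_ip, control_server_ip):
    """Describe the data connection a stateful firewall must permit.

    passive: the client connects to the address/port in the 227 reply.
    active:  the server connects (from port 20) to the address/port in PORT.
    embedded_ip_matches_control is False when the payload address differs from
    the control-connection address, i.e. when inspection would have to rewrite it.
    """
    ip, port = parse_data_endpoint(line)
    if line.startswith("227"):
        return {"mode": "passive", "from": control_client_ip, "to": ip, "dport": port,
                "embedded_ip_matches_control": ip == control_server_ip}
    if line.upper().startswith("PORT"):
        return {"mode": "active", "from": control_server_ip, "to": ip, "dport": port,
                "embedded_ip_matches_control": ip == control_client_ip}
    raise ValueError("not a PASV reply or PORT command: " + line)


def probe_ftp_modes(host, user="anonymous", password="test@example.com", timeout=10):
    """Try a directory listing in active then passive mode; return which modes work.

    Mirrors the manual test in the thread: a command-line ftp client uses active
    mode, most GUI clients use passive mode. Host and credentials are assumptions.
    """
    results = {}
    for mode in ("active", "passive"):
        try:
            ftp = FTP(timeout=timeout)
            ftp.connect(host, 21)
            ftp.login(user, password)
            ftp.set_pasv(mode == "passive")
            ftp.retrlines("LIST", lambda _line: None)  # forces a data connection
            ftp.quit()
            results[mode] = "ok"
        except (OSError, error_perm, EOFError) as exc:
            results[mode] = f"failed: {exc}"
    return results


if __name__ == "__main__":
    print(data_channel_pinhole(SAMPLE_PASV_REPLY, "192.168.1.8", "10.54.1.133"))
    print(data_channel_pinhole(SAMPLE_PORT_CMD, "192.168.1.8", "10.54.1.133"))
    # print(probe_ftp_modes("10.54.1.133"))  # run from the remote side of the tunnel
```

If probe_ftp_modes reports active "ok" and passive "failed" from the remote site while both succeed from the local LAN, that matches the symptom the reply attributes to "inspect ftp"; the pinhole output shows which address and port the inspection engine had to open for the failing mode.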