Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Problems with passive FTP over lan to lan VPN

Hello, I am having a problem with a LAN to LAN VPN tunnel and a FTP client that is trying to go to passive mode communication while on the VPN. I'm stumped.

The setup

On our side we have a Cisco Concentrator 3060 and a FTP server running on a Unix server. The Unix server is NAT'd to a public IP on the 3060. We have no port filtering in place.

On the foreign network, not controlled by us, we have a Cisco PIX 535 and a XP machine that has a static IP. The XP machine has a NAT on the PIX to a public IP. I am told there is no port filtering of any kind for this tunnel. I am able to RDP to the XP machine over the LAN to LAN tunnel. The PIX 535 is running FTP fixup protocol.

The problem:

The XP uses a FTP client (indyFTP) to connect to the Unix server over the VPN, and connects fine in active FTP mode. 3 way hand shake happens fine, FTP client logs in and passes auth fine.

Then the FTP client on XP machine sends a PASSV command to the Unix server to indicate that it is entering passive mode. The Unix server responds with the PASSV ok response, the ip of the Unix server, and the ephemeral port number (~53,000ish). Normally I would expect to see a 3 way handshake next on the new port but I see nothing. Eventually the Unix server repeats its PASSV OK packet as a retransmission. It does this twice and after not hearing from the XP machine again it sends a goodbye. Then that goodbye also retransmits a few times.

This whole setup works from when the VPN is removed and the XP and Unix servers are on the same subnet.

Any help is GREATLY appreciated.



Re: Problems with passive FTP over lan to lan VPN

You haven't specified any layer 4 criteria (i.e.: ports) in your crypto ACL have you?

Have you placed a sniffer on the WAN side to see if either half of the data channel is un-encapsulated?

New Member

Re: Problems with passive FTP over lan to lan VPN

Sorry i meant to reply sooner, bad me, this actually turned out to be a problem on the FTP server. The server was sending back a PASV OK message with the IP of the FTP in the data field. The IP was the internal IP and not the NAT'd ip.