Hello, I am having a problem with a LAN-to-LAN VPN tunnel and an FTP client that is trying to go to passive mode communication while on the VPN. I'm stumped.
On our side we have a Cisco Concentrator 3060 and an FTP server running on a Unix server. The Unix server is NAT'd to a public IP on the 3060. We have no port filtering in place.
On the foreign network, not controlled by us, we have a Cisco PIX 535 and an XP machine that has a static IP. The XP machine has a NAT on the PIX to a public IP. I am told there is no port filtering of any kind for this tunnel. I am able to RDP to the XP machine over the LAN-to-LAN tunnel. The PIX 535 is running the FTP fixup protocol.
The XP uses an FTP client (indyFTP) to connect to the Unix server over the VPN, and connects fine in active FTP mode. The three-way handshake happens fine, the FTP client logs in and passes auth fine.
Then the FTP client on the XP machine sends a PASV command to the Unix server to indicate that it is entering passive mode. The Unix server responds with the PASV OK response, the IP of the Unix server, and the ephemeral port number (~53,000ish). Normally I would expect to see a three-way handshake next on the new port, but I see nothing. Eventually the Unix server repeats its PASV OK packet as a retransmission. It does this twice and, after not hearing from the XP machine again, it sends a goodbye. Then that goodbye also retransmits a few times.
This whole setup works when the VPN is removed and the XP and Unix servers are on the same subnet.
Sorry I meant to reply sooner, bad me, this actually turned out to be a problem on the FTP server. The server was sending back a PASV OK message with the IP of the FTP server in the data field. The IP was the internal IP and not the NAT'd IP.
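The failure described in this thread is visible in the 227 reply itself: the address the server advertises does not match the address the client actually connected to. The following check is an added example, not code from the thread or from any Cisco product; it parses a 227 PASV reply per RFC 959, computes the data port, and flags a mismatch with the control-connection peer or an RFC 1918 address. The reply text and the 203.0.113.10 peer address are constructed sample values.

```python
import ipaddress
import re

# RFC 959 227 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# Private ranges an FTP server behind NAT must not advertise to a remote client
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: a server behind NAT leaking its internal address
CONTROL_PEER = "203.0.113.10"                        # public IP the client connected to
BROKEN_REPLY = "227 Entering Passive Mode (10,1,2,3,207,48)"


def parse_pasv(reply: str):
    """Return (ip, port) advertised in a 227 reply, or None if it is not a valid one."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2   # port is p1*256 + p2


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def check_pasv(reply: str, control_peer_ip: str):
    """Compare the address in the PASV reply with the address the control
    connection actually reached. Returns a list of findings; empty means OK."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["not a valid 227 PASV reply"]
    adv_ip, adv_port = parsed
    findings = []
    if adv_ip != control_peer_ip:
        findings.append(f"advertised {adv_ip}:{adv_port} but control peer is {control_peer_ip}")
    if is_rfc1918(adv_ip):
        findings.append(f"advertised address {adv_ip} is RFC 1918 private (NAT not applied)")
    return findings


if __name__ == "__main__":
    for line in check_pasv(BROKEN_REPLY, CONTROL_PEER):
        print("PASV problem:", line)
```

Run it against a captured control-channel reply from a packet capture; no findings means the NAT device (or the server's own configuration) rewrote the advertised address correctly.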