https://community.cisco.com/t5/network-security/ftp-from-firewall-to-device-in-encryption-domain/m-p/4074821#M1069539 <P class="lia-align-left">Bump!</P><P class="lia-align-left">&nbsp;</P><P class="lia-align-left">Any hint please?</P> Mon, 27 Apr 2020 12:04:04 GMT Brad_Shawh 2020-04-27T12:04:04Z https://community.cisco.com/t5/network-security/ftp-from-firewall-to-device-in-encryption-domain/m-p/4072089#M1069417 <P>Hi</P><P>&nbsp;</P><P>I have a site to site VPN from Site A to Site B.&nbsp;</P><P>&nbsp;</P><P>Site A : 10.110.11.0/24</P><P>Site B : 10.0.0.0/8 Network</P><P>&nbsp;</P><P>Behind Site B's firewall, we have an FTP server (10.x.x.x)</P><P>&nbsp;</P><P>There is a default route on Site A that points to Gateway (ISP's IP address).</P><P>&nbsp;</P><P>I am trying to take backup of the firewall using the following command</P><P>&nbsp;</P><P>backup /noconfirm location ftp://username:password@10.x.x.x/backups/"</P><P>&nbsp;</P><P>On the monitoring, I get the following logs</P><P>&nbsp;</P><TABLE><TBODY><TR><TD>6</TD><TD>Apr 23 2020</TD><TD>06:14:50</TD><TD>302013</TD><TD>x.x.x.x (gateway IP)</TD><TD>22632</TD><TD>10.x.x.x</TD><TD>21</TD><TD>Built outbound TCP connection 5098542 for outside:10.x.x.x/21 (10.x.x.x/21) to identity:x.x.x.x/22632 (x.x.x.x/22632)</TD></TR></TBODY></TABLE><P>&nbsp;</P><TABLE><TBODY><TR><TD>6</TD><TD>Apr 23 2020</TD><TD>06:15:00</TD><TD>302014</TD><TD>10.x.x.x</TD><TD>21</TD><TD>x.x.x.x</TD><TD>22632</TD><TD>Teardown TCP connection 5098542 for outside:10.x.x.x/21 to identity:x.x.x.x/22632 duration 0:00:10 bytes 0 SYN Timeout</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>x.x.x.x = Gateway IP Site A's firewall.</P><P>&nbsp;</P><P>I believe traffic can't be initiated from the Firewall to encryption domain, is there a way to take backup here?</P> Thu, 23 Apr 2020 06:31:42 GMT https://community.cisco.com/t5/network-security/ftp-from-firewall-to-device-in-encryption-domain/m-p/4072089#M1069417 Brad_Shawh 2020-04-23T06:31:42Z https://community.cisco.com/t5/network-security/ftp-from-firewall-to-device-in-encryption-domain/m-p/4072208#M1069421 Hi,<BR />Include the outside IP address of Site A firewall in the ACL defining the interesting traffic (encryption domain). Obviously mirror this on Site B firewall aswell.<BR /><BR />HTH Thu, 23 Apr 2020 08:59:09 GMT https://community.cisco.com/t5/network-security/ftp-from-firewall-to-device-in-encryption-domain/m-p/4072208#M1069421 Rob Ingram 2020-04-23T08:59:09Z https://community.cisco.com/t5/network-security/ftp-from-firewall-to-device-in-encryption-domain/m-p/4072717#M1069447 <P>Thank you.</P><P><BR />That did not help.</P><P>&nbsp;</P><P>The connection from Firewall to FTP server goes fine, then next log entry is syn timeout.</P><P>&nbsp;</P><TABLE><TBODY><TR><TD>6</TD><TD>Apr 23 2020</TD><TD>19:27:22</TD><TD>302014</TD><TD>10.x.x.x</TD><TD>21</TD><TD>x.x.x.x</TD><TD>3195</TD><TD>Teardown TCP connection 5124890 for outside:10.x.x.x/21 to identity:x.x.x.x/3195 duration 0:00:10 bytes 0 SYN Timeout</TD></TR></TBODY></TABLE> Thu, 23 Apr 2020 19:30:40 GMT https://community.cisco.com/t5/network-security/ftp-from-firewall-to-device-in-encryption-domain/m-p/4072717#M1069447 Brad_Shawh 2020-04-23T19:30:40Z https://community.cisco.com/t5/network-security/ftp-from-firewall-to-device-in-encryption-domain/m-p/4072718#M1069448 Does it establish an IPSec SA for that communication?<BR />Have you defined a rule in the ACL permitting this communication?<BR /><BR />Your return traffic from the FTP server 10.x.x.x could be unintentially natted, ensure you have a NAT exemption rule in place.<BR /><BR />Run packet-tracer to test the communication and provide the output<BR />Run a packet capture on the firewall and provide the output. Thu, 23 Apr 2020 19:39:57 GMT https://community.cisco.com/t5/network-security/ftp-from-firewall-to-device-in-encryption-domain/m-p/4072718#M1069448 Rob Ingram 2020-04-23T19:39:57Z https://community.cisco.com/t5/network-security/ftp-from-firewall-to-device-in-encryption-domain/m-p/4072734#M1069451 <P><SPAN>Does it establish an IPSec SA for that communication? : Yes</SPAN></P><P><SPAN>Have you defined a rule in the ACL permitting this communication? : Yes<BR /></SPAN></P><P>&nbsp;</P><P><SPAN>Your return traffic from the FTP server 10.x.x.x could be unintentially natted, ensure you have a NAT exemption rule in place.<BR /></SPAN></P><P>&nbsp;</P><P><SPAN>I added the public IP to NAT exemption.</SPAN></P><P>&nbsp;</P><P><SPAN>Packet tracker : Please let me know the parameters for packet tracer.</SPAN></P><P>&nbsp;</P><DIV class="lia-message-body lia-component-message-view-widget-body lia-component-body-signature-highlight-escalation lia-component-message-view-widget-body-signature-highlight-escalation"><DIV class="lia-message-body-content">Run a packet capture on the firewall and provide the output : What parameters please?&nbsp;</DIV></DIV> Thu, 23 Apr 2020 21:48:00 GMT https://community.cisco.com/t5/network-security/ftp-from-firewall-to-device-in-encryption-domain/m-p/4072734#M1069451 Brad_Shawh 2020-04-23T21:48:00Z https://community.cisco.com/t5/network-security/ftp-from-firewall-to-device-in-encryption-domain/m-p/4074821#M1069539 <P class="lia-align-left">Bump!</P><P class="lia-align-left">&nbsp;</P><P class="lia-align-left">Any hint please?</P> Mon, 27 Apr 2020 12:04:04 GMT https://community.cisco.com/t5/network-security/ftp-from-firewall-to-device-in-encryption-domain/m-p/4074821#M1069539 Brad_Shawh 2020-04-27T12:04:04Z