FTP from Firewall to device in encryption domain

Brad_Shawh (Level 1)

Hi

I have a site-to-site VPN from Site A to Site B.

Site A : 10.110.11.0/24

Site B : 10.0.0.0/8 network

Behind Site B's firewall, we have an FTP server (10.x.x.x).

There is a default route on Site A that points to the gateway (ISP's IP address).

I am trying to take a backup of the firewall using the following command:

backup /noconfirm location ftp://username:password@10.x.x.x/backups/

On the monitoring, I get the following logs (columns: severity | date time | syslog ID | source IP : port | destination IP : port | description):

6 | Apr 23 2020 06:14:50 | 302013 | x.x.x.x (gateway IP) : 22632 | 10.x.x.x : 21 | Built outbound TCP connection 5098542 for outside:10.x.x.x/21 (10.x.x.x/21) to identity:x.x.x.x/22632 (x.x.x.x/22632)

6 | Apr 23 2020 06:15:00 | 302014 | 10.x.x.x : 21 | x.x.x.x : 22632 | Teardown TCP connection 5098542 for outside:10.x.x.x/21 to identity:x.x.x.x/22632 duration 0:00:10 bytes 0 SYN Timeout

x.x.x.x = gateway IP of Site A's firewall.

I believe traffic can't be initiated from the firewall to the encryption domain; is there a way to take the backup here?

5 Replies

Hi,
Include the outside IP address of the Site A firewall in the ACL defining the interesting traffic (encryption domain). Obviously mirror this on the Site B firewall as well.

HTH

Thank you.


That did not help.

The connection from the firewall to the FTP server goes fine, then the next log entry is a SYN timeout.

6 | Apr 23 2020 19:27:22 | 302014 | 10.x.x.x : 21 | x.x.x.x : 3195 | Teardown TCP connection 5124890 for outside:10.x.x.x/21 to identity:x.x.x.x/3195 duration 0:00:10 bytes 0 SYN Timeout

Does it establish an IPSec SA for that communication?
Have you defined a rule in the ACL permitting this communication?

Your return traffic from the FTP server 10.x.x.x could be unintentionally NATed; ensure you have a NAT exemption rule in place.

Run packet-tracer to test the communication and provide the output.
Run a packet capture on the firewall and provide the output.
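As an added example (not part of any reply in this thread, and not the original poster's configuration), the ASA CLI fragment below shows what the two suggestions above look like in configuration and how to collect the packet-tracer and capture output that was asked for. Interface names (inside, outside), object and ACL names, the inside test host 10.110.11.10 and the peer address SITEB_PEER are assumed placeholders; the prefixes and the FTP server address are the ones given in the thread.

```cisco
! Added example for this thread; placeholders: interface names, object names,
! the inside host 10.110.11.10 and SITEB_PEER (Site B's VPN peer address).

! 1. Crypto ACL (interesting traffic) on Site A. The log lines show the backup
!    flow as "identity:x.x.x.x", i.e. sourced from the outside interface IP,
!    so that host is added as a source alongside the LAN.
object network SITEA_LAN
 subnet 10.110.11.0 255.255.255.0
object network SITEA_OUTSIDE_IP
 host x.x.x.x
object network SITEB_NET
 subnet 10.0.0.0 255.0.0.0
access-list SITEB_VPN extended permit ip object SITEA_LAN object SITEB_NET
access-list SITEB_VPN extended permit ip object SITEA_OUTSIDE_IP object SITEB_NET
! Site B's crypto ACL must carry the mirror image:
!   SITEB_NET -> SITEA_LAN and SITEB_NET -> SITEA_OUTSIDE_IP

! 2. NAT exemption (ASA 8.3+ twice-NAT form) so LAN traffic into the tunnel
!    keeps its real addresses.
nat (inside,outside) source static SITEA_LAN SITEA_LAN destination static SITEB_NET SITEB_NET no-proxy-arp route-lookup

! 3. packet-tracer: simulates a packet ARRIVING on an interface, so it checks
!    the ACL, NAT and VPN phases for a LAN host; it cannot emulate traffic the
!    firewall generates itself, which is the flow in question here.
packet-tracer input inside tcp 10.110.11.10 22632 10.x.x.x 21 detailed

! 4. Captures on the outside interface: one for the cleartext FTP flow, one
!    for ESP toward the peer. If the SYN appears in FTPCAP but no ESP leaves
!    in ESPCAP, the flow never matched the crypto ACL. If ESP leaves but the
!    SA's decaps counter stays at 0, look at Site B (crypto ACL, NAT, routing).
capture FTPCAP interface outside match tcp host x.x.x.x host 10.x.x.x eq 21
capture ESPCAP interface outside match esp host x.x.x.x host SITEB_PEER
! ... run the backup command now, then inspect:
show capture FTPCAP
show capture ESPCAP
show crypto ipsec sa peer SITEB_PEER
! clean up
no capture FTPCAP
no capture ESPCAP
```

The `#pkts encaps` / `#pkts decaps` counters in `show crypto ipsec sa` tell you in which direction the tunnel is actually carrying packets for this SA; a "SYN Timeout" with bytes 0, as in the thread's logs, is consistent with the SYN either never being encrypted or never getting a reply from Site B. Whether the firewall's own `backup` command can source its connection through the tunnel is release-dependent; check the command reference for your ASA version before relying on the crypto-ACL change alone.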

Does it establish an IPSec SA for that communication? : Yes

Have you defined a rule in the ACL permitting this communication? : Yes

Your return traffic from the FTP server 10.x.x.x could be unintentionally NATed; ensure you have a NAT exemption rule in place.

I added the public IP to NAT exemption.

Packet tracer : Please let me know the parameters for packet tracer.

Run a packet capture on the firewall and provide the output : What parameters please?

Bump!

Any hint please?
