I have a site to site VPN from Site A to Site B.
Site A : 10.110.11.0/24
Site B : 10.0.0.0/8 Network
Behind Site B's firewall, we have an FTP server (10.x.x.x)
There is a default route on Site A that points to Gateway (ISP's IP address).
I am trying to take a backup of the firewall using the following command:
backup /noconfirm location ftp://username:email@example.com/backups/
In the monitoring logs I see the following entries:
| Severity | Date | Time | Syslog ID | Source IP | Source Port | Destination IP | Destination Port | Description |
|---|---|---|---|---|---|---|---|---|
| 6 | Apr 23 2020 | 06:14:50 | 302013 | x.x.x.x (gateway IP) | 22632 | 10.x.x.x | 21 | Built outbound TCP connection 5098542 for outside:10.x.x.x/21 (10.x.x.x/21) to identity:x.x.x.x/22632 (x.x.x.x/22632) |
| 6 | Apr 23 2020 | 06:15:00 | 302014 | 10.x.x.x | 21 | x.x.x.x | 22632 | Teardown TCP connection 5098542 for outside:10.x.x.x/21 to identity:x.x.x.x/22632 duration 0:00:10 bytes 0 SYN Timeout |
x.x.x.x = gateway IP of Site A's firewall.
I believe traffic can't be initiated from the firewall itself into the encryption domain; is there a way to take a backup here?
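The two log rows above are the whole symptom: a 302013 "Built" entry whose near end is the `identity` interface (the ASA itself, sourcing from its outside address), followed ten seconds later by a 302014 "Teardown" with `bytes 0` and reason `SYN Timeout`, meaning the SYN never got an answer. The following script is an added example written for this page, not code from the thread or from Cisco; it parses rows in the pipe-delimited layout shown here, correlates build and teardown entries by connection ID, and flags firewall-originated sessions that died without completing the handshake. The addresses 203.0.113.10 and 10.20.30.40 are constructed placeholders standing in for the x.x.x.x and 10.x.x.x of the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample rows in the same '|a||b||...|' layout as the thread's excerpt.
# 203.0.113.10 stands in for the Site A gateway IP, 10.20.30.40 for the FTP server.
SAMPLE_ROWS = [
    "|6||Apr 23 2020||06:14:50||302013||203.0.113.10||22632||10.20.30.40||21||"
    "Built outbound TCP connection 5098542 for outside:10.20.30.40/21 (10.20.30.40/21) "
    "to identity:203.0.113.10/22632 (203.0.113.10/22632)|",
    "|6||Apr 23 2020||06:15:00||302014||10.20.30.40||21||203.0.113.10||22632||"
    "Teardown TCP connection 5098542 for outside:10.20.30.40/21 to identity:203.0.113.10/22632 "
    "duration 0:00:10 bytes 0 SYN Timeout|",
    # A healthy session, for contrast: data flowed and it closed with FINs.
    "|6||Apr 23 2020||06:20:00||302013||203.0.113.10||40001||10.20.30.40||21||"
    "Built outbound TCP connection 5098600 for outside:10.20.30.40/21 (10.20.30.40/21) "
    "to identity:203.0.113.10/40001 (203.0.113.10/40001)|",
    "|6||Apr 23 2020||06:21:30||302014||10.20.30.40||21||203.0.113.10||40001||"
    "Teardown TCP connection 5098600 for outside:10.20.30.40/21 to identity:203.0.113.10/40001 "
    "duration 0:01:30 bytes 4821 TCP FINs|",
]

# Column order of the rows as they appear in the thread (ASDM log viewer layout).
COLUMNS = ["severity", "date", "time", "syslog_id", "src_ip", "src_port",
           "dst_ip", "dst_port", "description"]

BUILT_RE = re.compile(
    r"Built (?P<dir>inbound|outbound) TCP connection (?P<conn>\d+) "
    r"for (?P<for_if>[^:]+):(?P<for_addr>\S+) \([^)]*\) "
    r"to (?P<to_if>[^:]+):(?P<to_addr>\S+) \([^)]*\)")
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) "
    r"for (?P<for_if>[^:]+):(?P<for_addr>\S+) to (?P<to_if>[^:]+):(?P<to_addr>\S+) "
    r"duration (?P<duration>\d+:\d+:\d+) bytes (?P<bytes>\d+) (?P<reason>.+)$")


def parse_row(row: str) -> Dict[str, str]:
    """Split one pipe-delimited row into a dict keyed by COLUMNS."""
    cells = row.strip().strip("|").split("||")
    if len(cells) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} cells, got {len(cells)}: {row!r}")
    return dict(zip(COLUMNS, cells))


@dataclass
class Flow:
    conn_id: str
    asa_originated: bool            # one endpoint is 'identity', i.e. the ASA itself
    remote: str                     # far-end address/port, e.g. 10.20.30.40/21
    built_at: Optional[str] = None
    duration: Optional[str] = None
    bytes_transferred: Optional[int] = None
    teardown_reason: Optional[str] = None


def _remote_of(m: "re.Match") -> str:
    """Pick the non-identity side of a 'for X:a to Y:b' pair as the remote endpoint."""
    return m["for_addr"] if m["to_if"] == "identity" else m["to_addr"]


def correlate(rows: List[str]) -> Dict[str, Flow]:
    """Join 302013 (Built) and 302014 (Teardown) entries by connection ID."""
    flows: Dict[str, Flow] = {}
    for row in rows:
        rec = parse_row(row)
        desc = rec["description"]
        if rec["syslog_id"] == "302013":
            m = BUILT_RE.search(desc)
            if m is None:
                continue
            flows[m["conn"]] = Flow(
                conn_id=m["conn"],
                asa_originated="identity" in (m["for_if"], m["to_if"]),
                remote=_remote_of(m),
                built_at=f'{rec["date"]} {rec["time"]}')
        elif rec["syslog_id"] == "302014":
            m = TEARDOWN_RE.search(desc)
            if m is None:
                continue
            flow = flows.setdefault(m["conn"], Flow(
                conn_id=m["conn"],
                asa_originated="identity" in (m["for_if"], m["to_if"]),
                remote=_remote_of(m)))
            flow.duration = m["duration"]
            flow.bytes_transferred = int(m["bytes"])
            flow.teardown_reason = m["reason"]
    return flows


def failed_asa_sessions(rows: List[str]) -> List[str]:
    """Connection IDs of firewall-originated sessions torn down with no data and a SYN timeout."""
    return [f.conn_id for f in correlate(rows).values()
            if f.asa_originated and f.bytes_transferred == 0
            and f.teardown_reason == "SYN Timeout"]


if __name__ == "__main__":
    for conn_id in failed_asa_sessions(SAMPLE_ROWS):
        f = correlate(SAMPLE_ROWS)[conn_id]
        print(f"{conn_id}: ASA-originated to {f.remote}, {f.duration}, no reply to SYN")
```

Run over a real ASDM export, the interesting property is the `identity` interface: it tells you the packet was sourced by the firewall from its own interface address rather than by a host on the inside network, which is exactly the address that needs to be covered by the crypto ACL and excluded from NAT for the VPN path to carry it.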
That did not help.
The connection from the firewall to the FTP server is built fine; the next log entry is then a SYN timeout.

| Severity | Date | Time | Syslog ID | Source IP | Source Port | Destination IP | Destination Port | Description |
|---|---|---|---|---|---|---|---|---|
| 6 | Apr 23 2020 | 19:27:22 | 302014 | 10.x.x.x | 21 | x.x.x.x | 3195 | Teardown TCP connection 5124890 for outside:10.x.x.x/21 to identity:x.x.x.x/3195 duration 0:00:10 bytes 0 SYN Timeout |
Does it establish an IPSec SA for that communication? : Yes
Have you defined a rule in the ACL permitting this communication? : Yes
Your return traffic from the FTP server 10.x.x.x could be unintentionally NATed; ensure you have a NAT exemption rule in place.
I added the public IP to NAT exemption.
Packet tracer: please let me know the parameters for packet tracer.