350 Views, 0 Helpful, 5 Replies

Beginner

FTP from Firewall to device in encryption domain

Hi

I have a site to site VPN from Site A to Site B.

Site A : 10.110.11.0/24

Site B : 10.0.0.0/8 Network

Behind Site B's firewall, we have an FTP server (10.x.x.x)

There is a default route on Site A that points to Gateway (ISP's IP address).

I am trying to take backup of the firewall using the following command

backup /noconfirm location ftp://username:password@10.x.x.x/backups/

On the monitoring, I get the following logs

Severity 6 | Apr 23 2020 06:14:50 | ID 302013 | src x.x.x.x (gateway IP):22632 | dst 10.x.x.x:21 | Built outbound TCP connection 5098542 for outside:10.x.x.x/21 (10.x.x.x/21) to identity:x.x.x.x/22632 (x.x.x.x/22632)

Severity 6 | Apr 23 2020 06:15:00 | ID 302014 | src 10.x.x.x:21 | dst x.x.x.x:22632 | Teardown TCP connection 5098542 for outside:10.x.x.x/21 to identity:x.x.x.x/22632 duration 0:00:10 bytes 0 SYN Timeout

x.x.x.x = Gateway IP of Site A's firewall.

I believe traffic can't be initiated from the Firewall to the encryption domain, is there a way to take a backup here?

5 REPLIES

VIP Advisor

Re: FTP from Firewall to device in encryption domain

Hi,
Include the outside IP address of the Site A firewall in the ACL defining the interesting traffic (encryption domain). Obviously mirror this on the Site B firewall as well.

HTH
Beginner

Re: FTP from Firewall to device in encryption domain

Thank you.

That did not help.

The connection from the Firewall to the FTP server goes fine, then the next log entry is SYN timeout.

Severity 6 | Apr 23 2020 19:27:22 | ID 302014 | src 10.x.x.x:21 | dst x.x.x.x:3195 | Teardown TCP connection 5124890 for outside:10.x.x.x/21 to identity:x.x.x.x/3195 duration 0:00:10 bytes 0 SYN Timeout
VIP Advisor

Re: FTP from Firewall to device in encryption domain

Does it establish an IPSec SA for that communication?
Have you defined a rule in the ACL permitting this communication?

Your return traffic from the FTP server 10.x.x.x could be unintentionally NATed, ensure you have a NAT exemption rule in place.

Run packet-tracer to test the communication and provide the output
Run a packet capture on the firewall and provide the output.
Beginner

Re: FTP from Firewall to device in encryption domain

Does it establish an IPSec SA for that communication? : Yes

Have you defined a rule in the ACL permitting this communication? : Yes

Your return traffic from the FTP server 10.x.x.x could be unintentionally NATed, ensure you have a NAT exemption rule in place.

I added the public IP to NAT exemption.

Packet tracer : Please let me know the parameters for packet tracer.

Run a packet capture on the firewall and provide the output : What parameters please?
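The two configuration changes suggested in the replies above (interesting-traffic ACL that covers the Site A outside IP, mirrored at Site B, plus NAT exemption) and the two diagnostics the poster asked parameters for (packet-tracer and a capture), written out as one ASA command set. This is an added example, not configuration from the original post or from either participant. Assumptions: the Site A interfaces are named inside and outside, the existing crypto map is OUTSIDE_MAP, the Site B VPN peer is y.y.y.y, x.x.x.x and 10.x.x.x are the same placeholders the thread uses, and all object and ACL names are invented here.

```cisco
! ===== Site A ASA (added example; interface, object, ACL and crypto map names assumed) =====
object network SITEA-LAN
 subnet 10.110.11.0 255.255.255.0
object network SITEB-NET
 subnet 10.0.0.0 255.0.0.0
object network SITEA-OUTSIDE-IP
 host x.x.x.x
object network FTP-SERVER
 host 10.x.x.x

! Interesting traffic. The backup is sourced from the outside interface address
! (the "identity" side of the 302013 log), so that host must match the crypto ACL;
! otherwise the SYN follows the default route to the ISP in the clear and no
! SYN-ACK ever comes back, which is what "bytes 0 SYN Timeout" in 302014 shows.
access-list VPN-SITEB extended permit ip object SITEA-LAN object SITEB-NET
access-list VPN-SITEB extended permit ip object SITEA-OUTSIDE-IP object FTP-SERVER
crypto map OUTSIDE_MAP 10 match address VPN-SITEB

! NAT exemption (identity twice NAT) for the LAN-to-LAN flows; route-lookup makes
! the ASA use the routing table rather than the NAT interface pair for egress.
nat (inside,outside) source static SITEA-LAN SITEA-LAN destination static SITEB-NET SITEB-NET no-proxy-arp route-lookup

! ===== Site B ASA: mirror the new ACL entry and exempt the FTP server's replies =====
object network FTP-SERVER
 host 10.x.x.x
object network SITEA-OUTSIDE-IP
 host x.x.x.x
access-list VPN-SITEA extended permit ip object FTP-SERVER object SITEA-OUTSIDE-IP
nat (inside,outside) source static FTP-SERVER FTP-SERVER destination static SITEA-OUTSIDE-IP SITEA-OUTSIDE-IP no-proxy-arp route-lookup

! ===== Diagnostics on Site A =====
! 1. Is there an IPsec SA whose local/remote identities cover x.x.x.x -> 10.x.x.x,
!    and do its #pkts encaps counters increase while the backup runs?
show crypto ipsec sa peer y.y.y.y

! 2. packet-tracer parameters: ingress interface, protocol, source IP, source port,
!    destination IP, destination port. 22632 is the ephemeral port from the log.
packet-tracer input outside tcp x.x.x.x 22632 10.x.x.x 21 detailed

! 3. Captures. CAP-FTP sees the clear-text SYN on the outside interface;
!    CAP-PEER sees everything to the VPN peer, i.e. IKE and ESP.
capture CAP-FTP interface outside match tcp host x.x.x.x host 10.x.x.x eq 21
capture CAP-PEER interface outside match ip host x.x.x.x host y.y.y.y
backup /noconfirm location ftp://username:password@10.x.x.x/backups/
show capture CAP-FTP
show capture CAP-PEER
no capture CAP-FTP
no capture CAP-PEER
```

Reading the results: SYNs in CAP-FTP with no matching ESP in CAP-PEER means the flow is not being selected by the crypto ACL on Site A (the VPN is never used, so fix the ACL or the crypto map first). ESP leaving toward y.y.y.y but no SYN-ACK returning means the problem is on the Site B side: the mirrored ACL entry, the NAT exemption for 10.x.x.x replying to x.x.x.x, or the route from the FTP server back to x.x.x.x. Note that packet-tracer simulates a packet arriving on an interface (through-the-box traffic), so for a flow the firewall itself originates, the SA counters and the two captures are the more reliable evidence.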
Beginner

Re: FTP from Firewall to device in encryption domain

Bump!

Any hint please?