Eleander

No problem. I will be in and out today but i'll keep checking whenever i can.

Jon

Jon,

I've changed the config accordingly.

Also changed the existings ACL's for the "Statoil" network so the object group is being used.

This shortened my config significantly and easier to troubleshoot.

I though keep getting out of SYN errors.

Config in attachement.

Kind regards,

Eleander

Eleander

Yes, looks a lot clearer now. One final change if you want but it's not critical - you have these 2 access-lists

inside_nat0_outbound

inside_nat0_outbound_1

only inside_nat0_outbound_1 is being used as far as i can see so you could remove the other one ie.

no access-list inside_nat0_outbound

Okay couple of things to check

1) The ftp server 10.0.74.5 - is this used by the other working site or not ?

If it isn't can you try ftping to that server from another address internally just to check that it is all working okay

2) If it is working okay, does this FTP server have it's default-gateway set to the ASA inside interface ?. If not what is it set to.

Jon

Jon,

Removed the entries.

1) Ftp can be reached from other working site.

H:\>ftp 10.0.74.5 (from my pc)

Connected to 10.0.74.5.

220-QTCP at custserver.cust.local.

220 Connection will close if idle more than 5 minutes.

User (10.0.74.5:(none)): "admin"

331 Enter password.

Password:

230 "admin"logged on.

ftp> quit

221 QUIT subcommand received.

2) server has by default at this moment an ISDN router and these are the routes active:

dftroute: 10.0.74.253

On this router following routes are active:

ip route 0.0.0.0 0.0.0.0 10.0.74.252 (ASA)

ip route 10.32.141.0 255.255.255.0 Dialer1 (remote station)

ip route 10.32.143.0 255.255.255.0 Dialer1 (remote station)

ip route 10.10.0.0 255.255.0.0 10.0.74.252 (ip range Statoil)

ip route 194.78.124.0 255.255.255.0 (our site) 10.0.74.252

-> yeah I know its's a public and I'm dying to get it out but supporting over 60 site-to-site takes a while to plan and implement working NAT! :d :)

Hope this get's you any further.

Kind regards,

Eleander

Eleander

Can you confirm

1) Which Statoil IP address ie. 10.10.?.? the connection to your FTP server is being made from.

2) Can you post output of a "sh running-config xlate"

3) Can you post log from ASA of latest attempt to connect

4) The FTP server does not have any access restrictions itself does it in terms of which remote IP addresses can connect ?

We may have to do a packet capture next :-)

Jon

Jon,

1) 10.10.10.87 (others can be done to if this server isn't active

2) asacust# sh xlate

10 in use, 142 most used

Global 192.168.222.1 Local 10.0.74.5

PAT Global 81.81.81.81(25) Local 10.0.74.1(25)

PAT Global 81.81.81.81(110) Local 10.0.74.1(110)

PAT Global 81.81.81.81(1723) Local 10.0.74.1(1723)

PAT Global 81.81.81.81(47) Local 10.0.74.1(47)

PAT Global 81.81.81.81(3206) Local 10.0.74.15(3548)

PAT Global 81.81.81.81(3205) Local 10.0.74.15(3547)

PAT Global 81.81.81.81(1084) Local 10.0.74.16(4352)

PAT Global 81.81.81.81(3155) Local 10.0.74.6(3671)

PAT Global 81.81.81.81(3152) Local 10.0.74.6(3668)

Note that I entered a random external IP! :)

3)

2008-11-21 13:09:46 Local4.Info 10.0.74.252 Nov 21 2008 13:09:25: %ASA-6-302014: Teardown TCP connection 1037 for outside:10.10.10.87/9408 to inside:10.0.74.5/21 duration 0:00:30 bytes 0 SYN Timeout

4) no restrictions are being made from the FTP server itself. It's an AS/400 which has full network access through default routing!

Awaiting further logs for test!

Kind regards,

Eleander

Eleander

Sincere apologies. I have been so wrapped up in tidying up the config i overlooked a very basic setting.

When you ftp from your site you ftp to 10.0.74.5.

When you ftp from Statoil you want them to ftp to 192.168.222.1.

But you can't do this unless of course the ftp service is on different ports for each remote client.

So either

1) You will need to ftp from your site and Statoil to 192.168.222.1

Or

2) the NAT could be done at the Statoil site before it gets to your firewall and before it goes into the VPN tunnel.

The only other option i can think of is that some servers such as apache allow multiple IP addresses to be associated with the same server and users can connect on different IP's to get an http service.

I don't know what the capabilities of the ftp server you are using but if you had a spare 10.0.74.x address from the range and it could support additional IP's this would be another way to do it.

Once again sincere apologies, i should have spotted this from the start. Sometimes you can't see the wood for the trees !

Jon

Jon,

When ftp is initiated it will be done from teh Statoil site using the 192.168.222.1 address. Of that I'm sure.

When I try to do this from our site I need to reconfigure router so I need to add the 192.168.222.1 address within my router and ASA.

2) incomming NAT from their site won't be done so that's not an option! (they are quit strict about ther policy which is understandable!)

I do have free IP's and I can even hang my server in other ranges without problems. (it's an AS/400 -> the green mean machine ! :d))

No problem Jon, but i've had the same thing you have seen what you've done to my config so help was needed, a big oak tree stood in the way! :)

Eleander

Thanks for that. I'm usually a bit better than this i promise :-)

Okay if Statoil won't NAT then either you will have to connect to that FTP server as 192.168.222.1 from your site and your config would need a bit of updating

OR

You could try and use a different IP address that is not in use and configure another NIC or use a secondary address on AS400 NIC and then run ftp service on this.

One very last thing -

access-list outside_access_in extended deny ip object-group Statoil_server any

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit ip any 10.0.74.0 255.255.255.0

You need to modify the top line from

access-list outside_access_in extended deny ip object-group Statoil_server any

to

access-list outside_access_in extended deny ip 10.10.0.0 255.255.0.0 any

because if you just include the object-group then because of the following 2 lines in that acl any clients not in the object-group would be given access to your 10.0.74.0 network.

Jon

From all the answers you gave me and seeing your rating I'm sure you will Jon. :)

I can add a second IP address on the ftp server. But doens't my NAT problem persist when I'm still using a 10.0.74.x IP?

Eleander

Eleander

I don't think it will but only if this address is never accessed from your site ie. 194.78.124.0/24.

Remember your nat exemption line is

access-list inside_nat0_outbound_1 extended permit ip 10.0.74.0 255.255.255.0 194.78.124.0 255.255.255.0

nat exemption lines with access-lists take precedence over all other forms of NAT including statics. However if your site never accesses this address via the VPN tunnel then it will never get matched against your "inside_nat0_outbound_1" access-list so it can then get matched by the static translation.

If you wanted to be ultra safe you could exclude the unused IP from the inside_nat0_outbound_1 access-list although obviously that would mean more entries for this access-list.

Alternatively depending on your internal topology you could use an altogther different subnet address and have a secondary IP address on the ISDN router. Think this is a bit more complicated than it needs to be.

Jon

Jon,

As I've learned more from you helping me out in this topic I'm going for the first solution.

As long as my internal users don't know the IP they won't access it.

Best is also we deny access from it.

In this way the easiest solution can be implemented and a great plus is that I can use this to clean up some other things to in other networks. So it will be an allroudn solution. :d

Eleander

Eleander

Good luck and let me know how it goes.

Jon

Jon,

Now I've this in my xlate:

asacust# sh xlate

12 in use, 170 most used

PAT Global 81.81.81.81(25) Local 10.0.74.1(25)

PAT Global 81.81.81.81(110) Local 10.0.74.1(110)

PAT Global 81.81.81.81(1723) Local 10.0.74.1(1723)

PAT Global 81.81.81.81(47) Local 10.0.74.1(47)

Global 192.168.222.1 Local 10.0.74.4

PAT Global 81.81.81.81(3891) Local 10.0.74.15(3984)

PAT Global 81.81.81.81(3890) Local 10.0.74.15(3983)

PAT Global 81.81.81.81(3889) Local 10.0.74.15(3978)

PAT Global 81.81.81.81(3892) Local 10.0.74.16(1183)

PAT Global 81.81.81.81(1) Local 10.0.74.5 ICMP id 3411

PAT Global 81.81.81.81(1667) Local 10.0.74.1(39002)

PAT Global 81.81.81.81(1666) Local 10.0.74.6(1057)

So the NAT statement will be ok.

Hope they can test soon!