03-04-2013 07:16 AM - edited 03-11-2019 06:09 PM
Hi,
We have a server in our LAN. It connects to a Juniper firewall, which in turn connects to an ASA that acts as the internet firewall.
LAN server 10.96.1.90 needs to connect to the external destination 81.20.97.19 for the FTP service, and the external destination must also be able to connect back to 10.96.1.90 for the FTP service.
However, the request from 10.96.1.90 is only recognised and allowed at the destination when it comes from public IP 203.121.17.140, and similarly the request from 81.20.97.19 to 10.96.1.90 is done using public IP 203.121.17.140.
Server 10.96.1.90 -> Juniper Firewall -> ASA Firewall -> Destination 81.20.97.19 (FTP)
Destination 81.20.97.19 (FTP) -> ASA Firewall -> Juniper Firewall -> Server 10.96.1.90 (FTP)
LAN Server IP: 10.96.1.90
Juniper Firewall LAN interface IP: 10.96.1.68
Juniper Firewall WAN interface IP: 172.16.1.68
ASA Firewall LAN interface IP: 172.16.1.98 ( Transit Interface(eth0/2) is the name given to the interface which connects Juniper's WAN to ASA's LAN)
ASA Firewall WAN interface IP: 203.121.17.144
The rules are in place on both the Juniper and the ASA firewall for the above bidirectional communication. I can see the packets passing through the Juniper firewall on their way to the ASA.
Now, the problem:
The communication initiated from 10.96.1.90 towards 81.20.97.19 is not successful.
When I run a capture on the ASA, I can see the packets coming in to the ASA via the Juniper firewall, but I can only see SYN packets.
Moreover, I cannot see the xlate for these packets.
The current configuration on the ASA firewall is:
interface Ethernet0/0
nameif outside
security-level 1
ip address 203.121.17.144 255.255.255.224
!
interface Ethernet0/1
description To Server
speed 100
duplex full
nameif inside
security-level 100
ip address 172.16.0.98 255.255.255.0
!
interface Ethernet0/2
description To Juniper Firewall
speed 100
duplex full
nameif transit
security-level 90
ip address 172.16.1.98 255.255.255.0
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name bsh-sg.com
object-group service Apps tcp
description FTP and HTTP access
port-object eq ftp-data
port-object eq ftp
port-object eq echo
port-object eq www
object-group service FTP tcp
port-object eq ftp
port-object eq ftp-data
access-list acl_out extended permit tcp any host 203.121.17.142 object-group Apps
access-list acl_out extended permit tcp host 81.20.97.19 host 203.121.17.140 object-group FTP
pager lines 24
logging console informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu transit 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 2 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (transit) 2 10.96.1.0 255.255.255.0
static (inside,outside) 203.121.17.142 172.16.0.97 netmask 255.255.255.255
static (transit,outside) 203.121.17.140 10.96.1.90 netmask 255.255.255.255
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 203.121.17.129 1
route transit 10.96.1.0 255.255.255.0 172.16.1.68 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect ftp
!
service-policy global_policy global
Now, the problem:
When the communication from 10.96.1.90 towards 81.20.97.19 is initiated, it is not successful.
When I run a capture on the ASA, I can see the packets coming in to the ASA via the Juniper firewall, but I can only see SYN packets.
Moreover, I cannot see the xlate for these packets.
Please help me with this problem, if there is anything wrong on the ASA regarding this traffic requirement.
Appreciate all inputs!
03-04-2013 10:56 AM
Do you see the same SYN packets leaving the outside interface?
03-05-2013 12:19 AM
No, I do not see the SYN packets leaving the outside interface.
Is the static NAT configuration for these IPs correct? How should I proceed?
Appreciate all help!
03-05-2013 12:37 AM
Hi,
In your above configuration I can't at the moment see anything that would prevent the connection being initiated through it.
You could confirm the firewall's operation by using the "packet-tracer" command:
packet-tracer input transit tcp 10.96.1.90 1234 81.20.97.19 21
This will simulate the FTP connection attempt from the host behind "transit" interface to the specified destination IP address on the Internet.
Can you share the output of that command here?
- Jouni
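To reason about which xlate the posted 8.2-style NAT lines should produce for this flow before running packet-tracer, here is an added Python model (not from the thread or from Cisco) of the static-before-dynamic lookup; ASA_NAT_LINES and INTERFACE_IPS are copied from the configuration above, and the order of operations is simplified (nat 0 exemption and policy NAT are not modelled).

```python
import ipaddress
import re

# Constructed excerpt: the NAT lines from the ASA 8.2 config posted in this thread,
# plus the interface addresses used when a global pool says "interface".
ASA_NAT_LINES = """
global (outside) 2 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (transit) 2 10.96.1.0 255.255.255.0
static (inside,outside) 203.121.17.142 172.16.0.97 netmask 255.255.255.255
static (transit,outside) 203.121.17.140 10.96.1.90 netmask 255.255.255.255
"""
INTERFACE_IPS = {"outside": "203.121.17.144", "inside": "172.16.0.98", "transit": "172.16.1.98"}

STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
NAT_RE = re.compile(r"nat \((\w+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"global \((\w+)\) (\d+) (\S+)")


def parse_nat(text):
    """Return (statics, nats, globals) parsed from 8.2-style NAT lines."""
    statics, nats, globals_ = [], [], {}
    for line in text.strip().splitlines():
        if m := STATIC_RE.match(line):
            real_if, mapped_if, mapped, real, mask = m.groups()
            statics.append((real_if, mapped_if, ipaddress.ip_network(f"{real}/{mask}"),
                            ipaddress.ip_address(mapped)))
        elif m := NAT_RE.match(line):
            real_if, nat_id, net, mask = m.groups()
            nats.append((real_if, int(nat_id), ipaddress.ip_network(f"{net}/{mask}")))
        elif m := GLOBAL_RE.match(line):
            mapped_if, nat_id, pool = m.groups()
            globals_[(mapped_if, int(nat_id))] = pool
    return statics, nats, globals_


def translated_source(text, ingress, src, egress):
    """Mapped source address the ASA would build an xlate for, or None if no rule matches.
    Simplified 8.2 order: one-to-one statics are checked before dynamic nat/global pairs."""
    src = ipaddress.ip_address(src)
    statics, nats, globals_ = parse_nat(text)
    for real_if, mapped_if, real_net, mapped in statics:
        if real_if == ingress and mapped_if == egress and src in real_net:
            # Network statics map host offsets one-to-one; a /32 static has offset 0.
            return str(mapped + (int(src) - int(real_net.network_address)))
    for real_if, nat_id, real_net in nats:
        if real_if == ingress and src in real_net:
            pool = globals_.get((egress, nat_id))
            if pool is None:
                return None  # nat id with no matching global on the egress interface
            return INTERFACE_IPS[egress] if pool == "interface" else pool
    return None
```

Comparing the result against the NAT phase of the real packet-tracer output shows whether the static for 10.96.1.90 is the rule the ASA actually selects.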
03-05-2013 11:19 AM
Do you see any particular logs referring to these public IPs when testing?
Try to get an ASP capture; this is the command for it: capture drop type asp-drop all
Test and check the capture: show capture drop | i 81.20.97.19
Are you having problems only when going to 81.20.97.19?