04-02-2024 10:27 PM
Hello,
I created an IKEv2 site-to-site tunnel between two Cisco FPR 1140s. I have the same subnet at both locations, and I used source and destination NAT on one site. My users try to access some application over the web and it works, but when the other site tries to access the first site over FTP, they can connect (telnet on port 21) but the application doesn't work (they cannot list directories on the FTP server, for example); they can also ping that server because all ports are allowed in the ACP.
The FTP server works in passive mode.
Does anybody have the same experience and would like to share?
Thank you very much.
05-04-2024 11:00 AM
As I said, there is no such command. Passive FTP inspection is enabled by default.
05-04-2024 10:45 PM - edited 05-04-2024 10:47 PM
Hello all,
Thank you very much for help.
I found on my Cisco ASA device, where it works without any problem, the command ftp mode passive, and I added it through FlexConfig.
@tvotna, you are right, FTP inspection is enabled by default. @MHM Cisco World, can you please share an example config? @MHM Cisco World, can you please put here a link to the picture you took it from?
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
05-05-2024 08:07 AM
Hello,
I tried to add it through FlexConfig; the deployment failed because of incorrect config.
policy-map type inspect ftp ftp_inspect_map
 parameters
 match passive-only
05-06-2024 09:10 AM
Sorry for the late reply.
I am busy this weekend and tomorrow as well, but let me summarize some points with you:
You mention there is a S2S VPN and the traffic is NATed? How is that? The traffic inside the VPN is not NATed unless you NAT some private IP.
Another point about the inspection: did you check inspection on both FWs?
05-06-2024 11:53 AM
Hello,
@MHM Cisco World, thank you very much for your help.
192.168.1.28(Local-LAN)--------FPR1----------------------FPR2-------192.168.1.2(Remote LAN)
I have to use NAT because I have the same subnet on both sides. I made source and destination NAT on my side, FPR1 (FPR1 is my side).
The NAT configuration is below.
nat (inside,outside) source static LFILKA-192.168.1.28 LFILKA-SEEN-FROM-FMF-10.5.6.28 destination static FMF-SERVER3-SEEN-FROM-FMF-10.200.200.3 FMF-SERVER-3-192.168.1.2
nat (inside,outside) source static SVI-MO-SUBNET-192.168.0.0_16 LOCAL_LAN_MO_SUBNET-10.5.6.0_24 destination static FMF-SERVER1-SEEN-FROM-FMF-10.200.200.1 FMF-SERVER-1-172.29.235.11
nat (inside,outside) source static SVI-MO-SUBNET-192.168.0.0_16 LOCAL_LAN_MO_SUBNET-10.5.6.0_24 destination static FMF-SERVER2-SEEN-FROM-FMF-10.200.200.2 FMF-SERVER-2-192.168.1.109
nat (inside,outside) source static SVI-MO-SUBNET-192.168.0.0_16 LOCAL_LAN_MO_SUBNET-10.5.6.0_24 destination static FMF-SERVER3-SEEN-FROM-FMF-10.200.200.3 FMF-SERVER-3-192.168.1.2
nat (inside,outside) source static SVI-MO-SUBNET-192.168.0.0_16 LOCAL_LAN_MO_SUBNET-10.5.6.0_24 destination static FMF-SERVER4-SEEN-FROM-FMF-10.200.200.4 FMF-SERVER-4-192.168.5.100
nat (inside,outside) source static SVI-MO-SUBNET-192.168.0.0_16 LOCAL_LAN_MO_SUBNET-10.5.6.0_24 destination static FMF-SERVER5-SEEN-FROM-FMF-10.200.200.5 FMF-SERVER-5-192.168.5.200
All of my subnet 192.168.0.0/16 accesses the remote site; it is some web application and it works correctly.
FMF-SERVER-1-172.29.235.11
FMF-SERVER-2-192.168.1.109
FMF-SERVER-3-192.168.1.2
FMF-SERVER-4-192.168.5.100
FMF-SERVER-5-192.168.5.200
Only one remote server, 192.168.1.2, needs to put some files over FTP on a host in the Local LAN (192.168.1.28), and that is the reason I made the NAT below.
nat (inside,outside) source static LFILKA-192.168.1.28 LFILKA-SEEN-FROM-FMF-10.5.6.28 destination static FMF-SERVER3-SEEN-FROM-FMF-10.200.200.3 FMF-SERVER-3-192.168.1.2
The remote server 192.168.1.2 sees my side as 10.5.6.28. The remote server 192.168.1.2 can telnet to port 21 and can log in to the FTP server, but when it tries to list files in the FTP directory, we get a message that the connection is refused.
I copied the NAT configuration from a Cisco ASA device where it works without any problem.
On the remote side we made a prefilter policy where everything is permitted, as on my side too. We captured traffic on the inside interface on my side and on the remote side. I sent you the Wireshark files from both sides. I think that FPR1 is the problem, and I think that it is a problem with NAT too.
05-06-2024 01:01 PM
How and where did you collect this capture? Did you collect it with a "capture" command or "capture-traffic" or what? If it was collected on the FTD, the destination MAC should have started with a Cisco prefix, but Wireshark shows it does not. The source MAC belongs to a Cisco switch, right?
05-06-2024 11:26 PM
PC----GW-CiscoSwitch-----Inside_FPR.
I collected it on the Cisco inside interface; the GW is on the Cisco switch and then I have a route to the Cisco FPR. That is the reason why that MAC is there. I collected it via capture over FMC.
Thank you very much.
05-07-2024 05:24 AM - edited 05-07-2024 05:25 AM
Hello Guys,
@tvotna, @MHM Cisco World, thank you very much for your help. I had a call with Cisco TAC and managed to solve it. I want to share it with you; maybe it can be useful to someone.
We configured tcp-state-bypass for my IP address, and it solved the problem. I knew about tcp-state-bypass from Cisco ASA, but I didn't know how to configure it. I tried it over FlexConfig and it didn't accept that command.
It is configured through FMC: Policies --> More --> Advanced Settings --> Threat Defense Service Policy.
05-07-2024 07:36 AM
OK, but we don't understand how this could help. If tcp-state-bypass is configured, inspection ("inspect ftp") is also disabled, and hence NAT doesn't translate the payload of the packet (the PASV reply in this case). Perhaps we're missing something obvious here, which is our fault.
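The mechanism tvotna is pointing at above, as an added illustration that is not part of the thread and not Cisco's code: a passive-mode FTP server writes its own address into the 227 reply on the control channel, and the client then opens the data connection to whatever address that reply contains. With a static NAT in front of the server, something has to rewrite that embedded address, which is what "inspect ftp" does for the PASV reply. The Python below models that rewrite and shows where the client's data connection would be aimed with and without it. The two addresses are taken from the NAT statement posted earlier (real 192.168.1.28, translated 10.5.6.28); the reply text and the port are constructed for the example, and the model is a simplification, not a description of the FTD inspection engine's internals.

```python
import re

# Constructed addresses, modelled on the NAT statement posted in the thread:
# the FTP server's real inside address and the address the remote site sees.
SERVER_REAL = "192.168.1.28"
SERVER_TRANSLATED = "10.5.6.28"   # "LFILKA-SEEN-FROM-FMF" in the thread

# Constructed sample: what a passive-mode server sends on the control channel
# when the client issues PASV (RFC 959: h1,h2,h3,h4 = IP, port = p1*256 + p2).
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,168,1,28,195,80)."

_PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str):
    """Return (ip, port) from an RFC 959 '227 ... (h1,h2,h3,h4,p1,p2)' reply."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    octets = [int(x) for x in m.groups()]
    if any(v > 255 for v in octets):
        raise ValueError(f"octet out of range in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def build_pasv(ip: str, port: int) -> str:
    """Encode (ip, port) back into the 227 reply format."""
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return (
        f"227 Entering Passive Mode "
        f"({ip.replace('.', ',')},{port // 256},{port % 256})."
    )


def fixup_pasv(reply: str, real_ip: str, translated_ip: str) -> str:
    """Do what an FTP inspection engine does for a static NAT: if the 227 reply
    advertises the server's real address, rewrite it to the translated one.
    A reply that advertises some other address passes through unchanged."""
    ip, port = parse_pasv(reply)
    if ip != real_ip:
        return reply
    return build_pasv(translated_ip, port)


def data_connection_target(reply: str, real_ip: str, translated_ip: str,
                           inspected: bool):
    """Address and port the remote client will dial for the data connection.

    inspected=False models a path on which the payload is not rewritten: the
    client uses the address the server literally wrote, which at the remote
    site in this thread falls inside its own overlapping 192.168.1.0/24."""
    if inspected:
        reply = fixup_pasv(reply, real_ip, translated_ip)
    return parse_pasv(reply)


if __name__ == "__main__":
    for inspected in (True, False):
        ip, port = data_connection_target(
            SAMPLE_PASV_REPLY, SERVER_REAL, SERVER_TRANSLATED, inspected
        )
        print(f"inspected={str(inspected):5}  client dials {ip}:{port}")
```

The control connection to port 21 is unaffected either way, which is why a telnet to port 21 and the login succeed in both cases; only the data connection for LIST or a transfer depends on the address carried inside the 227 reply.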
05-07-2024 08:44 AM
Can you help us more? Can you check the green statement below?