copy ftp console command fails to connect over site-to-site VPN

KMinev7171
Level 1

I’m trying to run a CLI copy to an FTP server that sits on the other side of a site-to-site VPN. I can FTP just fine from any PC on the 192.168.30.0 network to the 192.168.2.0 network via VPN.

Remote ASA IP over VPN is 192.168.2.1, FTP server is 192.168.2.12

This is the printout from the ASA with IP 192.168.30.1:

PKMDPAASA# ping inside 192.168.2.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.12, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
PKMDPAASA# copy running-config ftp://192.168.2.12/rc.txt
Source filename [running-config]?
Address or name of remote host [192.168.2.12]?
Destination filename [rc.txt]?
Cryptochecksum: a96e0400 a16c45bf 38462fd8 91b925e1
%Error opening ftp://192.168.2.12/rc.txt (Permission denied)
PKMDPAASA#

From the 192.168.2.1 ASA, copy to FTP 192.168.2.1 works fine, as expected.

2 Replies

Jan Rolny
Level 3

Hi,

Have you checked the ACL? If ping works fine, routing seems to work well, so maybe you have a wrong ACL.

Also, please check whether the local firewall on the machine where FTP is running is turned off.

Best regards,

Jan

Thank you for the quick response.

Windows Firewall On/Off on FTP server doesn't make any difference.

From the log, a copy from the ASA is trying to open an FTP connection for outside; it looks like a TCP connection for outside:192.168.2.xx/21 to identity:aa.bb.cc.dd/49124 ..... where aa.bb.cc.dd is my public IP. This doesn’t look right. Since the ASA outside interface is the VPN endpoint, perhaps this is not even possible. There isn't a command copy inside ........ to choose the interface to initiate the copy from. Am I missing something?

If I do FTP from a PC on the ASA, it opens a TCP connection for outside: 192.168.2.xx/21 to inside 192.168.30.xx/1159. It looks right and works just fine.