[c-nsp] FWSM v2.3 and FTP
varaillon
j.varaillon at cosmoline.com
Tue Jul 24 05:04:43 EDT 2007
Hi,
We had this topology:
Server1,Server2---7200---Server3,Server4
We changed it to this topology:
Server1,Server2---(dmz)---FWSM---(outside)---Server3,Server4
The goal is to use FTP to transfer files (2MBs size) between Server2 and
Server1.
The problem occurs soon after Server2 starts sending data.
As soon as a few hundred KB have been transferred we get the error message:
"connection reset by peer".
This issue occurs between:
Server3 and Server1
Server3 and Server2
However there is no FTP issue between:
Server3 and Server1
Server4 and Server1
On the FWSM I tried the following but it did not solve the issue:
- ACL permitting everything I/O
- no inspect ftp
- norandomseq on each relevant translation rule
- reload Server1
- restart relevant process on Server2
So we moved back to the former topology:
Server1,Server2---7200---Server3,Server4
...and without doing any reload/restart on any servers, the FTP issue did
not exist any longer.
Since replacing the FWSM by the router 7200 solves the issue and replacing
the 7200 by the FWSM creates the issue, it is clear that the FWSM is the
problem.
But since the ACL allows everything, no inspection is done on FTP, and we also
disabled sequence-number randomization (in case one server already has a
firewall), what else could be done on the FWSM?
Any suggestions/comments would be welcome.
Thanks!
Christophe