08-17-2012 12:28 AM
Hi guys, I had this weird issue.
I got a public IP for FTP mapped to an internal IP.
On the local area network I'm able to ping the private IP of the FTP without a problem.
The Internet connection is stable, but I'm not able to ping the public IP of the FTP.
I tried another workstation and it also has the same problem, but intermittently I'm able to ping the FTP public IP.
I tried to ping the public IP of the FTP from the DMZ without a problem.
I tried to ping its public IP from the FTP server itself without a problem, but I don't understand why the other workstations on the network are not able to connect and ping.
There is no restriction set on my NS 50 Firewall, and ping is permitted in the policy.
I'm running out of ideas why this is happening: the DMZ can ping, outside the LAN can ping, but internally we're not able to ping.
Any help is greatly appreciated. Thanks.
08-17-2012 01:02 AM
Hello guys, I have done a tracert to FTP.Public.IP and it stops at the gateway (NS 50 Firewall),
but I don't have any policy settings set to block the FTP; I can connect to the FTP using the private IP.
And the weird thing is, although I cannot tracert from my workstation, when I ping from the DMZ it's okay.
I really don't know what's going on, please help guys.
08-17-2012 03:03 AM
Have you done a debug flow basic while you are trying to ping? It might tell you why the traffic is being dropped.
08-17-2012 03:50 AM
Can you confirm if the address translation is taken care of?
Also, how about pinging the public IP from the firewall CLI:
ping public.ip from <trust-interface>
If the first one works and the second does not, then probably the route/policy lookup is causing some trouble.
If you can share the relevant config, I can take a look.
08-17-2012 03:51 AM
I agree with Stac. This is the next step. This will follow the packet through the whole flow process and identify why and where it does not succeed.
DEBUG FLOW BASIC :
Prepare the tool
1. undebug all - we are assuring that the debug utility is not already running.
2. get ffilter - we would expect to get no response. This tells us we have not set up any flow filters as of yet. If you should see filters listed, you can delete them with unset ffilter.
Setup the capture
3. set ffilter src-ip x.x.x.x(computer A) dst-ip x.x.x.x(computer B)
4. set ffilter src-ip x.x.x.x(computer B) dst-ip x.x.x.x(computer A) - by doing this we can observe the packets flowing in each direction and where any possible problems may be. Basically we want to define the end points of communication.
Capture the traffic
5. clear db - this will clear the debugging cache.
6. debug flow basic - this turns the debugging utility on.
7. initiate the traffic you are interested in capturing.
Pull the data
8. undebug all - turns the utility back off.
9. get db stream - this is the actual packet capture output that we want.
Remove the setup
10. unset ffilter 0 - this will need to be done twice, once for each filter that we set up earlier.
11. clear db - this will clear the cache.
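Once you have the "get db stream" output, the useful part is following each packet from the ingress interface through route lookup and policy lookup to the verdict. The script below is an added example, not part of this thread and not a Juniper tool: it parses a constructed sample in the general shape of ScreenOS debug flow basic output (the exact wording of the lines varies by ScreenOS release, so the regular expressions are assumptions you should adjust against your own capture) and summarises, per packet, where it came in, where routing sent it, which zone pair was searched, and whether policy permitted or dropped it. In the constructed sample, the ping from the trust zone is routed out towards the untrust side and dropped, while the ping from the DMZ is routed to the inside host and permitted, which is the kind of difference the original poster is trying to find.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample approximating "get db stream" output after "debug flow basic".
# Not real device output; addresses are documentation ranges.
SAMPLE_DB_STREAM = """\
****** 1001.0: <trust/ethernet0/0> packet received [60]******
  ipid = 10001(2711), @0401b4a0
  packet passed sanity check.
  ethernet0/0:192.168.1.25/1->203.0.113.10/512,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/0>, out <N/A>
  flow_first_routing: in <ethernet0/0>, out <N/A>
  search route to (ethernet0/0, 192.168.1.25->203.0.113.10) in vr trust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 3.route 203.0.113.10->203.0.113.1, to ethernet0/3
  routed (x_dst_ip 203.0.113.10) from ethernet0/0 (ethernet0/0 in 0) to ethernet0/3
  policy search from zone 2-> zone 1
  packet dropped, denied by policy
****** 1002.0: <dmz/ethernet0/2> packet received [60]******
  ipid = 10002(2712), @0401b6c0
  packet passed sanity check.
  ethernet0/2:10.10.10.5/1->203.0.113.10/512,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/2>, out <N/A>
  flow_first_routing: in <ethernet0/2>, out <N/A>
  search route to (ethernet0/2, 10.10.10.5->203.0.113.10) in vr trust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 4.route 203.0.113.10->192.168.1.10, to ethernet0/0
  routed (x_dst_ip 203.0.113.10) from ethernet0/2 (ethernet0/2 in 0) to ethernet0/0
  policy search from zone 3-> zone 2
  Permitted by policy 7
  post addr xlation: 10.10.10.5->192.168.1.10.
"""


@dataclass
class FlowRecord:
    ingress: str = ""            # "<zone/interface>" from the "packet received" banner
    src: str = ""
    dst: str = ""
    session: str = "unknown"     # "none" or "existing"
    egress: str = ""             # interface chosen by the route lookup
    zones: str = ""              # "from-zone->to-zone" numbers used for the policy search
    verdict: str = "no verdict"  # "permitted" or "dropped"
    policy: Optional[int] = None


# Line patterns (assumed shape; tune against a real capture).
BANNER = re.compile(r"<([^>]+)> packet received")
FLOW = re.compile(r"^\s*\S+:(\d+\.\d+\.\d+\.\d+)/\d+->(\d+\.\d+\.\d+\.\d+)/\d+")
ROUTED = re.compile(r"routed .* to (\S+)$")
ZONES = re.compile(r"policy search from zone (\d+)-> zone (\d+)")
PERMIT = re.compile(r"Permitted by policy (\d+)")


def parse_db_stream(text: str) -> List[FlowRecord]:
    """Split the debug output into one FlowRecord per received packet."""
    records: List[FlowRecord] = []
    cur: Optional[FlowRecord] = None
    for line in text.splitlines():
        m = BANNER.search(line)
        if m:                       # a new packet starts at each banner line
            cur = FlowRecord(ingress=m.group(1))
            records.append(cur)
            continue
        if cur is None:             # ignore anything before the first banner
            continue
        m = FLOW.match(line)
        if m and not cur.src:
            cur.src, cur.dst = m.group(1), m.group(2)
        elif "no session found" in line:
            cur.session = "none"
        elif "existing session found" in line:
            cur.session = "existing"
        elif (m := ROUTED.search(line)):
            cur.egress = m.group(1)
        elif (m := ZONES.search(line)):
            cur.zones = f"{m.group(1)}->{m.group(2)}"
        elif (m := PERMIT.search(line)):
            cur.verdict, cur.policy = "permitted", int(m.group(1))
        elif "denied by policy" in line or "packet dropped" in line:
            cur.verdict = "dropped"
    return records


def summarize(records: List[FlowRecord]) -> List[str]:
    """One human-readable line per packet: path through the box and verdict."""
    out = []
    for r in records:
        pol = f" (policy {r.policy})" if r.policy is not None else ""
        out.append(f"{r.ingress} {r.src}->{r.dst} session={r.session} "
                   f"routed-to={r.egress} zones={r.zones}: {r.verdict}{pol}")
    return out


def dropped(records: List[FlowRecord]) -> List[FlowRecord]:
    """The packets that did not make it through, i.e. what to look at first."""
    return [r for r in records if r.verdict != "permitted"]


if __name__ == "__main__":
    for line in summarize(parse_db_stream(SAMPLE_DB_STREAM)):
        print(line)
```

Run it against your own capture by replacing SAMPLE_DB_STREAM with the saved "get db stream" text; the first thing to compare between a working and a failing ping is the "routed-to" interface and the zone pair, since a public address that routes back out towards the Internet from the trust side will be evaluated against a different policy set than the same address reached from the DMZ.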
08-21-2012 04:00 AM
Sorry, I didn't read your message closely enough the first time. You can connect to the public address of a server that is NATed to a private address on the same firewall (hairpinning).
I have a sample configuration in the library. The process places the public IP address into the trust zone and then creates two policies, one for external access and the second for internal access. I have deployed the method many times and it does work for both internal and external access to the public address.