FTP problem

I have a sister organization that has set up an FTP site for us to use. I want to be able to FTP files from my machine to theirs.

I can FTP all day long outside of our network. However, behind our ISA firewall, I cannot get traffic to go out. I have created a rule specifically for FTP to allow traffic FROM internal/external/mypc TO internal/external - and moved it to the top of the rule stack. I did read that you also have to rightclick the rule and uncheck the read-only box, which I have done.

I can ping and tracert this address. I can nslookup the website that resolves to this address.

I cannot imagine for the life of me why I cant get FTP traffic to go out. I dont have a firewall on my PC. We also dont have a DMZ nor any machines to put in a DMZ.

I am desperate and open to any suggestions. Thanks.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

Heero

Does the rule pass both FTP ports?

tiersten

What Heero said. FTP was designed back in the days when NAT and firewalls didn't exist.

FTP uses two ports and has two modes. It has a control port and a data port. The direction of these connections depends on what mode you're in. The control connection is always connected from the client to the server. In active FTP mode then the client will send the server an IP+port to connect to and the server will connect to the client for the data connection. In passive FTP mode then the server will send the client an IP+port to connect to and the client will connect to the server for the data connection.

If you're using NAT then you'll need to do extra translation since the IP and port will be changed by NAT.

Devilsbane

As the others have said, FTP uses both ports 20 and 21.

I like to use telnet to test firewalls. Ping only establishes connectivity, it doesn't use a port.

"telnet 192.168.0.1 20" will send packets to the 192.168.0.1 ip on port 20. If you get a failure message, the packets didn't make it. If you get a blank screen, success.

You can then repeat the same command with port 21. You will need to have the telnet client installed on your workstation for this to work, otherwise you will get a command not found. You can install it in the windows components of add/remove programs.

brad-

Heero wrote: »

Does the rule pass both FTP ports?

Yes. There is a port option on the rule and I specified range 20-21.

brad-

tiersten wrote: »

If you're using NAT then you'll need to do extra translation since the IP and port will be changed by NAT.

Is there anyway to get around that, or do that? Im know enough about routing and networking to get into trouble, but im not an expert.

Devilsbane

brad- wrote: »

Is there anyway to get around that, or do that? Im know enough about routing and networking to get into trouble, but im not an expert.

The only way to get around it would to stop using nat/pat, but that isn't a very good option. There is a workaround for it though, and I remember learning about it. But for the life of me, I couldn't tell you what it was. Never used it, just learned about it.

gosh1976

brad- wrote: »

Is there anyway to get around that, or do that? Im know enough about routing and networking to get into trouble, but im not an expert.

Using passive mode should be all you need to do to get around the NAT problem as far as I know for most situations.

brad-

gosh1976 wrote: »

Using passive mode should be all you need to do to get around the NAT problem as far as I know for most situations.

I tried passive mode in Filezilla, no dice. Besides, I need to be able to script this transfer on a schedule, but i cant do that until i can connect.

brad-

Update:

In case any of you guys run into the same problem, there is an ISACLIENT installable that helps to get around this problem.

Heero

gosh1976 wrote: »

Using passive mode should be all you need to do to get around the NAT problem as far as I know for most situations.

my favorite explaination of passive and active mode ftp

http://slacksite.com/other/ftp.html

passive mode gets around PAT and firewalls that block unknown incoming packets. Passive mode opens up issues on the server side though, bringing the need to allow high number ports on the server.

Anyways, OP, i seem to remember troubleshooting an FTP connection on linux using the ftp -d option to debug the connection attempt. might wanna try that and post the result maybe.

Could also check with the FTP server administrator and make sure passive mode is supported.