Solved

FTP Active, w/Firewall

Posted on 2003-11-18
Last Modified: 2013-11-29
I am running a CuteFTP server behind a SonicWall Firewall.  All of my clients can connect to my FTP server and send files, except one.  I am not sure if the others are using passive or active, but I know that this one can only use active (because that is all their DOS and UNIX clients support).  At any rate, they can log in, but basically nothing else, not even LS.  They were able to use our third party ftp server, which was hosted on a public IP, but this one, like I said, is behind our SonicWall, which we have opened up for FTP.  I can connect to this server fine from home from behind my Netgear Cable-Router/Firewall with active ftp.
I can replicate this problem by FTPing to my server via the public address to it from my LAN (the server is in the DMZ).  Am I missing something?  Shouldn't active work?
Question by:jagoodie
10 Comments
 
LVL 7

Expert Comment

by:Robing66066
ID: 9771401
Did you open port 20 on both sides?  Being able to log into an FTP server but not do anything is a classic symptom of missing port 20.
0
 
LVL 7

Expert Comment

by:Robing66066
ID: 9771405
(That would include on her equipment as well)
0
 
LVL 7

Expert Comment

by:Robing66066
ID: 9771406
(That would include on her equipment as well)
0
 
LVL 3

Expert Comment

by:_tack
ID: 9771466
As far as I know, passive FTP was created as a workaround for some firewalls.

FTP active:
- control connection is built from the client (client connects to FTP server)
- data connection is built from the server (FTP server connects to client).
Do you allow building connections from your DMZ zone to the outside world? Does the client side have a firewall?
Check with other non-firewalled FTP servers.

FTP passive:
- control connection is built from the client
- data connection is built from the client
Normally you need a stateful inspection firewall that allows incoming connections on
particular ports as connections are established.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9771906
Active FTP needs both port 20 and 21.  One for control, the other for data.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9771930
One classic issue for having an FTP server behind a firewall is the NAT issue.  With active FTP, interaction to establish a link includes the IP address of the server.  If your FTP server is NATted, then the active client will become confused as to where the data should be sent.
0
 
LVL 2

Author Comment

by:jagoodie
ID: 9781532
Yes, this server is NATed.  The server has a section for entering in the public IP for Passive transfers, but not Active... shouldn't it?
Is the only way to do this to put the server on the public IP address?  That just isn't acceptable... we have SSNs in our files being uploaded.
0
 
LVL 35

Accepted Solution

by:
ShineOn earned 500 total points
ID: 9782686
Can you put an FTP proxy on your firewall?  FTP Proxy will likely work where NAT will fail, and is much more secure anyway.
0
 
LVL 2

Author Comment

by:jagoodie
ID: 9788513
I wish... no, SonicWall doesn't have that feature.  We wouldn't have to use NAT, but our ISP gave us non-consecutive IPs, so we have a suboptimal configuration.
0
 
LVL 2

Author Comment

by:jagoodie
ID: 10859436
The problem was because our ISP had given us non-consecutive IP addresses, and the NAT on the SonicWall didn't want to use the same gateway for a different network.  Complex... but we had them change our addresses to be consecutive, and all is well now.
Thanks for your help.
0
