Solved

FTP Active, w/Firewall

Posted on 2003-11-18
Last Modified: 2013-11-29
I am running a CuteFTP server behind a SonicWall Firewall. All of my clients can connect to my FTP server and send files, except one. I am not sure if the others are using passive or active, but I know that this one can only use active (because that is all their DOS and UNIX clients support). At any rate, they can log in, but basically nothing else, not even LS. They were able to use our third-party FTP server, which was hosted on a public IP, but this one, like I said, is behind our SonicWall, which we have opened up for FTP. I can connect to this server fine from home from behind my Netgear Cable-Router/Firewall with active FTP.
I can replicate this problem by ftping to my server via the public address to it from my LAN (the server is in the DMZ). Am I missing something? Shouldn't active work?
0
Question by:jagoodie
10 Comments
 
LVL 7

Expert Comment

by:Robing66066
ID: 9771401
Did you open port 20 on both sides?  Being able to log into an FTP server but not do anything is a classic symptom of missing port 20.
0
 
LVL 7

Expert Comment

by:Robing66066
ID: 9771405
(That would include on her equipment as well)
0
 
LVL 7

Expert Comment

by:Robing66066
ID: 9771406
(That would include on her equipment as well)
0
 
LVL 3

Expert Comment

by:_tack
ID: 9771466
As far as I know, passive FTP was created as a workaround for some firewalls.

FTP active:
- control connection is built from client (client connects to FTP server)
- data connection is built from server (FTP server connects to client).
Do you allow building connections from your DMZ zone to the outside world? Does the client side have a firewall?
Check with other non-firewalled FTP servers.

FTP passive:
- control connection is built from client
- data connection is built from client
Normally you need a stateful inspection firewall that allows incoming connections on
particular ports as connections are established.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9771906
Active FTP needs both port 20 and 21.  One for control, the other for data.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9771930
One classic issue for having an FTP server behind a firewall is the NAT issue.  With active FTP, interaction to establish a link includes the IP address of the server.  If your FTP server is NATted, then the active client will become confused as to where the data should be sent.
0
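The address embedding behind the NAT problem discussed in the comments above, as an added example that is not part of the original thread: per RFC 959 the client advertises its own IP and port in the `PORT` command (active mode) and the server advertises its own in the `227` reply (passive mode), so an endpoint behind NAT hands the other side an unreachable private address unless something rewrites the payload. The function names, sample lines and addresses are constructed for illustration.

```python
import ipaddress
import re

# Six comma-separated decimal bytes: h1,h2,h3,h4,p1,p2 (RFC 959 host-port format).
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_hostport(line):
    """Return (mode, ip, port) for a PORT command or 227 reply, else None."""
    upper = line.strip().upper()
    if upper.startswith("PORT "):
        mode = "active"    # client advertises; server connects out from port 20
    elif upper.startswith("227"):
        mode = "passive"   # server advertises; client opens the data connection
    else:
        return None
    m = HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.ip_address(".".join(map(str, nums[:4])))
    return mode, ip, nums[4] * 256 + nums[5]

def check_session(lines, client_seen_as, server_seen_as):
    """Flag advertised data endpoints that the far side cannot reach.

    client_seen_as / server_seen_as are the public-side addresses of each
    peer, i.e. what the other end sees on the control connection.
    """
    findings = []
    for line in lines:
        decoded = decode_hostport(line)
        if decoded is None:
            continue
        mode, ip, port = decoded
        seen = ipaddress.ip_address(client_seen_as if mode == "active" else server_seen_as)
        if ip != seen:
            why = "private address leaked" if ip.is_private else "address mismatch"
            findings.append((mode, str(ip), port, why))
    return findings

# Constructed control-channel lines (documentation addresses, not from the thread).
SAMPLE = [
    "USER demo",
    "PORT 192,168,1,50,19,137",                     # client behind NAT
    "227 Entering Passive Mode (10,0,0,5,195,80)",  # server behind NAT
    "PORT 198,51,100,7,4,1",                        # matches the observed client
]
```

Running `check_session(SAMPLE, "198.51.100.7", "203.0.113.10")` over a captured control channel shows which side is advertising an address the firewall has not translated.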
 
LVL 2

Author Comment

by:jagoodie
ID: 9781532
Yes, this server is NATed. The server has a section for entering in the public IP for Passive transfers, but not Active... shouldn't it?
Is the only way to do this to put the server on the public IP address? That just isn't acceptable... we have SSNs in our files being uploaded.
0
 
LVL 35

Accepted Solution

by:
ShineOn earned 2000 total points
ID: 9782686
Can you put an FTP proxy on your firewall?  FTP Proxy will likely work where NAT will fail, and is much more secure anyway.
0
 
LVL 2

Author Comment

by:jagoodie
ID: 9788513
I wish.. no, SonicWall doesn't have that feature. We wouldn't have to use NAT, but our ISP gave us non-consecutive IPs, so we have a suboptimal configuration.
0
 
LVL 2

Author Comment

by:jagoodie
ID: 10859436
The problem was because our ISP had given us non-consecutive IP addresses, and the NAT on the SonicWall didn't want to use the same gateway for a different network. Complex.. but we had them change our addresses to be consecutive, and all is well now.
Thanks for your help.
0
