Asked by kpmas (Canada)

NAT Issues - Windows 2000 FTP Server

We have a customer that has a Cisco 806 router and a public subnet (/29 block).  Our setup is using NAT with specific ports from specific IPs mapped to internal addresses.

The setup works fine for port 80, 25 etc... with the Windows 2000 servers handling email, web etc...

My problem arises with the FTP server.  The customer runs their FTP on non-standard ports.  Actually he assigns each customer their own port (can't change this at this time).  So customer ABC has port 1216 on IP x.x.x.x for example.

When I do a test connection I get this type of output:

[root@server log]# ftp
ftp> open hostname.com
ftp: connect: Connection refused
ftp> open hostname.com 1216
Connected to hostname.com (123.123.123.123).
220 host Microsoft FTP Service (Version 5.0).
Name (hostname.com:root): sparks
331 Password required for sparks.
Password:
230 User sparks logged in.
Remote system type is Windows_NT.
ftp> dir
227 Entering Passive Mode (10,100,1,147,12,186).
ftp: connect: Connection timed out

As you can see, it appears that the server behind the NAT is trying to send back to me on a private IP address versus coming back to me on the public IP I actually connected on?  We have NAT'ed FTP servers at a lot of other customer sites using standard 20/21 ports and don't have this issue at all?  Am I missing something on the mapping?  At the other sites we only map port 21 out, nothing else...

I have to get this resolved ASAP so hoping for quick assistance (hence why I'm offering a lot of points).

Thanks for your time,

Paul
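The session above shows the symptom directly: the control connection went to 123.123.123.123, but the 227 reply advertises 10.100.1.147, a private address the client cannot reach, so the data connection for "dir" times out. The following script is an added example (not part of this thread, and not anything the asker or the router vendor supplies) that parses a 227 passive-mode reply and compares the advertised address against the address the control connection actually reached, which is the check to run when an FTP server behind NAT works on port 21 but not on a non-standard port. The 227 line is the one quoted in the question; the EPSV line and the function names (parse_pasv, parse_epsv, diagnose_passive, check_live) are constructed for this example. It also handles the RFC 2428 EPSV form, which the question does not mention.

```python
import ipaddress
import re
from ftplib import FTP

# The 227 reply quoted in the question above.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (10,100,1,147,12,186)."
# Constructed EPSV reply (RFC 2428 form); EPSV carries only a port, so the
# client reuses the control-connection address and a NAT leak cannot occur.
SAMPLE_EPSV_REPLY = "229 Entering Extended Passive Mode (|||3258|)"

_PASV_RE = re.compile(
    r"227[^\d]*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)
_EPSV_RE = re.compile(r"229[^(]*\(\|\|\|(\d{1,5})\|\)")


def parse_pasv(reply: str) -> tuple:
    """Parse a 227 reply into (ip, port). The port is p1 * 256 + p2."""
    m = _PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 227 passive-mode reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError(f"octet out of range in 227 reply: {reply!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_epsv(reply: str) -> int:
    """Parse a 229 (EPSV) reply and return the advertised data port."""
    m = _EPSV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 229 extended-passive reply: {reply!r}")
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in 229 reply: {reply!r}")
    return port


def diagnose_passive(control_peer_ip: str, reply: str) -> dict:
    """Compare the endpoint advertised in a PASV/EPSV reply with the address
    the control connection actually reached.

    verdicts:
      ok                      - data endpoint is reachable as advertised
      private_address_leaked  - server advertised an RFC 1918 address to a
                                public peer: the NAT device is not rewriting
                                the FTP control channel on this port
      address_mismatch        - public but different address (multi-homed
                                server or a mapping to the wrong public IP)
    """
    peer = ipaddress.ip_address(control_peer_ip)
    if reply.startswith("229"):
        # EPSV: address is implicit, only the port can be wrong.
        return {"advertised_ip": control_peer_ip,
                "data_port": parse_epsv(reply), "verdict": "ok"}
    advertised_ip, data_port = parse_pasv(reply)
    adv = ipaddress.ip_address(advertised_ip)
    if adv.is_private and not peer.is_private:
        verdict = "private_address_leaked"
    elif adv != peer:
        verdict = "address_mismatch"
    else:
        verdict = "ok"
    return {"advertised_ip": advertised_ip, "data_port": data_port,
            "verdict": verdict}


def check_live(host: str, port: int, user: str, password: str) -> dict:
    """Log in, issue PASV on the real control connection and diagnose the
    reply. Network access required; not run by default."""
    ftp = FTP()
    ftp.connect(host, port, timeout=15)
    try:
        ftp.login(user, password)
        peer_ip = ftp.sock.getpeername()[0]
        return diagnose_passive(peer_ip, ftp.sendcmd("PASV"))
    finally:
        ftp.close()


if __name__ == "__main__":
    # Offline run against the reply quoted in the thread.
    print(diagnose_passive("123.123.123.123", SAMPLE_PASV_REPLY))
    print(diagnose_passive("123.123.123.123", SAMPLE_EPSV_REPLY))
```

A "private_address_leaked" verdict on a non-standard port, with "ok" on port 21, points at the NAT device rather than the server: the router inspects and rewrites FTP control traffic only on the port it treats as FTP, so the 227 payload passes through untouched on port 1216. The remediation is on the NAT side (teach the device that the non-standard port carries FTP, or move the service to a port it inspects) or on the server side (have it advertise the public address), not in the client.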
J C (United States)

Have you statically mapped the ports on the router, i.e. "ip nat inside source static tcp inside 1216 outside 21"? (I assume so.) I tried this out myself and came up with the same issue, but after debugging I saw I was blocking the server's source port 20 (the data port) coming back to me. This could be your issue also.

GR
I found this link; it might help to understand.

http://www.networknewz.com/2003a/0922.html

GR

ASKER

Thanks for the info...  we're on the right track but I'm still puzzled..:)

Yes, have statically mapped the ports and you can connect but then a DIR or LS times out... how did you do the port 20 entry?  I tried "natting" out the port 20 back to the box but with no luck...

I have noticed that 227 Entering Passive Mode (10,100,1,147,12,186) has the private IP address but if we get the customer to let us run port 21 (which we did as a test this morning) I see the real world IP address and things work fine....

Thanks,

Paul
Well, what I noticed when I tried it: it timed out also on 'dir' until I allowed port 20 from server to client (any port). Have you tried using other FTP clients also? Try to put one in PASSIVE mode to see if that works.

GR

ASKER

Hmm.. I'm trying to see what I can do to fix this on the Cisco side...

I'm not blocking any ports from the server to the world via the router... have tried other clients (was using a linux box) such as CuteFTP and with it (running passive) I can login and get directory lists but can't do transfers... just a bunch of port errors....

I believe the customer is going to setup a different FTP package now since quite honestly the IIS FTP service sucks..:)

You should be good on your router side. However, what about the clients? Firewalls? When you tested this, were you on the same network as the server or were you outside of it?

GR

ASKER

Outside of it, behind other firewalls normally... at our main office we are behind a PIX connecting out to this customer over DSL to their Cisco router that we supply... behind the router are their servers via NAT...

One thing I'm researching is IIS FTP service and whether or not you can force it to talk passive mode only... it seems that it's still trying to run in an active mode all the time.. could be wrong..

Paul
ASKER CERTIFIED SOLUTION
J C

This solution is only available to members.

ASKER

Yes, we have a number of Linux FTP servers behind NATted Cisco routers with no issues, which makes me think it's an IIS issue.  Customer is going to move to WarFTP I believe now, which we've run as well with no problems..

Thanks for taking the time to answer my questions and try to assist.

Paul