• Status: Solved
  • Priority: Medium
  • Security: Public

Cannot connect to FTP sites requiring a login and password

All clients are getting an error 521 when trying to log in to any FTP site on the internet that requires a password.

I am running a single Windows Server 2003
DHCP
DNS
Routing and remote access
NAT
Basic firewall on the internet side

The FTP software is returning the private IP address 192.168......

It seems I'm missing something basic in my configuration of Routing and Remote Access.
Is there not a simple method to ensure IP addresses are converted from private to public when sent out to the internet
and converted back to the appropriate private IP address on return?

Thanks!
Goodj
 
Pete Long (Consultant) Commented:
>>Basic firewall on the internet side

OK, how is it set up? Is it optimised for active or passive FTP?

Passive and Active FTP

There are two types of FTP (File Transfer Protocol): Active and Passive.

Active FTP

Pros (good for network administrators)
Cons (not so good for the client)

The FTP server will try and make a connection on a lot of high port numbers (these could well be blocked on the client-side firewall).


Passive FTP

Pros (good for the client)
Cons (Not good for the network administrators)

The client makes the connection to the FTP server, and one will be a high port number that will almost certainly be blocked by the network firewall (server side).


Solution

To strike a happy medium, administrators can make their FTP servers available to many clients by supporting passive FTP; reserving a range of port numbers does this. In this way all other ports can be firewalled, thus decreasing the security risk.

Luckily, there is somewhat of a compromise. Since administrators running FTP servers will need to make their servers accessible to the greatest number of clients, they will almost certainly need to support passive FTP. Specifying a limited port range for the FTP server to use can minimize the exposure of high-level ports on the server. Thus, everything except for this range of ports can be firewalled on the server side. While this doesn't eliminate all risk to the server, it decreases it tremendously. See Appendix 1 for more information.

*****Links*****
http://slacksite.com/other/ftp.html
http://www.cisco.com/en/US/about/ac123/ac147/ac174/ac199/about_cisco_ipj_archive_article09186a00800c85a7.html

*********Also*************

Are your clients accessing FTP sites through their browser? If so, do you have a proxy server?
 
jhautani Commented:
As you are running RRAS and NAT you have a multihomed server. If possible configure your FTP software to listen to only the internet side IP.
Or configure your NAT to forward FTP from internet to the server's private address.

Hope this helps
 
sloopeth Commented:
Stupid answer, please ignore if inappropriate - is this machine an SBS or domain controller? If so, try the domain\username for the FTP site username - I saw this on a similar post with the same problem.
 
goodj (Author) Commented:
Thanks for all your input.  Wound up on the phone with Microsoft on this one for over 9 hours.  They discovered that this is actually a bug in Windows Server 2003 with NAT on a multi-homed DC.  The fix is going to be included in SP1.
I disabled NAT, Routing and Remote Access & the 2nd NIC on the server.  Set up NAT on my firewall instead.  All is now working.
 
harleyjd Commented:
Mods - I had trouble with this one. I suggested PAQ/No Refund as the asker has answered himself, but has not requested a closure in the CS forum, despite a hint to a fortnight ago.
 
PAQ_Man Commented:
PAQed with points refunded (500)

PAQ_Man
Community Support Moderator