goodj
Cannot connect to FTP sites requiring a login and password

All clients are getting an error 521 when trying to log in to any FTP site on the internet that requires a password.

I am running a single Windows Server 2003 machine with:
DHCP
DNS
Routing and remote access
NAT
Basic firewall on the internet side

The ftp software is returning the private ip address 192.168......

It seems I'm missing something basic in my configuration of Routing and remote access.
Is there not a simple method to ensure ip addresses are converted from private to public when sent out to the internet
and converted back to the appropriate private ip address on return?

Thanks!
Goodj
Pete Long

>>Basic firewall on the internet side

OK, how is it set up? Is it optimised for active or passive FTP?

Passive and Active FTP

There are two types of FTP (File Transfer Protocol): Active and Passive.

Active FTP

Pros (good for network administrators)
Cons (not so good for the client)

The FTP server will try and make a connection on a lot of high port numbers (these could well be blocked on the clients side Firewall)


Passive FTP

Pros (good for the client)
Cons (Not good for the network administrators)

The client makes the connection to the FTP server, and one will be a high port number that will almost certainly be blocked by the network firewall (server side)


Solution

To strike a happy medium, administrators can make their FTP servers available to many clients by supporting passive FTP and reserving a range of port numbers for it; in this way all other ports can be firewalled, thus decreasing the security risk.

Luckily, there is somewhat of a compromise. Since administrators running FTP servers will need to make their servers accessible to the greatest number of clients, they will almost certainly need to support passive FTP. Specifying a limited port range for the FTP server to use can minimize the exposure of high-level ports on the server. Thus, everything except for this range of ports can be firewalled on the server side. While this doesn't eliminate all risk to the server, it decreases it tremendously. See Appendix 1 for more information.

*****Links*****
http://slacksite.com/other/ftp.html
http://www.cisco.com/en/US/about/ac123/ac147/ac174/ac199/about_cisco_ipj_archive_article09186a00800c85a7.html

*********Also*************

Are your clients accessing FTP sites through their browser? If so, do you have a proxy server?
As you are running RRAS and NAT you have a multihomed server. If possible configure your FTP software to listen to only the internet side IP.
Or configure your NAT to forward FTP from internet to the server's private address.

Hope this helps.
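To make the symptom in the question concrete, here is an added Python illustration (not code from any poster in this thread) of what travels on the FTP control channel in the two modes: it decodes the host/port tuple used by the PORT command and the 227 PASV reply, flags a PORT command that still carries an RFC 1918 address (what a NAT without FTP awareness lets through), and shows the rewrite an FTP-aware NAT must perform. The sample lines and addresses are constructed for the example.

```python
import ipaddress
import re

# Constructed sample lines (not from the thread): what a NAT box sees on the
# control channel. 192.168.1.25 is a private LAN address; 203.0.113.10 and
# 198.51.100.7 are documentation addresses standing in for public ones.
PORT_FROM_NATTED_CLIENT = "PORT 192,168,1,25,19,137"
PASV_REPLY_FROM_SERVER = "227 Entering Passive Mode (203,0,113,10,195,80)"

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line):
    """Decode the h1,h2,h3,h4,p1,p2 form shared by the PORT command and the
    227 PASV reply (RFC 959). Returns (ip, port) with port = p1*256 + p2."""
    m = _TUPLE.search(line)
    if not m:
        raise ValueError("no host/port tuple in %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in %r" % line)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def encode_hostport(ip, port):
    """Inverse of parse_hostport: dotted IP plus port back to the tuple form."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


def check_active_port(line):
    """Diagnose a client PORT command as it leaves the site. A private
    (RFC 1918) address means the NAT passed it through untouched, so the
    server's data connection has nowhere routable to go: the symptom in
    the question above. Returns (verdict, ip, port)."""
    ip, port = parse_hostport(line)
    addr = ipaddress.ip_address(ip)
    verdict = "unreachable" if any(addr in n for n in RFC1918) else "ok"
    return verdict, ip, port


def rewrite_port_for_nat(line, public_ip, public_port):
    """What an FTP-aware NAT (an FTP ALG) must do for active mode: replace
    the private address/port in PORT with the public mapping it created."""
    parse_hostport(line)  # validate the original command before rewriting
    return "PORT " + encode_hostport(public_ip, public_port)
```

In passive mode the roles flip: the client parses the 227 reply and connects outwards to that address, which is why passive mode works through a plain NAT while active mode needs the rewrite shown here.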
sloopeth

Stupid answer, please ignore if inappropriate: is this machine an SBS or domain controller? If so, try the domain\username for the FTP site username. I saw this on a similar post with the same problem.
goodj (asker)

Thanks for all your input. Wound up on the phone with Microsoft on this one for over 9 hours. They discovered that this is actually a bug in Windows Server 2003 with NAT on a multi-homed DC. The fix is going to be included in SP1.
I disabled NAT, Routing and Remote Access and the 2nd NIC on the server. Set up NAT on my firewall instead. All is now working.
Mods - I had trouble with this one. I suggested PAQ/No Refund as the asker has answered himself, but has not requested a closure in the CS forum, despite a hint a fortnight ago.