Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

FTP Problem - Connection closed by remote host

Posted on 2004-10-04
16
Medium Priority
?
844 Views
Last Modified: 2009-02-18
Hi All,

I have a problem with FTP connection. I have IIS 5.0 with a FTP site. I can connect to the FTP Server when connected to the local network in my office. But, when I connect to the internet out of office, say using dial-up, I cannot connect to the FTP Server. When I go to command prompt and type ftp www.domain.com, I get the following error message:

connected to www.domain.com
connection closed by remote host

Any suggestions? Thanks in advance.
0
Comment
Question by:consistel
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
  • 2
  • +2
16 Comments
 
LVL 3

Assisted Solution

by:cagri
cagri earned 500 total points
ID: 12215483
Dear Consistel;

Problem is being observerved only from the external clients makes me think that it is most probably caused by firewall settings or the company. Please have those checked by your system administrator.

Also, the security tab of IIS worth to be checked.

Hope this helps,
0
 

Author Comment

by:consistel
ID: 12215550
Hi,

My firewall settings says the following:

conduit permit tcp host XXX.XXX.XXX.69 eq www any
conduit permit tcp host XXX.XXX.XXX.69 eq pop3 any
conduit permit tcp host XXX.XXX.XXX.69 eq smtp any
conduit permit tcp host XXX.XXX.XXX.69 eq ldap any
conduit permit tcp host XXX.XXX.XXX.69 eq https any
conduit permit tcp host XXX.XXX.XXX.69 eq 995 any
conduit permit tcp host XXX.XXX.XXX.70 eq ftp any

For all the other services, xxx.xxx.xxx.69 (DC) is assigned, but for FTP, xxx.xxx.xxx.70 (Another Win2k Server, not DC) is assigned. But, the FTP Server is in the DC. Is this part wrong? Should I change it?

Thanks.
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 500 total points
ID: 12216347
You would have to post your complete PIX config.
Do you have fixup ftp enabled?
What version PIX OS?
You might need to add a conduit for ftp-data

conduit permit tcp host XXX.XXX.XXX.70 eq ftp-data any
0
Will your db performance match your db growth?

In Percona’s white paper “Performance at Scale: Keeping Your Database on Its Toes,” we take a high-level approach to what you need to think about when planning for database scalability.

 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 12216459
access-list outside_in permit tcp any host xxx.xxx.xxx.xxx 255.255.255.255 eq ftp

(thank to cagri as well)

Cyber
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12216471
Cyber,
you can't use both access-list and conduits at the same time...

- Cheers!
0
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 12216491
Irmoore, I should have refreshed... You are absolulu right...

:)

Cyber
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12216504
That's one reason I quit using QP a long time ago...
0
 

Author Comment

by:consistel
ID: 12223225
Hi,

We use PIX 506E version. I added following conduit:

conduit permit tcp host XXX.XXX.XXX.70 eq ftp-data any

It did not work :(

I have given the current config of PIX below:

fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521

access-list inside_access_in permit ip any any
access-list inside_outbound_nat0_acl permit ip any 192.168.3.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.3.0 255.255.255.0
access-list outside_cryptomap_20 permit ip domain.com 255.255.255.0 domain

conduit permit tcp host XXX.XXX.XXX.69 eq www any
conduit permit tcp host XXX.XXX.XXX.69 eq pop3 any
conduit permit tcp host XXX.XXX.XXX.69 eq smtp any
conduit permit tcp host XXX.XXX.XXX.69 eq ldap any
conduit permit tcp host XXX.XXX.XXX.69 eq https any
conduit permit tcp host XXX.XXX.XXX.69 eq 995 any
conduit permit tcp host XXX.XXX.XXX.70 eq ftp any
conduit permit tcp host XXX.XXX.XXX.70 eq pptp any
conduit deny udp any eq 1434 any
conduit deny tcp any eq 135 any
conduit deny tcp any eq 4444 any
conduit deny udp any eq tftp any
conduit permit icmp any any echo-reply
conduit permit tcp host XXX.XXX.XXX.70 eq ftp-data any
outbound   1 permit 0.0.0.0 0.0.0.0 8 icmp
apply (inside) 1 outgoing_src
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XX 1


Any more ideas? Thanks.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12223251
What about your statics?

suggest removing the apply (inside) line

0
 

Author Comment

by:consistel
ID: 12223284
Hi lrmoore,

Thanks, my statics are given below:

global (outside) 1 XXX.XXX.XXX.71
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) XXX.XXX.XXX.69 192.168.0.10 netmask 255.255.255.255 0 0
static (inside,outside) XXX.XXX.XXX.70 192.168.0.15 netmask 255.255.255.255 0 0

Should I go ahead and remove: apply (inside) 1 outgoing_src line?

Thanks.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12223527
It won't hurt to remove the apply while troubleshooting..
0
 

Author Comment

by:consistel
ID: 12223972
Hi,

Already removed "apply (inside) 1 outgoing_src" line. Still the same :(

Could it be any other settings other than firewall, anything to do in IIS settings?

Thanks for your help.
0
 

Author Comment

by:consistel
ID: 12224527
Hi,

I also found out the following things. Could be useful for you ppl:

When connected to the local office network:

ftp www.domain.com    -         Working
ftp "IP Address of domain" -     Not working (Error: Connected to IP address, then Connection closed by remote host)
http://www.domain.com -        Working
http://"IP Address of domain" - Not working (Error: 404 - File not found)

When connected to internet (Dial-up, out of office network):

ftp www.domain.com    -         Not working (Error: Connected to www.domain.com, then Connection closed by remote host)
ftp "IP Address of domain" -     Not working (Error: Connected to IP address, then Connection closed by remote host)
http://www.domain.com -        Working
http://"IP Address of domain" - Not working (Error: 404 - File not found)

Anything to do with name resolution? Please help.
0
 
LVL 23

Accepted Solution

by:
Tim Holman earned 1000 total points
ID: 12260880
Is your ISS server seeing these packets ?
If you issue netstat -an roundabout the same time you initiate a connection from an ISP - is the external IP listed ?
From an IIS perspective, which IP address is assigned to the WWW and FTP sites ?  Is it definitely the 192.168.0.15 one ?

Internet
|
xx.xx.xx.70
PIX
192.168.0.1
|
192.168.0.15
IIS / FTP

If things look as they do above, then the conduit and NAT statements look correct.  You could always do a 'show xlate' on the PIX to check things are being translated properly.

My other trick would be to setup packet capturing on the IIS server, or setup event logging so that you know for sure you're hitting the right box.

Also, from the inside - if you do ping -a www.domain.com, does this turn up a different IP address than when you ftp {ip address} ?
0
 

Author Comment

by:consistel
ID: 12678052
Hi All,

I was able to fix the problem. It was the firewall settings. The IP address of the FTP Server was incorrect in the firewall. Almost broke my head before finding this. Thanks for all your help. I love all of you experts in exchanging your ideas to help me fix the issues I face in day to days work. Thanks again!
0

Featured Post

ATEN's HDBaseT Presentation at InfoComm 2017

Hear ATEN Product Manager YT Liang review HDBaseT technology, highlighting ATEN’s latest solutions as they relate to real-world applications during her presentation at the HDBaseT booth at InfoComm 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Short answer to this question: there is no effective WiFi manager in iOS devices as seen in Windows WiFi or Macbook OSx WiFi management, but this article will try and provide some amicable solutions to better suite your needs.
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question