Solved

FTP Problem - Connection closed by remote host

Posted on 2004-10-04
Last Modified: 2009-02-18
Hi All,

I have a problem with FTP connection. I have IIS 5.0 with a FTP site. I can connect to the FTP Server when connected to the local network in my office. But, when I connect to the internet out of office, say using dial-up, I cannot connect to the FTP Server. When I go to command prompt and type ftp www.domain.com, I get the following error message:

connected to www.domain.com
connection closed by remote host

Any suggestions? Thanks in advance.
0
Comment
Question by:consistel
16 Comments
 
LVL 3

Assisted Solution

by:cagri
cagri earned 125 total points
ID: 12215483
Dear Consistel;

The problem being observed only from external clients makes me think that it is most probably caused by the firewall settings of the company. Please have those checked by your system administrator.

Also, the security tab of IIS is worth checking.

Hope this helps,
0
 

Author Comment

by:consistel
ID: 12215550
Hi,

My firewall settings say the following:

conduit permit tcp host XXX.XXX.XXX.69 eq www any
conduit permit tcp host XXX.XXX.XXX.69 eq pop3 any
conduit permit tcp host XXX.XXX.XXX.69 eq smtp any
conduit permit tcp host XXX.XXX.XXX.69 eq ldap any
conduit permit tcp host XXX.XXX.XXX.69 eq https any
conduit permit tcp host XXX.XXX.XXX.69 eq 995 any
conduit permit tcp host XXX.XXX.XXX.70 eq ftp any

For all the other services, xxx.xxx.xxx.69 (DC) is assigned, but for FTP, xxx.xxx.xxx.70 (Another Win2k Server, not DC) is assigned. But, the FTP Server is in the DC. Is this part wrong? Should I change it?

Thanks.
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 125 total points
ID: 12216347
You would have to post your complete PIX config.
Do you have fixup ftp enabled?
What version PIX OS?
You might need to add a conduit for ftp-data

conduit permit tcp host XXX.XXX.XXX.70 eq ftp-data any
0
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 12216459
access-list outside_in permit tcp any host xxx.xxx.xxx.xxx eq ftp

(thanks to cagri as well)

Cyber
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12216471
Cyber,
you can't use both access-list and conduits at the same time...

- Cheers!
0
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 12216491
lrmoore, I should have refreshed... You are absolutely right...

:)

Cyber
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12216504
That's one reason I quit using QP a long time ago...
0

Author Comment

by:consistel
ID: 12223225
Hi,

We use PIX 506E version. I added the following conduit:

conduit permit tcp host XXX.XXX.XXX.70 eq ftp-data any

It did not work :(

I have given the current config of PIX below:

fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521

access-list inside_access_in permit ip any any
access-list inside_outbound_nat0_acl permit ip any 192.168.3.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.3.0 255.255.255.0
access-list outside_cryptomap_20 permit ip domain.com 255.255.255.0 domain

conduit permit tcp host XXX.XXX.XXX.69 eq www any
conduit permit tcp host XXX.XXX.XXX.69 eq pop3 any
conduit permit tcp host XXX.XXX.XXX.69 eq smtp any
conduit permit tcp host XXX.XXX.XXX.69 eq ldap any
conduit permit tcp host XXX.XXX.XXX.69 eq https any
conduit permit tcp host XXX.XXX.XXX.69 eq 995 any
conduit permit tcp host XXX.XXX.XXX.70 eq ftp any
conduit permit tcp host XXX.XXX.XXX.70 eq pptp any
conduit deny udp any eq 1434 any
conduit deny tcp any eq 135 any
conduit deny tcp any eq 4444 any
conduit deny udp any eq tftp any
conduit permit icmp any any echo-reply
conduit permit tcp host XXX.XXX.XXX.70 eq ftp-data any
outbound   1 permit 0.0.0.0 0.0.0.0 8 icmp
apply (inside) 1 outgoing_src
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XX 1


Any more ideas? Thanks.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12223251
What about your statics?

suggest removing the apply (inside) line

0
 

Author Comment

by:consistel
ID: 12223284
Hi lrmoore,

Thanks, my statics are given below:

global (outside) 1 XXX.XXX.XXX.71
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) XXX.XXX.XXX.69 192.168.0.10 netmask 255.255.255.255 0 0
static (inside,outside) XXX.XXX.XXX.70 192.168.0.15 netmask 255.255.255.255 0 0

Should I go ahead and remove: apply (inside) 1 outgoing_src line?

Thanks.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12223527
It won't hurt to remove the apply while troubleshooting..
0
 

Author Comment

by:consistel
ID: 12223972
Hi,

Already removed "apply (inside) 1 outgoing_src" line. Still the same :(

Could it be any other settings other than firewall, anything to do in IIS settings?

Thanks for your help.
0
 

Author Comment

by:consistel
ID: 12224527
Hi,

I also found out the following things. Could be useful for you ppl:

When connected to the local office network:

ftp www.domain.com    -         Working
ftp "IP Address of domain" -     Not working (Error: Connected to IP address, then Connection closed by remote host)
http://www.domain.com -        Working
http://"IP Address of domain" - Not working (Error: 404 - File not found)

When connected to internet (Dial-up, out of office network):

ftp www.domain.com    -         Not working (Error: Connected to www.domain.com, then Connection closed by remote host)
ftp "IP Address of domain" -     Not working (Error: Connected to IP address, then Connection closed by remote host)
http://www.domain.com -        Working
http://"IP Address of domain" - Not working (Error: 404 - File not found)

Anything to do with name resolution? Please help.
0
 
LVL 23

Accepted Solution

by:
Tim Holman earned 250 total points
ID: 12260880
Is your IIS server seeing these packets?
If you issue netstat -an round about the same time you initiate a connection from an ISP - is the external IP listed?
From an IIS perspective, which IP address is assigned to the WWW and FTP sites? Is it definitely the 192.168.0.15 one?

Internet
|
xx.xx.xx.70
PIX
192.168.0.1
|
192.168.0.15
IIS / FTP

If things look as they do above, then the conduit and NAT statements look correct.  You could always do a 'show xlate' on the PIX to check things are being translated properly.

My other trick would be to set up packet capturing on the IIS server, or set up event logging so that you know for sure you're hitting the right box.

Also, from the inside - if you do ping -a www.domain.com, does this turn up a different IP address than when you ftp {ip address}?
0
 

Author Comment

by:consistel
ID: 12678052
Hi All,

I was able to fix the problem. It was the firewall settings. The IP address of the FTP Server was incorrect in the firewall. Almost broke my head before finding this. Thanks for all your help. I love all of you experts in exchanging your ideas to help me fix the issues I face in day-to-day work. Thanks again!
0
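Added example (not part of the original thread or any participant's post): a small audit that cross-checks PIX `conduit` and `static` lines against the inside host that actually provides each service, which is the mismatch the thread ended on. The 203.0.113.x addresses stand in for the masked XXX.XXX.XXX prefix, and the `HOSTED` inventory is an assumption built from the thread's statement that the FTP site runs on the DC.

```python
import re

# Constructed sample: conduit/static lines from the thread, with the masked
# XXX.XXX.XXX prefix replaced by the documentation range 203.0.113.0/24.
PIX_CONFIG = """\
conduit permit tcp host 203.0.113.69 eq www any
conduit permit tcp host 203.0.113.70 eq ftp any
conduit permit tcp host 203.0.113.70 eq pptp any
conduit permit tcp host 203.0.113.70 eq ftp-data any
static (inside,outside) 203.0.113.69 192.168.0.10 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.70 192.168.0.15 netmask 255.255.255.255 0 0
"""

# Assumption: inventory of the services each inside host really provides
# (e.g. confirmed with `netstat -an`); the thread says FTP is on the DC.
HOSTED = {
    "192.168.0.10": {"www", "ftp", "ftp-data"},
    "192.168.0.15": {"pptp"},
}

STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask")
CONDUIT_RE = re.compile(r"^conduit permit tcp host (\S+) eq (\S+) any")

def parse(config):
    """Return ({public_ip: inside_ip}, [(public_ip, service), ...])."""
    statics, conduits = {}, []
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_RE.match(line):
            statics[m.group(1)] = m.group(2)
        elif m := CONDUIT_RE.match(line):
            conduits.append((m.group(1), m.group(2)))
    return statics, conduits

def audit(config, hosted):
    """Flag conduits whose translated inside host does not provide the service."""
    statics, conduits = parse(config)
    findings = []
    for public_ip, service in conduits:
        inside_ip = statics.get(public_ip)
        if inside_ip is None:
            findings.append((public_ip, service, None, "no static translation"))
        elif service not in hosted.get(inside_ip, set()):
            hosts = sorted(h for h, s in hosted.items() if service in s)
            findings.append((public_ip, service, inside_ip,
                             f"service is on {hosts or 'no known host'}"))
    return findings

if __name__ == "__main__":
    print(*audit(PIX_CONFIG, HOSTED), sep="\n")
```

On the sample it reports the ftp and ftp-data conduits, which are permitted to the public address that translates to 192.168.0.15 while the service is on 192.168.0.10.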
