FTP Passive Mode on Different Port

Posted on 2005-03-09
Medium Priority
Last Modified: 2008-01-09
Hey everyone! I'm having a little problem and was wondering if anyone can help.

Here's what I have set up: I have an FTP on port 21 that works excellent. It's passive, so after connecting, it connects to a port in the 24XXX range. I wanted a separate FTP to run off of port 1773. When I connect to that port, it logs in and everything, but then creates a PASV command using a LOCAL IP.

It connects and authenticates, then says this:

            227 Entering Passive Mode (192,161,0,9,13,206).
STATUS:>        Connecting FTP data socket

How can I get it to create a passive connection using the EXTERNAL IP? Again, the FTP on port 21 creates a passive connection (using PASV command) using the EXTERNAL IP. Why does it change when I try to change the port?

Thank you!
Question by:bick2000
LVL 34

Accepted Solution

Dave_Dietz earned 2000 total points
ID: 13502781
I think you forgot to tell us you have a NAT device of some sort in front of the FTP server.....  ;-)

IIS 6.0 FTP will *always* respond to a PASV command with the IP address of the interface that it received the request on.  If it receives the request on IP it will send back in the 227 response (shows up as 10, 0, 0, 5, high, low).

Your NAT device is watching traffic on port 21 and properly translating the IP in the 227 response to the external IP address and everything is working properly.  Unfortunately unless you can configure your NAT device to also expect FTP command channel traffic on port 1773 it will not know to watch for 227 responses and will not translate them properly.

I would be willing to bet money that if you move the 'working' site to a different port for testing it will show the same symptoms as the one currently failing.

Short answer - you're probably out of luck unless you have or are going to buy an expensive NAT/Firewall device that you can configure to watch for FTP on port 1773 and translate it accordingly.

Dave Dietz
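
A diagnostic for the symptom described in this answer, as an added example that is not part of the original thread: it decodes the address and port in a 227 reply and compares the address with the one the client dialed for the control connection, which shows whether the NAT device rewrote the reply. The function names and the external address 203.0.113.10 (a documentation-range placeholder) are assumptions for illustration.

```python
import ipaddress
import re

# A 227 reply carries h1,h2,h3,h4,p1,p2 (RFC 959): four address octets
# followed by the data port split into high and low bytes.
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# The reply quoted in the question (control connection on port 1773).
PAGE_REPLY = "227 Entering Passive Mode (192,161,0,9,13,206)."
# Constructed sample: the same reply after a NAT device rewrote the address.
REWRITTEN_REPLY = "227 Entering Passive Mode (203,0,113,10,13,206)."
# Assumption: the external address the client dialed (placeholder value).
CONTROL_PEER = "203.0.113.10"


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or raise ValueError."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % reply)
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # high byte * 256 + low byte
    return ip, port


def check_pasv(reply, control_peer):
    """Compare the advertised data address with the control-connection peer."""
    ip, port = parse_pasv(reply)
    same = ipaddress.IPv4Address(ip) == ipaddress.IPv4Address(control_peer)
    return {"data_ip": ip, "data_port": port, "translated": same}


if __name__ == "__main__":
    for label, reply in (("port 1773", PAGE_REPLY), ("port 21", REWRITTEN_REPLY)):
        result = check_pasv(reply, CONTROL_PEER)
        verdict = "rewritten by NAT" if result["translated"] else "NOT rewritten"
        print("%-9s -> %s:%d (%s)" % (label, result["data_ip"],
                                      result["data_port"], verdict))
```

A mismatch between the advertised address and the control-connection peer means the client will try to open the data socket to an address it cannot reach from outside.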

Author Comment

ID: 13511110
Ok, I guess that makes sense... Is there no way around this?


LVL 34

Expert Comment

ID: 13513855
Only ways around it would be to use a different non-RFC compliant FTP server that allows you to hardcode the 227 response or to get a different firewall.

Sucks, but this is happening more and more often with firewalls and NAT devices springing up everywhere.....

Dave Dietz

Author Comment

ID: 13514195
ok thanks for the help


Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Learn about cloud computing and its benefits for small business owners.
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
Integration Management Part 2
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

569 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question