Using SSL FTP Through Netgear 318 Firewall

I'm having a difficult time using my Netgear FVS318 in conjunction with SSL FTP. The outside users can successfully connect (user name, password, etc.), but are timed out when the SSL FTP tries to establish the data channel. I know that NAT and encrypted traffic are involved here and that the firewall is blocking it. The ports are definitely open on the Netgear. Is there a way that I can get it working without removing the Netgear?

Also, I tried the "CCC" option on the client ftp desktops with no results.
giltjr Commented:
Generally you need to have a server and a client that support either the CCC or the EPSV command. For most "stupid" firewalls on the server side, EPSV should work, and then you need to configure the server to only use specific ports for SSL'ed FTP. Then configure the firewall to allow inbound connections to that range of ports. The client side should not need anything done as it will make the connection outbound.

If you have "smart" firewalls, then CCC would be better.  Smart firewalls will monitor the ftp control sessions and dynamically create rules for the data sessions.  The CCC option tells the server to issue the port command in clear text so that the firewalls can see it.

On a normal PORT command when in PASV mode the server tells the client the IP address and port to connect to. When doing non-SSL'ed FTP, the firewall will see this and convert the IP address to the NAT'ed address. However, when this is encrypted, the firewall can't do this and passes the port command through. The client will try using the non-NAT'ed address, which of course will not work. With the EPSV command, only the port number is passed and the client will use the same address for the data connection as it is using for the control/command connection.

I have heard, but can't remember which one it was, that there is at least one client that when using SSL'ed FTP will accept a normal PORT command, but it ignores the IP address in the PORT command and uses the IP address it is connected to on the control/command session. I will try and find out what client it is.

What I would suggest, assuming your FTP server supports it, is setting up a specific port range for passive FTP. Then configure your firewall to allow through all traffic to that port range to your FTP server.
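To make the PASV-versus-EPSV point above concrete, here is an added example (not code from the thread or from any of the products mentioned) that parses the two passive-mode replies an FTP server sends. The sample replies, the private server address 192.168.1.20 and the public address 203.0.113.10 are constructed for the example. A PASV `227` reply carries the server's own (possibly private, non-NAT'ed) address, which a firewall cannot rewrite once the control channel is encrypted; an EPSV `229` reply carries only the port, so the client reuses the address of the control connection. The `trust_pasv_address=False` option models the client behaviour described above, where the advertised PASV address is ignored in favour of the control-connection address.

```python
import ipaddress
import re

# Constructed sample values (not from the thread): the FTP server sits behind
# NAT on 192.168.1.20; outside clients reach it via the public 203.0.113.10.
CONTROL_HOST = "203.0.113.10"
PASV_REPLY = "227 Entering Passive Mode (192,168,1,20,195,80)"
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50000|)"


def parse_pasv(reply):
    """Parse an RFC 959 PASV '227' reply into (ip, port).

    The six numbers are h1,h2,h3,h4,p1,p2; port = p1*256 + p2.  The address
    is whatever the server believes its own address is, which behind NAT is
    usually a private one."""
    if not reply.startswith("227"):
        raise ValueError("not a PASV 227 reply: %r" % reply)
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("malformed PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_epsv(reply):
    """Parse an RFC 2428 EPSV '229' reply of the form (|||port|) into a port.

    No address is present at all, so there is nothing for NAT to get wrong."""
    if not reply.startswith("229"):
        raise ValueError("not an EPSV 229 reply: %r" % reply)
    m = re.search(r"\(\|\|\|(\d+)\|\)", reply)
    if not m:
        raise ValueError("malformed EPSV reply: %r" % reply)
    return int(m.group(1))


def data_endpoint(reply, control_host, trust_pasv_address=True):
    """Decide where the data connection should go.

    Returns (host, port, nat_mismatch).  nat_mismatch is True when a PASV
    reply advertised an address that differs from the one the client actually
    reached on the control channel (the classic encrypted-FTP-behind-NAT
    failure).  With trust_pasv_address=False the client behaves like the one
    described in the thread: it keeps the PASV port but reuses the
    control-connection address."""
    if reply.startswith("229"):
        # EPSV: port only, address implicitly the control host.
        return control_host, parse_epsv(reply), False
    ip, port = parse_pasv(reply)
    mismatch = ip != control_host
    if not trust_pasv_address:
        return control_host, port, False
    return ip, port, mismatch


def describe(reply, control_host):
    """Human-readable diagnosis, e.g. for a troubleshooting log."""
    host, port, mismatch = data_endpoint(reply, control_host)
    if mismatch:
        kind = "private" if ipaddress.ip_address(host).is_private else "foreign"
        return ("data connection to %s:%d will fail: server advertised a %s "
                "address instead of %s (use EPSV, CCC, or a client that "
                "ignores the PASV address)" % (host, port, kind, control_host))
    return "data connection to %s:%d" % (host, port)


if __name__ == "__main__":
    print(describe(PASV_REPLY, CONTROL_HOST))
    print(describe(EPSV_REPLY, CONTROL_HOST))
```

Running the module prints the failing PASV case (private 192.168.1.20 advertised to an outside client) and the working EPSV case; the same parsers can be pointed at a real server's replies captured from a client log to see which of the two problems you are actually dealing with.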


how do you know what you know?

what ports do you have open on the firewall and on the ftp server?

what kinds of logs are generated when a user tries to connect? on the server? on the firewall?

this should be a pretty simple problem to troubleshoot, but i like to get the big picture.

there is a big difference between Secure FTP and FTP over SSL, my preference is FTP over SSL because you only need one port open (SSH).

hope this helps


Umm, I'm a bit confused. Did you mean to say "my preference is ftp over SSH"?

FTP over SSL is normal FTP encrypted with SSL, it needs a command/control port and a data transfer port.  So you need two ports.

SSH'ed FTP only needs one port.  

Some places will say "Secure FTP" is SSH'ed FTP, some sites say it is FTP SSL'ed, and some just say it's ftp (or ftp-like) encrypted.
you are right giltjr, my preference is to use ftp over ssh, actually i use scp which is essentially just that...

if memory serves, an interesting point is that with SFTP the data being transmitted is encrypted but the authentication process is not.

bhunger (Author) Commented:
Sorry about delayed update.  Out of town.

Well, it's an unbelievably vexing situation. It turns out that the NAT on the client side was the issue. We removed the firewall here entirely and were getting the same. I.e., we were using the WAN IP directly with no firewall, just to test the connection. Same error: authentication would succeed, but the client could not successfully utilize the subsequent data port (yes, we tested specific ranges, etc.). The client was timing out while trying to read the ftp directory. Ipswitch tech support sort of confirmed. Setting up a SSL ftp config between two NAT networks is VERY problematic.

Unless anyone has actually accomplished this and can advise, we're going to switch to software based MSFT VPN, then utilize standard ftp (over the established vpn).

have you tried WinSCP as the client app?
bhunger (Author) Commented:
No, I haven't tried it. I've tried CoreFTP LE.

Again, I took the server side firewall and NAT completely out of the picture and got the same error.

I also tried a product (or protocol) called EFTP (encrypted ftp). I installed the server on the server and tried the client from outside the network. Same result: the client COULD log on, but couldn't see the file listing.

bhunger (Author) Commented:
I've got it working. The problem was not an open port issue (I opened the appropriate ports early on). The issue turned out to be client firewalls on the client PCs. Norton firewall and ZoneAlarm will sometimes inhibit certain types of traffic, EVEN when they're turned off.

Thanks everybody.