Solved

Can not connect to FTP after install of new firewall

Posted on 2007-03-17
Last Modified: 2013-12-06
We installed a new firewal and now can not connect to any FTP sites.  We get an error 255.  

Any ideas?
Question by:mjimison1956

Author Comment

by:mjimison1956
ID: 18740512
The secure ftp seems to work and within the firewall it seems to work.  When we try to run automated scripts that have run for two years without incident and bring a file in to process from ftp sites, we get the following error.  I have put xxxxx in for the ip address for obvious reasons.

Processing paused for 60 seconds (Attempt: 3)

ftp> Connected to 216.110.208.85.
ftp> OPEN xxxxxxxxxx
Not connected.
ftp> USER C0rN3r *******
Not connected.
ftp> binary
Not connected.
ftp> cd ToTMS
Not connected.
ftp> put c:\ecometry\ftproot\TRAVELftp\tmskeycz.zip
Not connected.
ftp> put c:\ecometry\ftproot\TRAVELftp\itmavaiz.zip
QUIT



Expert Comment

by:giltjr
ID: 18740569
Is the new firewall configured to allow ftp (port 21) out?

Were you using active or passive FTP for the data connections?  Make sure that the firewall is configured to allow those ports out?

If you have access to the old firewall, you should look at its configuration to see how it handled FTP.

Are you supposed to be doing "secured ftp" with this ftp server?  If so, is it ssh ftp or ftp ssl?

Author Comment

by:mjimison1956
ID: 18740605
We seem to be able to ftp inside the firewall but nothing from outside where we log in and get or put files.  I am the dba and not an expert on this, and of course the network guys say it is the scripts (which have worked for two years until this morning, immediately after the firewall change... you know how that is).

I am not sure if active or passive?  Have to find out.  Unless you can tell me a way to check it without the network guys.

It is port 21 for sure.

Where would I compare the configuration on old and new, or would I not have access to that?  I have root on the unix boxes...  Please let me know; we are 12 hours behind now on prod processing.

Author Comment

by:mjimison1956
ID: 18740623
From Network guys:

As best as I can tell, the rules that allow FTP traffic look identical to the ones that were in there before the rebuild.  We are able to connect to SSL FTP sites, but not unsecured FTP sites.  I’ve left word with Tom to see if he can help walk me through some additional troubleshooting.  I’ll update everyone once I hear back from him.

Accepted Solution

by:
giltjr earned 500 total points
ID: 18740661
Most Unix systems today default to passive.  The only way to really tell is to do an ftp and see which command is used, PORT or PASV, after the GET/PUT command is issued.  PORT means active FTP and PASV is for passive.

Did the IP address that is seen at the server side change?  If so, the server side could have ACL setup to only allow specific IP addresses in.

Author Comment

by:mjimison1956
ID: 18740695
I see a PORT after doing a put inside the firewall. So active.

IP address did not change.  When you say server side are you talking about our server side where we are running the script to put the file?  If so where would I find this ACL config file?

I know I am fishing here...but got to hook something.

Author Comment

by:mjimison1956
ID: 18740728
This is the result of 'put' from my desktop to one of the unix servers.  Not sure this helps.  Can ftp like that but ftp in from remote server gets the error above in my initial post.

From my pc:

ftp> put script.txt
200 PORT command successful.
150 Opening ASCII mode data connection for script.txt.
226 Transfer complete.

Expert Comment

by:giltjr
ID: 18740799
"Server side" in this case is from the ftp point of view.  So in this case you are the ftp client (even though you may be running the script on a "server") and the remote site is the ftp server (even though the ftp server software may be running on a desktop or another server).

PORT means you are active.  If it was passive you would/should see something like:

227 Entering Passive Mode (x,x,x,x,y,y)

You may want to have them check the type of firewall.  Some firewalls will "snoop" on the command/control session; they will see the port being used for the data connection and then dynamically create a rule that allows the data connection to be established.  Some firewalls must have the ftp data ACLs predefined.

Also, because of the way active ftp works, the data connection is actually initiated from the ftp server.  The ftp server will use source port 20 and connect to the destination port (your side) that is specified in the port command.

What you may want to try is before you issue the put command issue the command "passive".  Hopefully this may put your ftp client in passive mode and it is possible that your firewall may allow this out.  

This does assume that it is the firewall that is causing the problem in the first place.
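As an added example (not code from this thread or from either poster), the following Python script does the check giltjr describes on a saved FTP control-channel transcript: it decodes each PORT command and each 227 reply into the data-connection address and port, records which side opens that connection, and flags transcripts where the control channel itself never came up ("Not connected."). The sample transcript, the addresses and ports in it, and the function names are all constructed for the example.

```python
import re

# How an FTP data connection is negotiated (RFC 959):
#   client sends   PORT h1,h2,h3,h4,p1,p2                       -> active mode
#   server replies 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2) -> passive mode
PORT_RE = re.compile(r"^(?:ftp> )?PORT\s+(\d+(?:,\d+){5})", re.I | re.M)
PASV_RE = re.compile(r"^227 .*?\((\d+(?:,\d+){5})\)", re.M)
NOT_CONNECTED_RE = re.compile(r"^Not connected\.", re.M)

def decode_hostport(spec):
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256 + p2)."""
    parts = [int(x) for x in spec.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed host/port spec: %r" % spec)
    return ".".join(str(p) for p in parts[:4]), parts[4] * 256 + parts[5]

def analyse_session(log):
    """Classify a control-channel transcript; return mode and data endpoints."""
    conns = []
    for m in PORT_RE.finditer(log):
        host, port = decode_hostport(m.group(1))
        # Active: the server opens the data connection from its port 20 to the
        # client address/port announced in PORT, so the client-side firewall
        # must accept (or dynamically track) that inbound connection.
        conns.append({"mode": "active", "initiator": "server",
                      "to": (host, port), "from_port": 20})
    for m in PASV_RE.finditer(log):
        host, port = decode_hostport(m.group(1))
        # Passive: the client opens the data connection to the server's
        # advertised address/port; only an outbound rule is needed client-side.
        conns.append({"mode": "passive", "initiator": "client",
                      "to": (host, port), "from_port": None})
    modes = {c["mode"] for c in conns}
    mode = modes.pop() if len(modes) == 1 else ("mixed" if modes else "unknown")
    # "Not connected." after every command means the control channel (port 21)
    # never came up; active vs passive is not yet the question in that case.
    return {"control_failed": bool(NOT_CONNECTED_RE.search(log)),
            "mode": mode, "connections": conns}

# Constructed transcript (not from the thread): an active transfer followed by
# one where the client switched to passive. Addresses are documentation ranges.
SAMPLE_LOG = """\
230 Login successful.
PORT 192,0,2,10,19,136
200 PORT command successful.
226 Transfer complete.
PASV
227 Entering Passive Mode (203,0,113,5,195,80).
226 Transfer complete.
"""
```

Running `analyse_session(SAMPLE_LOG)` reports the first transfer as active (server connects to 192.0.2.10:5000) and the second as passive (client connects to 203.0.113.5:50000), which is exactly the information needed to decide which firewall rule is missing.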

Author Comment

by:mjimison1956
ID: 18740881
So do we change to ftp pasv in the script?

Expert Comment

by:giltjr
ID: 18741546
Yes, anyplace in the script after you have successfully logged on.  Generally if I need to do passive I do it right before the 1st get/put statement.  You may want to double check that your ftp client supports it before you change the script.

Author Comment

by:mjimison1956
ID: 18743579
Perfect solution. Thank you.  Ever need Oracle help... I am here.