Errors trying to connect to ftp server through Watchguard X700 firewall

I'm trying to set up an FTP server to upload a few gigs' worth of images. I've set up the server using Cerberus FTP server on a 2003 server. I set the policy on the Watchguard to allow From: Any incoming traffic To: external IP->internal ftp server IP and outgoing from: Any to: Any. I can connect to the FTP server while inside the Watchguard and upload and download files fine. When I'm outside of the firewall I seem to connect to the FTP server fine but I get a few error messages and I cannot do anything while I'm connected. I've attached the error I receive when I connect anonymously via IE and what I get when I try connecting using the FileZilla FTP client. I've also attached the screen log of the Cerberus FTP server.
I've given everyone full access to the ftp root folder on the server.
Everything seems to be pointing to the Watchguard but I don't know that much about them to really know for sure.

Best way to set up FTP through a NAT firewall like this is to use PASV mode, which by your logs you seem to be doing. However, in PASV mode, the FTP client connects to the control port 21, but then the actual data connection happens over a different random port, which is why your connection is failing here. This second port is not allowed through your firewall to reach the FTP server.

What you need to do is choose a list of a few consecutive ports (6000 - 6010 or some other small port range of 10 - 20 ports), and configure your FTP server software to only use those ports for data connections instead of the full available range. This should be a fairly obvious setting in your FTP server software configuration, or if not, the Cerberus documentation should be able to point you in the right direction. Then you need to create an additional rule in the Firebox that allows those ports you selected to reach the internal FTP server via NAT, just like you configured the original FTP rule.

That should do it.  Hope this helps.

Fveng (Author) commented:
I created a PASV policy and changed the port settings on the ftp server to 6000-6010 and I'm still getting the same errors.  I must be missing something or doing something wrong here.
For these purposes I use my own custom FTP filter definition instead of the built-in FTP definition. This way I can put all of the necessary ports into the same rule. FTP doesn't use UDP connections, so you can omit that. See my rules in the picture below. I used different ports on this particular configuration because a different application was using a port in the 6000 - 6010 range, but the actual port numbers do not matter as long as they don't conflict with anything else and they match the configuration of the server.

Your incoming properties look correct as long as those are the correct IP addresses for the outside interface of the firebox and the IP address of your FTP server.

Try getting rid of the FTP service altogether in the firebox rules and create a custom rule for this purpose similar to the one in the picture attached. Instead of port 666, use port 21 for your default configuration.  I simply changed mine from the default config for better security.

Just as an aside, you might also need to restart the FTP services for your configuration changes to take effect.

Also, just to get the simple stuff out of the way, I have to ask, have you uploaded your config to the firebox after you changed it?
Fveng (Author) commented:
That seemed to do the trick. I'm uploading and downloading files. Do you have any suggestions for a good open source FTP server app? The upload and download speeds seem pretty slow, and during uploads it will error out saying I don't have permissions and then start uploading again. Using FileZilla it will start uploading and I can see on the Cerberus server side a few errors like 425 unable to open the data connection, unable to accept passive connection. Then it will accept passive connection and continue uploading files. Using IE to upload the files it just errors out in the middle of the transfer.
I have to give this ftp site out to multiple users that range from tech savvy to pencil and paper savvy so I want to make it as easy as possible (click and drag) most likely using IE on their end.
Fveng (Author) commented:
I just installed and set up FileZilla Server. After a few tweaks and setting/port adjustments it seems to be running a lot better than Cerberus. I've been uploading files from the FileZilla client to the server for about 30 min with no break in communication.
If you're running Windows server, I do recommend Filezilla.  I've had good luck with it.  Sounds like everything is working well for you now, yes?
Fveng (Author) commented:
Yep, looks like it's going well now. I'm seeing users connect to it and transferring data. Thanks a lot for your help!
Fveng (Author) commented:
Thanks again, perfect explanation and easy to understand.

Question has a verified solution.
