Errors trying to connect to ftp server through Watchguard X700 firewall

Posted on 2008-10-27
Medium Priority
Last Modified: 2013-12-02
I'm trying to set up an ftp server to upload a few gigs worth of images. I've set up the server using Cerberus FTP server on a 2003 server. I set the policy on the Watchguard to allow From: Any incoming traffic To: external IP->internal ftp server IP and outgoing from: Any to: Any. I can connect to the ftp server while inside the Watchguard and upload and download files fine. When I'm outside of the firewall I seem to connect to the FTP server fine but I get a few error messages and I cannot do anything while I'm connected. I've attached the error I receive when I connect anonymously via IE and what I get when I try connecting using the FileZilla ftp client. I've also attached the screen log of the Cerberus FTP server.
I've given everyone full access to the ftp root folder on the server.
Everything seems to be pointing to the Watchguard but I don't know that much about them to really know for sure.
Question by: Fveng
Accepted Solution

valheru_m earned 2000 total points
ID: 22816915
Best way to set up FTP through a NAT firewall like this is to use PASV mode, which by your logs you seem to be doing. However, in PASV mode, the ftp client connects to the control port 21, but then the actual data connection happens over a different random port, which is why your connection is failing here. This second port is not allowed through your firewall to reach the ftp server.

What you need to do is choose a list of a few consecutive ports (6000 - 6010 or some other small port range of 10 - 20 ports), and configure your FTP server software to only use those ports for data connections instead of the full available range. This should be a fairly obvious setting in your FTP server software configuration, or if not the Cerberus documentation should be able to point you in the right direction. Then you need to create an additional rule in the firebox that allows those ports you selected to reach the internal FTP server via NAT, just like you configured the original FTP rule.

That should do it.  Hope this helps.

Author Comment

ID: 22817279
I created a PASV policy and changed the port settings on the ftp server to 6000-6010 and I'm still getting the same errors.  I must be missing something or doing something wrong here.

Expert Comment

ID: 22817517
For these purposes I use my own custom FTP filter definition instead of the built-in FTP definition. This way I can put all of the necessary ports into the same rule. FTP doesn't use UDP connections, so you can omit that. See my rules in the picture below. I used different ports on this particular configuration because a different application was using a port in the 6000 - 6010 range, but the actual port numbers do not matter as long as they don't conflict with anything else and they match the configuration of the server.

Your incoming properties look correct as long as those are the correct IP addresses for the outside interface of the firebox and the IP address of your FTP server.

Try getting rid of the FTP service altogether in the firebox rules and create a custom rule for this purpose similar to the one in the picture attached. Instead of port 666, use port 21 for your default configuration. I simply changed mine from the default config for better security.
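
The accepted solution and the custom-filter comment above both come down to one check: the port the server advertises in its PASV reply must be one the firebox rule actually passes. The script below is an added illustration, not code from the thread or from Cerberus/Watchguard; it decodes the `227 Entering Passive Mode` reply (port is `p1*256 + p2`), compares it against an assumed firewall rule of TCP 21 plus 6000-6010, and shows why the default random data port is blocked while a server restricted to that range gets through. The IP address and replies are constructed samples.

```python
import re
from typing import Tuple

# Assumed custom firebox filter from the thread: control port 21 plus the
# 6000-6010 passive range the FTP server was configured to use. TCP only.
FIREWALL_ALLOWED_PORTS = {21} | set(range(6000, 6011))

_PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port).

    The data port is not written in decimal: it is p1 * 256 + p2.
    """
    m = _PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def build_pasv_reply(ip: str, port: int) -> str:
    """Inverse of parse_pasv_reply: the line a server sends for a given data port."""
    p1, p2 = divmod(port, 256)
    return f"227 Entering Passive Mode ({ip.replace('.', ',')},{p1},{p2})"


def data_connection_allowed(reply: str, allowed_ports=FIREWALL_ALLOWED_PORTS) -> bool:
    """True if the firewall rule set would pass the client's second (data) connection.

    The control session on 21 already works in the question; what fails is
    the separate TCP connection to the port advertised in this reply.
    """
    _, port = parse_pasv_reply(reply)
    return port in allowed_ports


# Constructed sample replies (not from the thread's logs); 203.0.113.10 is a documentation address.
SAMPLE_REPLIES = {
    "default_random_port": build_pasv_reply("203.0.113.10", 51234),  # server free to pick any port
    "restricted_range": build_pasv_reply("203.0.113.10", 6003),      # server limited to 6000-6010
    "outside_range": build_pasv_reply("203.0.113.10", 6011),         # off-by-one range on the server
}


def audit(replies=SAMPLE_REPLIES, allowed_ports=FIREWALL_ALLOWED_PORTS):
    """Map each sample reply to whether its data port would get through the firebox."""
    return {name: data_connection_allowed(r, allowed_ports) for name, r in replies.items()}


if __name__ == "__main__":
    for name, ok in audit().items():
        print(f"{name:22s} {'allowed' if ok else 'blocked by firewall rule'}")
```

The "outside_range" case is the one to look for when a server is "restricted" but transfers still fail intermittently: every port the server may choose must be in the rule, not just most of them.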

Expert Comment

ID: 22817548
Just as an aside, you might also need to restart the FTP services for your configuration changes to take effect.

Also, just to get the simple stuff out of the way, I have to ask, have you uploaded your config to the firebox after you changed it?

Author Comment

ID: 22822750
That seemed to do the trick. I'm uploading and downloading files. Do you have any suggestions for a good open source ftp server app? The upload and download speeds seem pretty slow and during uploads it will error out saying I don't have permissions and then start uploading again. Using FileZilla it will start uploading and I can see on the Cerberus server side a few errors like 425 unable to open the data connection, unable to accept passive connection. Then it will accept passive connection and continue uploading files. Using IE to upload the files it just errors out in the middle of the transfer.
I have to give this ftp site out to multiple users that range from tech savvy to pencil and paper savvy so I want to make it as easy as possible (click and drag) most likely using IE on their end.

Author Comment

ID: 22823496
I just installed and set up FileZilla Server. After a few tweaks and setting/port adjustments it seems to be running a lot better than Cerberus. I've been uploading files from the FileZilla client to the server for about 30 min with no break in communication.

Expert Comment

ID: 22827270
If you're running Windows server, I do recommend Filezilla.  I've had good luck with it.  Sounds like everything is working well for you now, yes?

Author Comment

ID: 22832259
Yep, looks like it's going well now. I'm seeing users connecting to it and transferring data. Thanks a lot for your help!

Author Closing Comment

ID: 31510469
Thanks again, perfect explanation and easy to understand.
