Solved

Errors trying to connect to ftp server through Watchguard X700 firewall

Posted on 2008-10-27
1,789 Views
Last Modified: 2013-12-02
I'm trying to set up an ftp server to upload a few gigs worth of images. I've set up the server using Cerberus FTP server on a 2003 server. I set the policy on the Watchguard to allow From: Any incoming traffic To: external IP->internal ftp server IP and outgoing from: Any to: Any. I can connect to the ftp server while inside the Watchguard and upload and download files fine. When I'm outside of the firewall I seem to connect to the FTP server fine but I get a few error messages and I cannot do anything while I'm connected. I've attached the error I receive when I connect anonymously via IE and what I get when I try connecting using the filezilla ftp client. I've also attached the screen log of the Cerberus FTP server.
I've given everyone full access to the ftp root folder on the server.
Everything seems to be pointing to the Watchguard but I don't know that much about them to really know for sure.
ftperror.jpg
ftp.txt
LOG-2008-10-27-140232.txt
Question by:Fveng
9 Comments
LVL 5

Accepted Solution

by: valheru_m earned 500 total points
ID: 22816915
Best way to set up FTP through a NAT firewall like this is to use PASV mode, which by your logs you seem to be doing. However, in PASV mode, the ftp client connects to the control port 21, but then the actual data connection happens over a different random port, which is why your connection is failing here. This second port is not allowed through your firewall to reach the ftp server.

What you need to do is choose a list of a few consecutive ports (6000 - 6010 or some other small port range of 10 - 20 ports), and configure your FTP server software to only use those ports for data connections instead of the full available range. This should be a fairly obvious setting in your FTP server software configuration, or if not the Cerberus documentation should be able to point you in the right direction. Then you need to create an additional rule in the firebox that allows those ports you selected to reach the internal FTP server via NAT, just like you configured the original FTP rule.

That should do it.  Hope this helps.
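As an added example (not from the thread, and not Cerberus or WatchGuard code), the script below decodes the `227 Entering Passive Mode` reply an FTP server sends for PASV and checks the advertised data port against the port range the firewall forwards, which is exactly the mismatch the answer describes. The 6000-6010 range, the external address 203.0.113.10 and the three sample replies are constructed for the example. It also flags a reply that advertises the server's private LAN address instead of the firewall's external address, a related NAT pitfall not raised in the thread.

```python
import re
from ipaddress import ip_address

# Hypothetical values for this example: the data-port range configured on the
# FTP server and forwarded by the firewall rule (6000-6010 inclusive, as the
# answer suggests), and the firewall's external address (a documentation
# address, not the asker's).
ALLOWED_DATA_PORTS = range(6000, 6011)
EXTERNAL_IP = "203.0.113.10"

# RFC 959 PASV reply: 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (host, port) advertised in a 227 PASV reply.

    The data port is encoded as two bytes: port = p1 * 256 + p2.
    """
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def diagnose_pasv(reply, allowed=ALLOWED_DATA_PORTS, external_ip=EXTERNAL_IP):
    """List the reasons an outside client could not open the data connection
    this reply describes. An empty list means the transfer should work."""
    host, port = parse_pasv(reply)
    problems = []
    if port not in allowed:
        problems.append("data port %d is outside the forwarded range %d-%d"
                        % (port, allowed.start, allowed.stop - 1))
    if host != external_ip:
        kind = "private" if ip_address(host).is_private else "unexpected"
        problems.append("reply advertises %s address %s instead of the "
                        "firewall's external address %s"
                        % (kind, host, external_ip))
    return problems


# Constructed sample replies: one inside the forwarded range, one on a random
# high port (the unrestricted default the answer warns about), and one where
# the server hands out its LAN address.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (203,0,113,10,23,112)",   # port 6000
    "227 Entering Passive Mode (203,0,113,10,192,0)",    # port 49152
    "227 Entering Passive Mode (192,168,1,50,23,120)",   # port 6008, private IP
]

if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        host, port = parse_pasv(reply)
        problems = diagnose_pasv(reply)
        status = "ok" if not problems else "; ".join(problems)
        print("%s -> %s:%d  %s" % (reply, host, port, status))
```

Run it against the real reply captured with the client's raw log (FileZilla shows it in the message log) to see at a glance whether the server's PASV range and the firebox rule agree.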

Author Comment

by:Fveng
ID: 22817279
I created a PASV policy and changed the port settings on the ftp server to 6000-6010 and I'm still getting the same errors.  I must be missing something or doing something wrong here.
pasv1.JPG
pasv2.JPG
pasv3.JPG
cerbos-ports.JPG
LVL 5

Expert Comment

by:valheru_m
ID: 22817517
For these purposes I use my own custom FTP filter definition instead of the built-in FTP definition. This way I can put all of the necessary ports into the same rule. FTP doesn't use UDP connections, so you can omit that. See my rules in the picture below. I used different ports on this particular configuration because a different application was using a port in the 6000 - 6010 range, but the actual port numbers do not matter as long as they don't conflict with anything else and they match the configuration of the server.

Your incoming properties look correct as long as those are the correct IP addresses for the outside interface of the firebox and the IP address of your FTP server.

Try getting rid of the FTP service altogether in the firebox rules and create a custom rule for this purpose similar to the one in the picture attached. Instead of port 666, use port 21 for your default configuration. I simply changed mine from the default config for better security.
Picture-1.jpg
LVL 5

Expert Comment

by:valheru_m
ID: 22817548
Just as an aside, you might also need to restart the FTP services for your configuration changes to take effect.

Also, just to get the simple stuff out of the way, I have to ask, have you uploaded your config to the firebox after you changed it?

Author Comment

by:Fveng
ID: 22822750
That seemed to do the trick. I'm uploading and downloading files. Do you have any suggestions for a good open source ftp server app? The upload and download speeds seem pretty slow and during uploads it will error out saying I don't have permissions and then start uploading again. Using filezilla it will start uploading and I can see on the Cerberus server side a few errors like 425 unable to open the data connection, unable to accept passive connection. Then it will accept the passive connection and continue uploading files. Using IE to upload the files it just errors out in the middle of the transfer.
I have to give this ftp site out to multiple users that range from tech savvy to pencil and paper savvy so I want to make it as easy as possible (click and drag) most likely using IE on their end.

Author Comment

by:Fveng
ID: 22823496
I just installed and set up filezilla server. After a few tweaks and setting/port adjustments it seems to be running a lot better than Cerberus. I've been uploading files from filezilla client to the server for about 30 min with no break in communication.
LVL 5

Expert Comment

by:valheru_m
ID: 22827270
If you're running Windows server, I do recommend Filezilla. I've had good luck with it. Sounds like everything is working well for you now, yes?

Author Comment

by:Fveng
ID: 22832259
Yep, looks like it's going well now. I'm seeing users connect to it and transferring data. Thanks a lot for your help!

Author Closing Comment

by:Fveng
ID: 31510469
Thanks again, perfect explanation and easy to understand.