Florescu asked:
cannot ftp on port 2121 thru the firewall

I have a Windows Server 2003 and I have FTP set up on it using port 2121.  Internally I can get to it just fine, but when I go thru the firewall from the outside it times out and I get a blank page.  Initially I thought it was the Cisco ASA firewall, so I opened up a case with Cisco; they looked at it and the firewall is allowing the traffic to go thru on port 2121.  That's the only port I have opened on the firewall.

So the problem must lie on the server side.  Any thoughts?
MattiasN:

Have a look if the server is listening on the port:
c:\> netstat -an

Or the solution could be that the firewall isn't directing the traffic on port 2121 to your computer. Try and add a port forwarder:
external address:2121 -> 192.168.1.2 (example)
netstat -an*
Florescu (asker):
As I stated in my post, the server is listening on that port because I can get to the FTP server internally just fine.  

There's a port forwarder on the firewall, as I can see traffic going thru the firewall on that port and it's being allowed.
Cyclops3590:
How are you connecting?  Active requires port 20 out from server.  Passive requires extra config on the fw to dynamically open the port.   This second port is used for data transfer
I put this in my browser:

ftp://username:password@IP address:2121

I did open up port 20 on the firewall but it didn't make any difference.
I also tried an FTP client with both passive and active config.  Here's what I got when trying to connect:

passive ip address returned by server different than server IP.  

It appears that the server is giving out the inside IP address instead of giving out the public IP.  How do I configure the server to give out the public IP?
You don't need to reconfigure the server for anything.  I'd let the ASA handle the FTP.  Check out
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807ee585.shtml#non

That gives an example of how to configure FTP inspection on the ASA.  That should get passive FTP working.  As for active, you just need to allow dst port 20/tcp out (source of server, dest of any).
The ASA is already configured for that.  As I said in my previous post, I did allow port 20 on the ASA.

The problem is that the server is handing out the wrong IP address so what ends up happening is the client then tries to connect to an internal IP address, instead of using the public IP.
That is exactly the thing the ASA's FTP inspection should handle.  But if it's all running on port 2121, have you let the ASA know to use FTP inspection on that port?

While the fixup command is deprecated, it's still working (the ASA will rewrite it into the proper MPF commands):
fixup protocol ftp 2121
Please post your config.  FTP servers by default will give out the IP configured on their interface when conducting passive connections.  While many can be configured to give out a different (generally public) IP, it's not a good idea when using a PIX/ASA because that will most likely stop internal FTP from working then.
I do have the fixup command in there.  It's actually called "inspect ftp" now.  

There must be a way to do this so I can access the ftp site internally and externally.

What config do you want me to post?
ASKER CERTIFIED SOLUTION
Voltz-dk:
The running config.

By the way, what Voltz-dk posted was exactly what is in the link I posted before.  So if you're not specifying the port in your inspection policy config, then you need to read thru that link.  It specifies exactly what you need to do for non-standard FTP port inspection.
Thank you very much.  That worked by creating a new class map and specifying the port.
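For anyone landing here with the same symptom (passive FTP works inside, but an external client is handed the server's private address), here is an added example of the class-map approach the thread converges on. It is not configuration posted by anyone in the thread. It assumes the ASA's default policy-map name global_policy, an invented class-map name ftp-2121, and that the FTP server already has a static NAT entry, which is what lets the inspection engine know which public address to write into the server's 227 passive-mode reply:

```cisco
! Match the non-standard control port so the FTP inspection engine sees it.
! Without this class, "inspect ftp" only looks at tcp/21 and the private
! address in the PASV reply leaves the ASA untouched.
class-map ftp-2121
 match port tcp eq 2121
!
! Attach FTP inspection to that traffic class inside the default global policy.
policy-map global_policy
 class ftp-2121
  inspect ftp
!
! global_policy is normally already applied; shown for completeness.
service-policy global_policy global
```

After applying it, "show service-policy inspect ftp" should list the new class with packet counters that increase when an external client connects. The inspection engine rewrites the private address in the passive-mode reply to the NAT'd public address and pre-opens the negotiated data port, which is why the server needs no change and internal clients keep working; a client error like the "passive ip address returned by server different than server IP" message above is the usual sign that the control port is not covered by inspection.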