SonicWall Configuration to Allow FTP Server

Hi folks!

Our organization has a SonicWall TZ-210 unit that acts as the firewall and router for our entire network, sitting between our ISP connection and our internal network. I am trying to set up an FTP server and configure the SonicWall to allow outside access to it, but am having problems.

So far, under the Network -> NAT Settings option, I have added a NAT policy with the following settings:

Original Source: Any
Translated Source: Original
Original Destination: WAN Interface IP
Translated Destination: [name of our server]
Original Service: FTP (All)
Translated Service: Original
Inbound Interface: Any
Outbound Interface: Any

Under Firewall -> Access rules, in the WAN to LAN zone, I have created a rule with the following settings:

Source: Any
Destination: Any
Service: FTP (All)
Action: Allow
Users: All

Under Firewall -> Services, I have made sure that FTP (All) is configured as a group that includes the following individual services:

FTP (port 21)
FTP Control (port 21)
FTP Data (port 20)

Finally, under Network -> Address Objects, I have configured an object with the following settings:

Name: [our server name]
Zone Assignment: LAN
Type: Host
IP Address: [our internal IP address for the server]

With these settings in place, however, I cannot access the FTP server from the outside. When I use a simple command-line FTP client and connect to our IP address, it says it has established a connection, but then it hangs for a moment and then says "Connection closed by foreign host." When I check the FTP server's monitor window, I see no connection attempts, error messages, or other indications that the traffic has made it through to the server. So I must assume something is getting dropped at the firewall.

Any suggestions would be most appreciated.

Thanks,
Ithizar
 
digitapConnect With a Mentor Commented:
you're not getting routed properly back out. what i'd recommend is deleting your firewall access rules, NAT policies and address objects thus far. run the public server wizard. then, see how you fare.
0
 
rjwesleyCommented:
I use a 2040 SonicWall product - had problems using the default config for FTP - I ran the Public Server wizard for FTP - did you happen to configure FTP access this way?

Restarting IIS and/or the firewall device may help.

Rob
0
 
IthizarAuthor Commented:
No, I didn't configure access through Public Server Wizard. I configured the rules manually.
0

 
fluk3dConnect With a Mentor Commented:

Here is how I configure all SonicWALL devices

You will need 3 NAT policies

1st policy - loopback

Original Source: X0/Firewalled Subnets
Translated Source: Address Object-WAN IP
Original Dest: Address Object-WAN IP
Translated Dest: Address Object-LAN IP
Original Service: FTP Services (21,20)
Translated Service: Original
Inbound: Any
Outbound: Any

2nd policy - outbound

Original Source: Address Object-LAN IP
Translated Source: Address Object-WAN IP
Original Dest: Any
Translated Dest: Original
Original Service: FTP Services (21,20)
Translated Service: Original
Inbound: Any
Outbound: WAN


3rd policy - inbound

Original Source: Any
Translated Source: Original
Original Dest: Address Object-WAN IP
Translated Dest: Address Object-LAN IP
Original Service: FTP Services (21,20)
Translated Service: Original
Inbound: Any
Outbound: Any


Once you have this configured, from the FTP server go to canyouseeme.org and test your open ports 20 and 21.

Please keep in mind FTP is tricky because it uses passive/active connections, so depending on your FTP server you will need to adjust your client in order for it to make a successful inbound/outbound connection.

The best test is to use http://net2ftp.com and test it there, as it will automatically test both passive/active. This is a public service, so I advise using an account with limited access.
0
 
fluk3dCommented:
Oh, sorry, I forgot to add: under the firewall rules please make sure the following rules are set up

WAN -> LAN

Service: Your FTP services group
Source: Any
Destination: Address-Object WAN IP
Users allowed: All
Schedule: Always on

Also, when making an FTP connection, look at the firewall log file and see if the firewall is dropping packets. You can use the filter by placing your private IP/public IP so you can focus on that connection rather than everything zipping through the log file.
1
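Filtering the firewall log by address, as fluk3d describes, is quick in the GUI but just as easy to script once the log is exported as syslog. The following is an added example (not from SonicWall or from anyone in this thread): it parses constructed key=value lines written in the style SonicOS syslog output uses (the exact field names and message texts on a real unit are an assumption here), keeps only the events that involve one address on an FTP port, and counts how many the firewall dropped versus passed.

```python
"""Filter SonicWall-style firewall log lines down to one FTP connection attempt.

Added example for this thread, not code from SonicWall or any poster. The log
lines are constructed in the key=value style that SonicOS syslog messages use;
the exact field names and message texts on a real unit may differ, so treat
the format as an assumption and adjust FIELD_RE/ENDPOINT_RE if yours differ.
"""
import re
from typing import Dict, List, Sequence

# Constructed sample log: a drop at the WAN interface, an allowed session to the
# server, that session closing, and an unrelated UDP drop like the one in the
# thread. Whether dst shows the public or the translated address is unit-specific.
SAMPLE_LOG = """\
id=firewall sn=SERIAL time="2010-11-22 10:01:05" fw=203.0.113.10 pri=1 c=32 m=36 msg="TCP connection dropped" src=198.51.100.7:49152:X1 dst=203.0.113.10:21:X1 proto=tcp/ftp
id=firewall sn=SERIAL time="2010-11-22 10:01:09" fw=203.0.113.10 pri=6 c=262144 m=98 msg="Connection Opened" src=198.51.100.7:49153:X1 dst=192.168.1.50:21:X0 proto=tcp/ftp
id=firewall sn=SERIAL time="2010-11-22 10:01:30" fw=203.0.113.10 pri=6 c=1024 m=537 msg="Connection Closed" src=198.51.100.7:49153:X1 dst=192.168.1.50:21:X0 proto=tcp/ftp
id=firewall sn=SERIAL time="2010-11-22 10:02:01" fw=203.0.113.10 pri=1 c=32 m=36 msg="UDP packet dropped" src=192.0.2.99:53:X1 dst=203.0.113.10:21331:X1 proto=udp
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ENDPOINT_RE = re.compile(r"^([0-9.]+):(\d+)(?::(\w+))?$")


def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict.

    Quoted values lose their quotes, and the src/dst fields (ip:port:interface)
    are additionally split into *_ip, *_port and *_if keys for filtering."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    for side in ("src", "dst"):
        m = ENDPOINT_RE.match(fields.get(side, ""))
        if m:
            fields[side + "_ip"] = m.group(1)
            fields[side + "_port"] = int(m.group(2))
            fields[side + "_if"] = m.group(3) or ""
    return fields


def filter_ftp_events(log_text: str, ip: str, ports: Sequence[int] = (20, 21)) -> List[dict]:
    """Keep events that involve `ip` (as source or destination) on an FTP port.

    Each returned event gains a 'verdict' key: 'dropped' when the firewall's
    message says so, otherwise 'passed' (opened or closed normally)."""
    events = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ip not in (ev.get("src_ip"), ev.get("dst_ip")):
            continue
        if ev.get("dst_port") not in ports:
            continue
        ev["verdict"] = "dropped" if "dropped" in ev.get("msg", "").lower() else "passed"
        events.append(ev)
    return events


def summarize(events: List[dict]) -> Dict[str, int]:
    """Count drops versus passed events, the figure you want at a glance."""
    counts = {"dropped": 0, "passed": 0}
    for ev in events:
        counts[ev["verdict"]] += 1
    return counts


if __name__ == "__main__":
    for ip in ("198.51.100.7", "192.168.1.50"):
        evs = filter_ftp_events(SAMPLE_LOG, ip)
        print(ip, summarize(evs))
        for ev in evs:
            print(f"  {ev['time']} {ev['src']} -> {ev['dst']} {ev['verdict']}: {ev['msg']}")
```

Run it against an exported log with the outside client's address first, then the server's internal address: if the client's attempts never appear as port-21 events at all while the client still gets a TCP connection, the log is not showing the session the rule engine handled, which is exactly the situation where a packet capture is the next step.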
 
fluk3dCommented:
First and foremost, ensure your FTP server is working internally before making it publicly available. Can you use an FTP client, or DOS ftp, and FTP into the host internally?
0
 
digitapCommented:
Here are some steps in a KB for setting up the ports with some troubleshooting tips.  however, fluk3d has some very nice steps above that should work for you.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7508
0
 
IthizarAuthor Commented:
Thanks for the advice!

I tried all of the steps outlined by fluk3d, but unfortunately with no change. I also tested the FTP server by connecting from an internal IP address, and the connection worked fine.

Lastly, I looked at the firewall log, and filtered by the outside IP address I am trying to connect with. There was only one entry for that IP address, a single notice that a UDP packet had been dropped on port 21331. But I have made many, many attempts to connect from the IP address, and that was the one and only error. Nothing consistent. Also, I tried filtering by the internal IP address of the receiving server, and there were no logged events at all.

Unfortunately, I am still having the same problem.
0
 
IthizarAuthor Commented:
I should also mention that I tested ports 20 and 21 with canyouseeme.org, and both reported as open. But there should be nothing at the server level that is filtering out traffic on those ports, and the FTP server software is reporting no incoming connection attempts. So it still seems like traffic is not making it to the server.
0
 
IthizarAuthor Commented:
Here's a further oddity: If I connect using telnet as a test (telnet xxx.xxx.xxx.xxx 21) from the internal network, I get connected and get the FTP server's welcome message. If I try that same thing from an outside IP address, I -do- get connected. However, I am presented with a blank screen and any commands I attempt to enter are not responded to. I am not sure what I could possibly be connecting to in that case.
0
 
IthizarAuthor Commented:
This is getting frustrating. :) I did as you suggested and deleted all the access rules, NAT policies and address objects that I had created as part of this attempt. I then ran the Public Server Wizard for the FTP server. It said everything was created successfully, but the result is the same.

I suppose this could be an issue not with the firewall, but with the server itself or something in between, but I just can't think of where that would be. There is no firewall software running on the server and the FTP server console is not showing any incoming connection attempts.
0
 
IthizarAuthor Commented:
Interesting. I tried using the wizard to point to an FTP server on a different machine. And it did exactly the same thing. So then I just tried deleting ALL the access and NAT rules that had been created and having no access rule to allow FTP connections. And it -still- did the same thing. You can still connect to the external IP and it will say it connects. And if you connect via Telnet, it doesn't refuse the connection. It connects, but just has a blank screen. It's as though the SonicWall itself is intercepting and responding to the FTP connections. But that's not possible, is it?
0
 
digitapCommented:
what version of firmware are you running on your 210?
0
 
getzjdCommented:
Run the public server wizard; also keep in mind that you will need additional ports opened for the PASV command. What is your FTP server?
0
 
fluk3dCommented:
Try upgrading the firmware as digitap is going to suggest, or start a packet capture; it will give you some insight on what is happening. Also, is the gateway of the FTP server the SonicWall LAN IP?
0
 
getzjdCommented:
Most FTP server software will allow you to specify PASV ports.

Here is a clip from the Serv-u page

Configuring The Passive Port Range
If UPnP is not available on your network device, you will have to manually configure Serv-U and your device to work with a known passive port range. When configuring a router on the network, the correct port ranges must be forwarded through the router to the computer that Serv-U is installed on. By default, Serv-U uses the standard FTP port number of 21, but any port can be specified as long as that port is not in use by another application on the computer. Additionally, the PASV port range (typically 50000-50004) must be forwarded to the server. With these ports being forwarded in your router, and any firewalls configured to allow FTP traffic through, clients will be able to connect to the server and transfer data.

Our Online Knowledge Base contains many articles targeted at ensuring Serv-U is properly configured in this environment. Below are links to some popular articles that assist in configuring typical home routers. The principles used in these articles can be applied to assist in configuring some of the more complex corporate level routers. Additional articles explain how to configure the PASV port range in Serv-U and how to add Serv-U as an approved application in the Windows Firewall.

Configuring a PASV port range with Serv-U:
http://www.RhinoSoft.com/Knowledgebase/KBArticle.asp?RefNo=1044

LinkSys router:
http://www.RhinoSoft.com/Knowledgebase/KBArticle.asp?RefNo=1689

D-Link router:
http://www.RhinoSoft.com/Knowledgebase/KBArticle.asp?RefNo=1688

NetGear router:
http://www.RhinoSoft.com/Knowledgebase/KBArticle.asp?RefNo=1690

Configuring the Windows Firewall:
http://www.RhinoSoft.com/Knowledgebase/KBArticle.asp?RefNo=1384

0
 
digitapCommented:
did you review the KB i included above?  it indicates ports 20/21 for FTP.
0
 
IthizarAuthor Commented:
Firmware version is SonicOS Enhanced 5.1.3.1-32o.

Yes, the gateway IP address of the FTP server is the firewall's LAN interface IP.

I'm afraid I'm not familiar enough with the packet capture feature to make heads or tails of what it's telling me.
0
 
IthizarAuthor Commented:
Also, I am doing all this testing with the Windows command-line FTP client which, at least according to my understanding, is active-only and does not support passive connections. Therefore, unless I'm mistaken, passive ports would not be an issue here.
0
 
IthizarAuthor Commented:
Is there any way to just make a connection attempt and then see exactly how the firewall dealt with that connection attempt? I am assuming packet capture can manage this for me, but so far I have been unable to sort out how to use that effectively. Thanks.
0
 
fluk3dCommented:
I'm on my phone right now; however, there should be a KB showing you how a packet capture works. It will show you exactly what is happening with the TCP connection. You can also try calling SonicWall support; they might have some insight.
0
 
getzjdCommented:
have you looked at the Sonicwall logs to see what, if anything, is being blocked?
0
 
digitapCommented:
look at the following KB...it's awful, but it has a little information.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6003
0
 
rjwesleyCommented:
When you ran the public wizard, did you use the default FTP service? If so, you can try creating a new FTP service such as CompanyFTP, using the port range 20 - 21.

Choose Public Server Wizard > Next > Change Server Type to OTHER > Change --Select a service-- to Create New Service

Name: CompanyNameFTP -> IP Type TCP(6) > Port Range 20 - 21 > Click Ok (sorry can't go through the rest of the wizard on my sonic box).

Rob
0
 
digitapCommented:
the instructions i posted indicate using ports 20 and 21 which i emphasized here, http:#a34201697.
0
 
fluk3dCommented:
Based on your responses it appears all your rules/nat policies/address objects are correct. The underlying problem is either the server or the firewall itself.

If you have some downtime scheduled I would perform a full wipe of the unit (restore to factory) and reconfigure it using the public server wizard.

Also, if you were able to figure out how to run a packet capture, it would tell us if the firewall is forwarding/dropping the TCP packet or not. If you can, save the pcap file here and we can look at it and give you some more insight into the problem.

0
 
digitapCommented:
here are steps to capture syslog data:

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5106


you can also use the packet monitor.  go to System > Packet Monitor.  Then, click the Configure button.  click the monitor filter tab.  in the interface section, type x1.  in the source IP type the source public IP address you want to monitor for.  you can add other IPs in here whether source or destination that you want to monitor.

click OK and click the Start Capture button.  you'll need to click the refresh button to get the data to appear in the little window below.  start your FTP session and see what appears.
0
 
digitapCommented:
so, what did your final solution look like?
0
 
IthizarAuthor Commented:
Well, it's rather embarrassing, really. :) Apparently, when you suggested that I clear all the rules and run the Public Server Wizard, that actually worked. But, unfortunately, the computer I was testing from had, unbeknownst to me, a problem of its own that was preventing it from making a successful FTP connection. Once I tried it from another computer, it worked. So the Public Server Wizard and its standard FTP configuration was, in fact, the solution!

Thanks for the help, and sorry for the confusion!
0
 
digitapCommented:
no worries.  we all have our moments.  i'm just glad it's working and thanks for the extra clarification....and the points!
0
 
Gustavo ReguerinCommented:
fluk3d's comment had a little mistake; the correct rule is:

WAN -> LAN

Service: Your FTP services group
Source: Any
Destination: "Address-Object LAN IP" .... not Address-Object WAN IP
Users allowed: All
Schedule: Always on
0