Solved

SonicWall Configuration to Allow FTP Server

Posted on 2010-11-23
31
7,179 Views
1 Endorsement
Last Modified: 2016-08-30
Hi folks!

Our organization has a SonicWall TZ-210 unit that acts as the firewall and router for our entire network, sitting between our ISP connection and our internal network. I am trying to set up an FTP server and configure the SonicWall to allow outside access to it, but am having problems.

So far, under the Network -> NAT Settings option, I have added a NAT policy with the following settings:

Original Source: Any
Translated Source: Original
Original Destination: WAN Interface IP
Translated Destination: [name of our server]
Original Service: FTP (All)
Translated Service: Original
Inbound Interface: Any
Outbound Interface: Any

Under Firewall -> Access rules, in the WAN to LAN zone, I have created a rule with the following settings:

Source: Any
Destination: Any
Service: FTP (All)
Action: Allow
Users: All

Under Firewall -> Services, I have made sure that FTP (All) is configured as a group that includes the following individual services:

FTP (port 21)
FTP Control (port 21)
FTP Data (port 20)

Finally, under Network -> Address Objects, I have configured an object with the following settings:

Name: [our server name]
Zone Assignment: LAN
Type: Host
IP Address: [our internal IP address for the server]

With these settings in place, however, I cannot access the FTP server from the outside. When I use a simple command-line FTP client and connect to our IP address, it says it has established a connection, but then it hangs for a moment and then says "Connection closed by foreign host." When I check the FTP server's monitor window, I see no connection attempts, error messages, or other indications that the traffic has made it through to the server. So I must assume something is getting dropped at the firewall.

Any suggestions would be most appreciated.

Thanks,
Ithizar
Question by:Ithizar
31 Comments
 
LVL 8

Expert Comment

by:rjwesley
ID: 34200097
I use a 2040 Sonicwall product - had problems using the default config for FTP - I ran the Public Server wizard for FTP- did you happen to configure FTP access this way?

Restarting IIS and/or the firewall device may help.

Rob
0
 

Author Comment

by:Ithizar
ID: 34200621
No, I didn't configure access through Public Server Wizard. I configured the rules manually.
0
 
LVL 6

Assisted Solution

by:fluk3d
fluk3d earned 250 total points
ID: 34200827

Here is how I configure all SonicWALL devices

You will need 3 NAT policies

1st policy - loopback

Original Source: X0/Firewalled Subnets
Translated Source: Address Object-WAN IP
Original Dest: Address Object-WAN IP
Translated Dest: Address Object-LAN IP
Original Service: FTP Services (21,20)
Translated Service: Original
Inbound: Any
Outbound: Any

2nd policy - outbound

Original Source: Address Object-LAN IP
Translated Source: Address Object-WAN IP
Original Dest: Any
Translated Dest:Original
Original Service: FTP Services (21,20)
Translated Service: Original
Inbound: Any
Outbound: WAN


3rd policy - inbound

Original Source: Any
Translated Source: Original
Original Dest: Address Object-WAN IP
Translated Dest:Address Object-LAN IP
Original Service: FTP Services (21,20)
Translated Service: Original
Inbound: Any
Outbound: Any


Once you have this configured, from the FTP server go to canyouseeme.org and test that ports 20 and 21 are open.

Please keep in mind FTP is tricky because it uses passive/active connections, so depending on your FTP server you will need to adjust your client in order for it to make a successful inbound/outbound connection.

The best test is to use http://net2ftp.com and test it there as it will automatically test both passive/active. This is a public service so I advise to use an account with limited access.
0
 
LVL 6

Expert Comment

by:fluk3d
ID: 34200845
Oh sorry, I forgot to add: under the firewall rules, please make sure the following rules are set up

WAN -> LAN

Service: Your FTP services group
Source: Any
Destination: Address-Object WAN IP
Users allowed: All
Sche. : Always on

Also, when making an FTP connection, look at the firewall log file and see if the firewall is dropping packets. You can use the filter by entering your private IP/public IP so you can focus on that connection rather than everything zipping through the log file.
1
 
LVL 6

Expert Comment

by:fluk3d
ID: 34200856
First and foremost, ensure your FTP server is working internally before making it publicly available. Can you use an FTP client, or dos/ftp, and FTP into the host internally?
0
 
LVL 33

Expert Comment

by:digitap
ID: 34200867
Here are some steps in a KB for setting up the ports, with some troubleshooting tips. However, fluk3d has some very nice steps above that should work for you.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7508
0
 

Author Comment

by:Ithizar
ID: 34201177
Thanks for the advice!

I tried all of the steps outlined by fluk3d, but unfortunately with no change. I also tested the FTP server by connecting from an internal IP address, and the connection worked fine.

Lastly, I looked at the firewall log and filtered by the outside IP address I am trying to connect with. There was only one entry for that IP address, a single notice that a UDP packet had been dropped on port 21331. But I have made many, many attempts to connect from that IP address, and that was the one and only error. Nothing consistent. Also, I tried filtering by the internal IP address of the receiving server, and there were no logged events at all.

Unfortunately, I am still having the same problem.
0
 

Author Comment

by:Ithizar
ID: 34201185
I should also mention that I tested ports 20 and 21 with canyouseeme.org, and both reported as open. But there should be nothing at the server level that is filtering out traffic on those ports, and the FTP server software is reporting no incoming connection attempts. So it still seems like traffic is not making it to the server.
0
 

Author Comment

by:Ithizar
ID: 34201263
Here's a further oddity: If I connect using telnet as a test (telnet xxx.xxx.xxx.xxx 21) from the internal network, I get connected and get the FTP server's welcome message. If I try that same thing from an outside IP address, I -do- get connected. However, I am presented with a blank screen and any commands I attempt to enter are not responded to. I am not sure what I could possibly be connecting to in that case.
0
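The telnet test above separates two things a port checker such as canyouseeme.org lumps together: a TCP handshake that completes, and an FTP service that actually answers with its 220 greeting. The probe below, added here as an example and not code from the thread or from SonicWall, reports which of those happened, and also recognises the "Connection closed by foreign host" case from the original question. The local listener in the block is a constructed stand-in used to exercise the probe offline; it is not an FTP server, and the host and port values in the demo are placeholders.

```python
"""Probe TCP/21 and report what answered: a real FTP greeting, an open port
that stays silent (blank telnet screen), or a peer that hangs up at once.
Added example; the fake listener is constructed for offline testing only."""
import socket
import sys
import threading
from typing import Optional


def probe_ftp_banner(host: str, port: int = 21, timeout: float = 3.0) -> str:
    """Connect and wait for the 220 greeting an FTP server must send first.

    Returns one of:
      'banner:<first line>'  FTP (or something speaking FTP) answered
      'silent'               TCP open but no greeting within timeout
      'closed'               peer closed the connection without a greeting
      'refused'              RST on connect (nothing listening / rejected)
      'timeout'              no SYN/ACK at all (dropped somewhere)
      'error:<errno>'        any other socket error
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                data = s.recv(1024)
            except socket.timeout:
                return "silent"
            if not data:
                return "closed"
            first = data.decode("ascii", "replace").splitlines()[0].strip()
            return f"banner:{first}"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as e:
        return f"error:{e.errno}"


def start_fake_listener(banner: Optional[bytes] = None,
                        close_immediately: bool = False) -> int:
    """Constructed test peer on 127.0.0.1 (OS-chosen port), one connection.

    banner=b'220 ...'            answer like an FTP server, then close
    banner=None (default)        accept and say nothing until the client quits
    close_immediately=True       accept and hang up straight away
    Returns the port the listener is bound to.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(10)

    def serve() -> None:
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            return
        finally:
            srv.close()  # one connection only; the accepted socket lives on
        with conn:
            conn.settimeout(10)
            if banner:
                conn.sendall(banner)
            elif not close_immediately:
                try:
                    conn.recv(1)  # block until the probe gives up and closes
                except OSError:
                    pass
            # close_immediately: leaving the 'with' sends FIN without a greeting

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Usage: python probe.py <host> [port]; host/port here are placeholders.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    tport = int(sys.argv[2]) if len(sys.argv) > 2 else 21
    print(probe_ftp_banner(target, tport))
```

Run it once from inside the LAN against the server's private address and once from outside against the WAN address; 'banner' on the inside and 'silent' or 'closed' on the outside is the signature of a publishing rule (or something in between) that accepts the session but never gets the FTP server involved, which is exactly what the firewall log had no record of here.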
 
LVL 33

Accepted Solution

by:digitap
digitap earned 250 total points
ID: 34201307
You're not getting routed properly back out. What I'd recommend is deleting your firewall access rules, NAT policies and address objects thus far. Run the Public Server Wizard. Then, see how you fare.
0
 

Author Comment

by:Ithizar
ID: 34201520
This is getting frustrating. :) I did as you suggested and deleted all the access rules, NAT policies and address objects that I had created as part of this attempt. I then ran the Public Server Wizard for the FTP server. It said everything was created successfully, but the result is the same.

I suppose this could be an issue not with the firewall, but with the server itself or something in between, but I just can't think of where that would be. There is no firewall software running on the server and the FTP server console is not showing any incoming connection attempts.
0
 

Author Comment

by:Ithizar
ID: 34201582
Interesting. I tried using the wizard to point to an FTP server on a different machine. And it did exactly the same thing. So then I just tried deleting ALL the access and NAT rules that had been created and having no access rule to allow FTP connections. And it -still- did the same thing. You can still connect to the external IP and it will say it connects. And if you connect via Telnet, it doesn't refuse the connection. It connects, but just has a blank screen. It's as though the SonicWall itself is intercepting and responding to the FTP connections. But that's not possible, is it?
0
 
LVL 33

Expert Comment

by:digitap
ID: 34201592
What version of firmware are you running on your 210?
0
 
LVL 15

Expert Comment

by:getzjd
ID: 34201644
Run the Public Server Wizard; also keep in mind that you will need additional ports opened for the PASV command. What is your FTP server?
0
 
LVL 6

Expert Comment

by:fluk3d
ID: 34201648
Try upgrading the firmware, as digitap is going to suggest, or start a packet capture; it will give you some insight into what is happening. Also, is the gateway of the FTP server the SonicWall LAN IP?
0
 
LVL 15

Expert Comment

by:getzjd
ID: 34201666
Most FTP server software will allow you to specify pasv ports

Here is a clip from the Serv-u page

Configuring The Passive Port Range
If UPnP is not available on your network device, you will have to manually configure Serv-U and your device to work with a known passive port range. When configuring a router on the network, the correct port ranges must be forwarded through the router to the computer that Serv-U is installed on. By default, Serv-U uses the standard FTP port number of 21, but any port can be specified as long as that port is not in use by another application on the computer. Additionally, the PASV port range (typically 50000-50004) must be forwarded to the server. With these ports being forwarded in your router, and any firewalls configured to allow FTP traffic through, clients will be able to connect to the server and transfer data.

Our Online Knowledge Base contains many articles targeted at ensuring Serv-U is properly configured in this environment. Below are links to some popular articles that assist in configuring typical home routers. The principles used in these articles can be applied to assist in configuring some of the more complex corporate level routers. Additional articles explain how to configure the PASV port range in Serv-U and how to add Serv-U as an approved application in the Windows Firewall.

Configuring a PASV port range with Serv-U:
http://www.RhinoSoft.com/Knowledgebase/KBArticle.asp?RefNo=1044

LinkSys router:
http://www.RhinoSoft.com/Knowledgebase/KBArticle.asp?RefNo=1689

D-Link router:
http://www.RhinoSoft.com/Knowledgebase/KBArticle.asp?RefNo=1688

NetGear router:
http://www.RhinoSoft.com/Knowledgebase/KBArticle.asp?RefNo=1690

Configuring the Windows Firewall:
http://www.RhinoSoft.com/Knowledgebase/KBArticle.asp?RefNo=1384

0
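Both fluk3d's warning that FTP is "tricky because of passive/active connections" and the Serv-U clip above come down to the same protocol detail: port 21 only carries commands, and the data connection is negotiated per transfer. In passive mode the server sends a 227 reply naming an address and a port, and the client connects to that port, so the firewall has to publish the whole PASV range, not just 20 and 21. In active mode the client sends a PORT command and the server connects back from port 20. The helper below, added here as an example and not code from the thread or from Serv-U, decodes both messages and audits a 227 reply against a forwarded range; the 50000-50004 range is the Serv-U default quoted above, and the addresses in the demo are constructed.

```python
"""Which extra ports an FTP publishing rule must cover, worked through the
protocol messages (RFC 959 PORT / PASV). Added example; not code from the
thread, SonicWall or Serv-U. Sample addresses and replies are constructed."""
import re
from ipaddress import IPv4Address
from typing import Dict, Tuple

# Assumed passive range: the Serv-U default quoted in the thread.
PASV_RANGE = (50000, 50004)

_PASV_RE = re.compile(
    r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'.

    The server is telling the client where to open the *data* connection:
    address h1.h2.h3.h4, port p1*256 + p2. That port, not 20, is what the
    firewall must forward inbound in passive mode, on top of 21.
    """
    if not reply.startswith("227"):
        raise ValueError(f"not a 227 reply: {reply!r}")
    m = _PASV_RE.search(reply)
    if not m:
        raise ValueError(f"no (h1,h2,h3,h4,p1,p2) tuple in: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet or port byte out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def build_port_command(client_ip: str, client_port: int) -> str:
    """Active mode: the client advertises where the server should connect back.

    The server then dials out from port 20 to this address, so the publishing
    rule needs 21 inbound and 20 outbound; this is why a client that is
    active-only (the Windows command-line ftp) never touches the PASV range.
    """
    if not 0 < client_port < 65536:
        raise ValueError("port out of range")
    octets = str(IPv4Address(client_ip)).split(".")
    return f"PORT {','.join(octets)},{client_port // 256},{client_port % 256}"


def check_passive_reply(reply: str, control_ip: str,
                        pasv_range: Tuple[int, int] = PASV_RANGE) -> Dict[str, object]:
    """Audit a 227 reply against what the firewall publishes.

    Two things go wrong behind NAT: the advertised port is outside the
    forwarded range (the data connection is dropped at the firewall), or the
    server advertises its private LAN address instead of the public one.
    Well-behaved clients fall back to the control connection's address in the
    second case; 'connect_to' is the address such a client would use.
    """
    ip, port = parse_pasv_reply(reply)
    lo, hi = pasv_range
    advertised = IPv4Address(ip)
    return {
        "data_ip": ip,
        "data_port": port,
        "port_forwarded": lo <= port <= hi,
        "advertised_private_ip": advertised.is_private,
        "connect_to": control_ip if advertised.is_private else ip,
    }


if __name__ == "__main__":
    # Constructed exchange: a server behind NAT leaking its LAN address.
    print(check_passive_reply(
        "227 Entering Passive Mode (192,168,1,10,195,80).", "203.0.113.5"))
    print(build_port_command("198.51.100.7", 5001))
```

Reading the 227 reply off a packet capture on the WAN interface is the quickest way to tell whether a "connects but transfers hang" symptom is a missing PASV-range rule or a private address leaking into the reply.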
 
LVL 33

Expert Comment

by:digitap
ID: 34201697
Did you review the KB I included above? It indicates ports 20/21 for FTP.
0
 

Author Comment

by:Ithizar
ID: 34201720
Firmware version is SonicOS Enhanced 5.1.3.1-32o.

Yes, the gateway IP address of the FTP server is the firewall's LAN interface IP.

I'm afraid I'm not familiar enough with the packet capture feature to make heads or tails of what it's telling me.
0
 

Author Comment

by:Ithizar
ID: 34201727
Also, I am doing all this testing with the Windows command-line FTP client which, at least according to my understanding, is active-only and does not support passive connections. Therefore, unless I'm mistaken, passive ports would not be an issue here.
0
 

Author Comment

by:Ithizar
ID: 34201744
Is there any way to just make a connection attempt and then see exactly how the firewall dealt with that connection attempt? I am assuming packet capture can manage this for me, but so far I have been unable to sort out how to use that effectively. Thanks.
0
 
LVL 6

Expert Comment

by:fluk3d
ID: 34201773
I'm on my phone right now; however, there should be a KB showing you how a packet capture works. It will show you exactly what is happening with the TCP connection. You can also try calling SonicWall support; they might have some insight.
0
 
LVL 15

Expert Comment

by:getzjd
ID: 34201805
have you looked at the Sonicwall logs to see what, if anything, is being blocked?
0
 
LVL 33

Expert Comment

by:digitap
ID: 34201811
Look at the following KB. It's awful, but it has a little information.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6003
0
 
LVL 8

Expert Comment

by:rjwesley
ID: 34208283
When you ran the Public Server Wizard, did you use the default FTP service? If so, you can try creating a new FTP service such as CompanyFTP, using the port range 20 - 21.

Choose Public Server Wizard > Next > Change Server Type to OTHER > Change --Select a service-- to Create New Service

Name: CompanyNameFTP -> IP Type TCP(6) > Port Range 20 - 21 > Click Ok (sorry can't go through the rest of the wizard on my sonic box).

Rob
0
 
LVL 33

Expert Comment

by:digitap
ID: 34208296
The instructions I posted indicate using ports 20 and 21, which I emphasized here: http:#a34201697.
0
 
LVL 6

Expert Comment

by:fluk3d
ID: 34208674
Based on your responses it appears all your rules/nat policies/address objects are correct. The underlying problem is either the server or the firewall itself.

If you have some downtime scheduled, I would perform a full wipe of the unit (restore to factory) and reconfigure it using the Public Server Wizard.

Also, if you were able to figure out how to run a packet capture, it would tell us whether the firewall is forwarding or dropping the TCP packet. If you can, save the pcap file here and we can look at it and give you some more insight into the problem.

0
 
LVL 33

Expert Comment

by:digitap
ID: 34208944
Here are steps to capture syslog data:

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5106


You can also use the Packet Monitor. Go to System > Packet Monitor. Then, click the Configure button. Click the Monitor Filter tab. In the interface section, type X1. In the source IP, type the source public IP address you want to monitor for. You can add other IPs in here, whether source or destination, that you want to monitor.

Click OK and click the Start Capture button. You'll need to click the Refresh button to get the data to appear in the little window below. Start your FTP session and see what appears.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34239999
So, what did your final solution look like?
0
 

Author Comment

by:Ithizar
ID: 34244224
Well, it's rather embarrassing, really. :) Apparently, when you suggested that I clear all the rules and run the Public Server Wizard, that actually worked. But, unfortunately, the computer I was testing from had, unbeknownst to me, a problem of its own that was preventing it from making a successful FTP connection. Once I tried it from another computer, it worked. So the Public Server Wizard and its standard FTP configuration was, in fact, the solution!

Thanks for the help, and sorry for the confusion!
0
 
LVL 33

Expert Comment

by:digitap
ID: 34245016
No worries. We all have our moments. I'm just glad it's working, and thanks for the extra clarification... and the points!
0
 

Expert Comment

by:Gustavo Reguerin
ID: 41776381
fluk3d's comment had a little mistake; the correct rule is:

WAN -> LAN

Service: Your FTP services group
Source: Any
Destination: "Address-Object LAN IP" .... not Address-Object WAN IP
Users allowed: All
Sche. : Always on
0
