Solved

SonicWall Configuration to Allow FTP Server

Posted on 2010-11-23
Last Modified: 2016-08-30
Hi folks!

Our organization has a SonicWall TZ-210 unit that acts as the firewall and router for our entire network, sitting between our ISP connection and our internal network. I am trying to set up an FTP server and configure the SonicWall to allow outside access to it, but am having problems.

So far, under the Network -> NAT Settings option, I have added a NAT policy with the following settings:

Original Source: Any
Translated Source: Original
Original Destination: WAN Interface IP
Translated Destination: [name of our server]
Original Service: FTP (All)
Translated Service: Original
Inbound Interface: Any
Outbound Interface: Any

Under Firewall -> Access rules, in the WAN to LAN zone, I have created a rule with the following settings:

Source: Any
Destination: Any
Service: FTP (All)
Action: Allow
Users: All

Under Firewall -> Services, I have made sure that FTP (All) is configured as a group that includes the following individual services:

FTP (port 21)
FTP Control (port 21)
FTP Data (port 20)

Finally, under Network -> Address Objects, I have configured an object with the following settings:

Name: [our server name]
Zone Assignment: LAN
Type: Host
IP Address: [our internal IP address for the server]

With these settings in place, however, I cannot access the FTP server from the outside. When I use a simple command-line FTP client and connect to our IP address, it says it has established a connection, but then it hangs for a moment and then says "Connection closed by foreign host." When I check the FTP server's monitor window, I see no connection attempts, error messages, or other indications that the traffic has made it through to the server. So I must assume something is getting dropped at the firewall.

Any suggestions would be most appreciated.

Thanks,
Ithizar
Question by:Ithizar
31 Comments
 
LVL 8

Expert Comment

by:rjwesley
ID: 34200097
I use a 2040 SonicWall product - had problems using the default config for FTP - I ran the Public Server Wizard for FTP - did you happen to configure FTP access this way?

Restarting IIS and/or the firewall device may help.

Rob
0
 

Author Comment

by:Ithizar
ID: 34200621
No, I didn't configure access through Public Server Wizard. I configured the rules manually.
0
 
LVL 6

Assisted Solution

by:fluk3d
fluk3d earned 1000 total points
ID: 34200827

Here is how I configure all SonicWALL devices

You will need 3 NAT policies

1st policy - loopback

Original Source: X0/Firewalled Subnets
Translated Source: Address Object-WAN IP
Original Dest: Address Object-WAN IP
Translated Dest: Address Object-LAN IP
Original Service: FTP Services (21,20)
Translated Service: Original
Inbound: Any
Outbound: Any

2nd policy - outbound

Original Source: Address Object-LAN IP
Translated Source: Address Object-WAN IP
Original Dest: Any
Translated Dest: Original
Original Service: FTP Services (21,20)
Translated Service: Original
Inbound: Any
Outbound: WAN


3rd policy - inbound

Original Source: Any
Translated Source: Original
Original Dest: Address Object-WAN IP
Translated Dest: Address Object-LAN IP
Original Service: FTP Services (21,20)
Translated Service: Original
Inbound: Any
Outbound: Any


Once you have this configured, from the FTP server go to canyouseeme.org and test that ports 20 and 21 are open.

Please keep in mind FTP is tricky because it uses passive/active connections, so depending on your FTP server you will need to adjust your client in order for it to make a successful inbound/outbound connection.

The best test is to use http://net2ftp.com and test it there, as it will automatically test both passive/active. This is a public service, so I advise using an account with limited access.
0
 
LVL 6

Expert Comment

by:fluk3d
ID: 34200845
Oh sorry, I forgot to add: under the firewall rules please make sure the following rules are set up.

WAN -> LAN

Service: Your FTP services group
Source: Any
Destination: Address-Object WAN IP
Users allowed: All
Sche. : Always on

Also, when making an FTP connection, look at the firewall log file and see if the firewall is dropping packets. You can use the filter by entering your private IP/public IP so you can focus on that connection rather than everything zipping through the log file.
1
 
LVL 6

Expert Comment

by:fluk3d
ID: 34200856
First and foremost, ensure your FTP server is working internally before making it publicly available. Can you use an FTP client, or DOS/ftp, and FTP into the host internally?
0
 
LVL 33

Expert Comment

by:digitap
ID: 34200867
Here are some steps in a KB for setting up the ports with some troubleshooting tips. However, fluk3d has some very nice steps above that should work for you.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7508
0
 

Author Comment

by:Ithizar
ID: 34201177
Thanks for the advice!

I tried all of the steps outlined by fluk3d, but unfortunately with no change. I also tested the FTP server by connecting from an internal IP address, and the connection worked fine.

Lastly, I looked at the firewall log, and filtered by the outside IP address I am trying to connect with. There was only one entry for that IP address, a single notice that a UDP packet had been dropped on port 21331. But I have made many, many attempts to connect from the IP address, and that was the one and only error. Nothing consistent. Also, I tried filtering by the internal IP address of the receiving server, and there were no logged events at all.

Unfortunately, I am still having the same problem.
0
 

Author Comment

by:Ithizar
ID: 34201185
I should also mention that I tested ports 20 and 21 with canyouseeme.org, and both reported as open. But there should be nothing at the server level that is filtering out traffic on those ports, and the FTP server software is reporting no incoming connection attempts. So it still seems like traffic is not making it to the server.
0
 

Author Comment

by:Ithizar
ID: 34201263
Here's a further oddity: If I connect using telnet as a test (telnet xxx.xxx.xxx.xxx 21) from the internal network, I get connected and get the FTP server's welcome message. If I try that same thing from an outside IP address, I -do- get connected. However, I am presented with a blank screen and any commands I attempt to enter are not responded to. I am not sure what I could possibly be connecting to in that case.
0
 
LVL 33

Accepted Solution

by:digitap
digitap earned 1000 total points
ID: 34201307
You're not getting routed properly back out. What I'd recommend is deleting your firewall access rules, NAT policies and address objects thus far. Run the Public Server Wizard. Then, see how you fare.
0
 

Author Comment

by:Ithizar
ID: 34201520
This is getting frustrating. :) I did as you suggested and deleted all the access rules, NAT policies and address objects that I had created as part of this attempt. I then ran the Public Server Wizard for the FTP server. It said everything was created successfully, but the result is the same.

I suppose this could be an issue not with the firewall, but with the server itself or something in between, but I just can't think of where that would be. There is no firewall software running on the server and the FTP server console is not showing any incoming connection attempts.
0
 

Author Comment

by:Ithizar
ID: 34201582
Interesting. I tried using the wizard to point to an FTP server on a different machine. And it did exactly the same thing. So then I just tried deleting ALL the access and NAT rules that had been created and having no access rule to allow FTP connections. And it -still- did the same thing. You can still connect to the external IP and it will say it connects. And if you connect via Telnet, it doesn't refuse the connection. It connects, but just has a blank screen. It's as though the SonicWall itself is intercepting and responding to the FTP connections. But that's not possible, is it?
0
 
LVL 33

Expert Comment

by:digitap
ID: 34201592
what version of firmware are you running on your 210?
0
 
LVL 15

Expert Comment

by:getzjd
ID: 34201644
Run the Public Server Wizard; also keep in mind that you will need additional ports opened for the PASV command. What is your FTP server?
0
 
LVL 6

Expert Comment

by:fluk3d
ID: 34201648
Try upgrading the firmware as digitap is going to suggest, or start a packet capture; it will give you some insight on what is happening. Also, is the gateway of the FTP server the SonicWall LAN IP?
0
 
LVL 15

Expert Comment

by:getzjd
ID: 34201666
Most FTP server software will allow you to specify pasv ports

Here is a clip from the Serv-u page

Configuring The Passive Port Range
If UPnP is not available on your network device, you will have to manually configure Serv-U and your device to work with a known passive port range. When configuring a router on the network, the correct port ranges must be forwarded through the router to the computer that Serv-U is installed on. By default, Serv-U uses the standard FTP port number of 21, but any port can be specified as long as the port is not in use by another application on the computer. Additionally, the PASV port range (typically 50000-50004) must be forwarded to the server. With these ports being forwarded in your router, and any firewalls configured to allow FTP traffic through, clients will be able to connect to the server and transfer data.

Our Online Knowledge Base contains many articles targeted at ensuring Serv-U is properly configured in this environment. Below are links to some popular articles that assist in configuring typical home routers. The principles used in these articles can be applied to assist in configuring some of the more complex corporate level routers. Additional articles explain how to configure the PASV port range in Serv-U and how to add Serv-U as an approved application in the Windows Firewall.

Configuring a PASV port range with Serv-U:
http://www.RhinoSoft.com/Knowledgebase/KBArticle.asp?RefNo=1044

LinkSys router:
http://www.RhinoSoft.com/Knowledgebase/KBArticle.asp?RefNo=1689

D-Link router:
http://www.RhinoSoft.com/Knowledgebase/KBArticle.asp?RefNo=1688

NetGear router:
http://www.RhinoSoft.com/Knowledgebase/KBArticle.asp?RefNo=1690

Configuring the Windows Firewall:
http://www.RhinoSoft.com/Knowledgebase/KBArticle.asp?RefNo=1384

0
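As an added example (not code from any poster or from Serv-U), a small Python check that parses an FTP server's PASV (227) reply and reports the two NAT-related mismatches the passive-port discussion above implies: the server advertising its private LAN address instead of the WAN address, and a data port outside the range forwarded through the firewall. The WAN address 203.0.113.5 and the sample replies are constructed placeholders.

```python
import re

# A 227 reply advertises the data-connection endpoint as h1,h2,h3,h4,p1,p2
# where the port is p1*256 + p2.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) advertised by a 227 reply, or None if malformed."""
    m = PASV_RE.search(reply.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        return None
    ip = ".".join(str(v) for v in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def is_rfc1918(ip):
    """True for 10/8, 172.16/12 and 192.168/16 (checked by hand, so that
    documentation ranges such as 203.0.113.0/24 are not misclassified)."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def check_pasv(reply, public_ip, pasv_range):
    """List the reasons a passive data connection to the advertised
    endpoint would fail for an outside client behind this NAT.

    public_ip:  the WAN address clients connect to (placeholder value).
    pasv_range: (low, high) inclusive port range forwarded to the server,
                e.g. (50000, 50004) as in the Serv-U text above.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["reply is not a well-formed 227 PASV response"]
    ip, port = parsed
    problems = []
    if is_rfc1918(ip):
        problems.append(f"server advertised private address {ip}; "
                        f"outside clients need {public_ip}")
    elif ip != public_ip:
        problems.append(f"server advertised {ip}, not the WAN address {public_ip}")
    low, high = pasv_range
    if not low <= port <= high:
        problems.append(f"data port {port} is outside the forwarded range {low}-{high}")
    return problems
```

Run the check on the 227 line a client receives after sending PASV; an empty list means the advertised endpoint is reachable through the forwarded ports.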
 
LVL 33

Expert Comment

by:digitap
ID: 34201697
Did you review the KB I included above? It indicates ports 20/21 for FTP.
0
 

Author Comment

by:Ithizar
ID: 34201720
Firmware version is SonicOS Enhanced 5.1.3.1-32o.

Yes, the gateway IP address of the FTP server is the firewall's LAN interface IP.

I'm afraid I'm not familiar enough with the packet capture feature to make heads or tails of what it's telling me.
0
 

Author Comment

by:Ithizar
ID: 34201727
Also, I am doing all this testing with the Windows command-line FTP client which, at least according to my understanding, is active-only and does not support passive connections. Therefore, unless I'm mistaken, passive ports would not be an issue here.
0
 

Author Comment

by:Ithizar
ID: 34201744
Is there any way to just make a connection attempt and then see exactly how the firewall dealt with that connection attempt? I am assuming packet capture can manage this for me, but so far I have been unable to sort out how to use that effectively. Thanks.
0
 
LVL 6

Expert Comment

by:fluk3d
ID: 34201773
I'm on my phone right now; however, there should be a KB showing you how a packet capture works. It will show you exactly what is happening with the TCP connection. You can also try calling SonicWall support; they might have some insight.
0
 
LVL 15

Expert Comment

by:getzjd
ID: 34201805
Have you looked at the SonicWall logs to see what, if anything, is being blocked?
0
 
LVL 33

Expert Comment

by:digitap
ID: 34201811
Look at the following KB... it's awful, but it has a little information.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6003
0
 
LVL 8

Expert Comment

by:rjwesley
ID: 34208283
When you ran the Public Server Wizard, did you use the default FTP service? If so, you can try creating a new FTP service such as CompanyFTP, using the port range 20 - 21.

Choose Public Server Wizard > Next > Change Server Type to OTHER > Change --Select a service-- to Create New Service

Name: CompanyNameFTP -> IP Type TCP(6) > Port Range 20 - 21 > Click Ok (sorry can't go through the rest of the wizard on my sonic box).

Rob
0
 
LVL 33

Expert Comment

by:digitap
ID: 34208296
The instructions I posted indicate using ports 20 and 21, which I emphasized here: http:#a34201697.
0
 
LVL 6

Expert Comment

by:fluk3d
ID: 34208674
Based on your responses it appears all your rules/nat policies/address objects are correct. The underlying problem is either the server or the firewall itself.

If you have some downtime scheduled, I would perform a full wipe of the unit (restore to factory) and reconfigure it using the Public Server Wizard.

Also, if you were able to figure out how to run a packet capture, it would tell us whether the firewall is forwarding or dropping the TCP packet. If you can, save the pcap file here and we can look at it and give you some more insight into the problem.

0
 
LVL 33

Expert Comment

by:digitap
ID: 34208944
Here are steps to capture syslog data:

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5106


You can also use the Packet Monitor. Go to System > Packet Monitor. Then click the Configure button. Click the Monitor Filter tab. In the interface section, type X1. In the source IP field, type the source public IP address you want to monitor for. You can add other IPs here, whether source or destination, that you want to monitor.

Click OK and click the Start Capture button. You'll need to click the Refresh button to get the data to appear in the little window below. Start your FTP session and see what appears.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34239999
So, what did your final solution look like?
0
 

Author Comment

by:Ithizar
ID: 34244224
Well, it's rather embarrassing, really. :) Apparently, when you suggested that I clear all the rules and run the Public Server Wizard, that actually worked. But, unfortunately, the computer I was testing with had, unbeknownst to me, a problem of its own that was preventing it from making a successful FTP connection. Once I tried it from another computer, it worked. So the Public Server Wizard and its standard FTP configuration was, in fact, the solution!

Thanks for the help, and sorry for the confusion!
0
 
LVL 33

Expert Comment

by:digitap
ID: 34245016
No worries. We all have our moments. I'm just glad it's working, and thanks for the extra clarification... and the points!
0
 

Expert Comment

by:Gustavo Reguerin
ID: 41776381
fluk3d's comment had a little mistake; the correct rule is:

WAN -> LAN

Service: Your FTP services group
Source: Any
Destination: "Address-Object LAN IP" (not Address-Object WAN IP)
Users allowed: All
Sche. : Always on
0

Question has a verified solution.
