Solved

Sonicwall TZ-210: open ports 60000-60100 to connect to EXTERNAL FTP SERVER (PASSIVE)

Posted on 2011-02-11
3,007 Views
Last Modified: 2012-05-11
I was asked by a client to connect to their FTP server. I was told I need to open ports in MY firewall to connect to THEIR ftp server since it uses passive ftp.

Firstly this sounds wrong to me, but I learn new things everyday so who knows.

Secondly how do I accomplish this using the Sonicwall tz-210 I am behind right now. I am the admin so I can make conf changes.

Could someone enlighten me and walk me through this?

Thanks
Question by:MaxDes101
34 Comments
 
LVL 33

Expert Comment

by:digitap
ID: 34873224
Here is a KB on how to open the ports.  if you are concerned about the security aspect of opening up these ports, confirm with them, the public IP addresses they'll be using.  change the WAN > LAN firewall rule for the source from Any to their public IP address.  this way ONLY their FTP server will be allowed in through your firewall to your internal client.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=3718

regarding ftp and why the ports need to be opened, there can be issues with active FTP in the two-way communication that is established between the client and server.  using passive typically resolves that, however if they are using non-standard ports, then you may need to open up your firewall for them.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=3951

0
 

Author Comment

by:MaxDes101
ID: 34873402
So can you help explain what I need to enter into the  NAT portion? Can I just have it allow any LAN subnet to access the external FTP server? I have included the picture of what I am seeing. NAT form
0
 
LVL 33

Accepted Solution

by:
digitap earned 500 total points
ID: 34873523
first thing, create a new service object for the ports you need.  go to firewall > services.  scroll down to the service objects and click Add Object.  use the settings i have attached in the screen shot.

then, go to network > address objects and create a new address object representing the public IP address.  make it a host and on the WAN zone.

then, go back to create a new NAT policy.  based on your picture, you want the different fields to say this:

Original Source: Any
Translated Source: Original
Original Destination: WAN IP
Translated Destination: LAN Subnets
Original Service: Service Object You Created.
Translated Service: Original
Inbound Interface: Any
Outbound Interface: Any

Save the new NAT policy.

Then, create a WAN > LAN firewall rule.

Source: Address Object of the public FTP server IP
Destination: LAN Subnets
Service: Any
0
 
LVL 33

Expert Comment

by:digitap
ID: 34873536
forgot the screen shot.
greenshot-2011-02-11-12-06-09.jpg
0
 

Author Comment

by:MaxDes101
ID: 34873662
I have tried both ways but to be clear when you said:

"then, go to network > address objects and create a new address object representing the public IP address.  make it a host and on the WAN zone."

You mean the public IP of the server I'm connecting to, or my own public IP for the firewall?
0
 
LVL 33

Expert Comment

by:digitap
ID: 34873692
you want to use the public IP address of their ftp server.  you could create a firewall rule to allow Any as the source just to make sure everything works.  however, if you wanted to lock things down more securely, you could change the source of the WAN > LAN firewall rule to their FTP server's public IP address.

it's possible there may be more than one public IP address.  if they have some "round robin" configuration where you use a URL instead of a public IP to connect to their FTP server, then you'd need to get the list of public IP addresses they'll use, create an address object for each one and add them to an address group.  you'd then use this as the source in your WAN > LAN firewall rule.
0
 

Author Comment

by:MaxDes101
ID: 34873790
You've been great.
Pretty sure I have everything as you said it was supposed to be, but I'm still timing out on their server.

They do provide public IPs to connect to and I tried it as both a range and a host with no luck.

All I get is a time-out.

Frustrating.

0
 
LVL 33

Expert Comment

by:digitap
ID: 34873850
ok...let's look at the log on the firewall.  go to Log > Categories.  make sure log level is debug.  then, you'll see a bunch of categories that you can select.  if you check the box at the top of each column, you select the categories for the whole column.  you want to select everything.  go back to your log and initiate an FTP session.  see anything?

also, you might make sure the sonicwall isn't blocking FTP access.  go to security services > Gateway AV.  remove the check box for FTP and save the settings.  try another session.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34873866
something to consider, the instructions indicate making a NAT rule to the host on the LAN subnet.  without a reciprocal NAT policy, we may not be getting good NAT mapping.  if the suggestions above fail, you might try creating a new address object representing the host on the LAN subnet.  then, go to your NAT policy and change the Translated Destination to the new address object.

make the new object a host and on the LAN zone.
0
 

Author Comment

by:MaxDes101
ID: 34873921
TCP handshake violation detected; TCP connection dropped
0
 

Author Comment

by:MaxDes101
ID: 34874099
And now I get no other log messages when I attempt a connection. Have tried the other NAT solution and still no luck. I'm starting to wonder if their server/firewall isn't configured correctly....
0
 
LVL 33

Expert Comment

by:digitap
ID: 34874212
i can't think of anything else without seeing your setup on the sonicwall...i'll have to think some more.
0
 

Author Comment

by:MaxDes101
ID: 34874253
hhhmmm dang. and due to hipaa regulations I cannot have you log in or anything. Thanks for your help.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34874309
let's have a look at the monitor.  system > packet capture.  you'll want to configure a capture for the X1 interface and the source IP be your private IP.  make sure the check box for port matching is checked.

start another ftp session.  see if anything is dropped.
0
 

Author Comment

by:MaxDes101
ID: 34874413
Not seeing anything at all. tried with and without dest IP. added pic for my settings. packetmon
0
 
LVL 33

Expert Comment

by:digitap
ID: 34874446
ok...try leaving out the source ports and IP types.
0
 

Author Comment

by:MaxDes101
ID: 34874456
But I am seeing on the x0 interface that my traffic gets forwarded to that address.  
X0 10.1.2.63      outsideIPhere     IP       TCP      20422,21    forwarded
0
 
LVL 33

Expert Comment

by:digitap
ID: 34874468
so, it's going out as port 21...hmmm
0
 
LVL 33

Expert Comment

by:digitap
ID: 34874481
then, let's change things and remove the source IP.  we're looking for dropped packets.  then, we need to confirm if the ports they designated are the correct ports to begin with.  on your FTP client, have you had to specify that you want to use Passive FTP?
0
 

Author Comment

by:MaxDes101
ID: 34874513
yes. passive is selected in Filezilla.

ok with source IP gone I see:

my router pub IP   destination server IP    IP  TCP    35946,21  Forwarded.
0
 

Author Comment

by:MaxDes101
ID: 34874560
in passive FTP it still uses the initial port 21 for connections, right? So if it doesn't get a command port connection on 21 I would never be able to connect to the remote server....

Does that even sound logical? heh.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34874573
with just the X1 interface monitored, you should see something coming back from them.  if there was traffic being returned, you'd see it being dropped in the monitor @ the X1 interface.  i take it you aren't seeing that, right?
0
 

Author Comment

by:MaxDes101
ID: 34874575
This is what I received from their IT people about my connection.....

Command port is 21
Data ports are 60000-60100 (for passive ftp)

0
 

Author Comment

by:MaxDes101
ID: 34874589
Not seeing anything coming back from them at all.... in fact I ended up doing a stealth scan earlier just to verify there was in fact something on that IP address.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34874619
what if you tried using explorer to access the ftp site?  what happens?
0
 

Author Comment

by:MaxDes101
ID: 34874646
as such:

ftp://170.201.109.228/

?

if that's the correct syntax then it just times out like filezilla.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34874732
there has to be something going on with their end.  without any of the configuration settings you have on your sonicwall, my packet monitoring gives me the same thing.  i see the initial port 21 as passive ftp does then i see the random port initiated by the ftp client.  however, i don't see the response from the server.  now, something that i don't understand, the client is supposed to initiate the ports to the server and i don't see those ports being initiated within the range specified....60000 - 60100.

something's wrong.
0
 

Author Comment

by:MaxDes101
ID: 34874749
I don't even see where you COULD specify the passive port range. In fact when looking through documentation only the server seems to have that option.  Via reading online it seems to me that their server is just not responding correctly or at all:
Passive FTP

In order to resolve the issue of the server initiating the connection to the client a different method for FTP connections was developed. This was known as passive mode, or PASV, after the command used by the client to tell the server it is in passive mode.

In passive mode FTP the client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server. When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1023 and N+1). The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command. The result of this is that the server then opens a random unprivileged port (P > 1023) and sends the PORT P command back to the client. The client then initiates the connection from port N+1 to port P on the server to transfer data.

From the server-side firewall's standpoint, to support passive mode FTP the following communication channels need to be opened:

    * FTP server's port 21 from anywhere (Client initiates connection)
    * FTP server's port 21 to ports > 1023 (Server responds to client's control port)
    * FTP server's ports > 1023 from anywhere (Client initiates data connection to random port specified by server)
    * FTP server's ports > 1023 to remote ports > 1023 (Server sends ACKs (and data) to client's data port)
0
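Worked example, added to this thread (it is not from the original posts, FileZilla, or SonicWall): a short Python script that walks the passive-mode exchange described in the quoted text and records which side opens each TCP connection. The server address 170.201.109.228 and the 60000-60100 data-port range come from the thread; the function names, the 227 reply the script constructs, and the rule dictionaries are assumptions made for this example. It parses the server's 227 reply (the RFC 959 form of the "PORT P" the quoted text mentions), refuses a reply that advertises a host other than the control-connection peer, and checks whether the advertised data port falls inside the range an outbound rule would allow.

```python
import re

# Values taken from the thread: the remote admin stated command port 21 and
# passive data ports 60000-60100; 170.201.109.228 is the server address the
# asker tried. Everything else (function names, the rule dicts, the 227 reply
# built below) is constructed for this example.
CONTROL_PORT = 21
PASSIVE_RANGE = (60000, 60100)
SERVER_IP = "170.201.109.228"

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(
    r"^227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(reply):
    """Return (host, port) advertised in a 227 reply; port = p1*256 + p2.

    Raises ValueError on anything malformed so a client never connects to an
    unintended address/port because of a garbled or hostile reply.
    """
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a valid 227 PASV reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in PASV reply: %r" % reply)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("PASV reply advertised port 0")
    return host, port


def safe_data_target(reply, control_peer):
    """Parse a 227 reply and refuse an address that differs from the control peer.

    A reply advertising some other host would redirect the client's data
    connection; FileZilla, for one, ignores such addresses for this reason.
    """
    host, port = parse_pasv_reply(reply)
    if host != control_peer:
        raise ValueError("PASV reply points at %s, not control peer %s" % (host, control_peer))
    return host, port


def data_port_in_range(port, rng=PASSIVE_RANGE):
    """True if the advertised data port is one the client firewall lets out."""
    lo, hi = rng
    return lo <= port <= hi


def outbound_rules_needed(server_ip=SERVER_IP, rng=PASSIVE_RANGE):
    """Egress rules a client-side stateful firewall needs for passive FTP.

    Both connections are client-initiated, so the client side needs no
    inbound (WAN > LAN) rule and no NAT policy; replies ride the state table.
    """
    return [
        {"direction": "LAN>WAN", "dst": server_ip, "proto": "tcp",
         "dport": (CONTROL_PORT, CONTROL_PORT)},
        {"direction": "LAN>WAN", "dst": server_ip, "proto": "tcp", "dport": rng},
    ]


def simulate_passive_session(server_ip, advertised_port, allowed_rng=PASSIVE_RANGE):
    """Walk the exchange from the quoted description and record who opens what.

    The server's 227 reply is constructed here; a real client reads it from
    the control connection.
    """
    events = []
    # 1. Client opens the control connection to server:21.
    events.append(("client->server", CONTROL_PORT, "control connection opened by client"))
    # 2. Client sends PASV; server answers 227 with the port it is listening on.
    p1, p2 = divmod(advertised_port, 256)
    reply = "227 Entering Passive Mode (%s,%d,%d)" % (server_ip.replace(".", ","), p1, p2)
    events.append(("server->client", CONTROL_PORT, reply))
    host, port = safe_data_target(reply, server_ip)
    # 3. Client opens the data connection to server:port; only an egress rule matters.
    permitted = data_port_in_range(port, allowed_rng)
    events.append(("client->server", port,
                   "data connection opened by client; "
                   + ("permitted by egress policy" if permitted else "BLOCKED by egress policy")))
    return {"data_port": port, "permitted": permitted, "events": events}


if __name__ == "__main__":
    for p in (60050, 61000):
        result = simulate_passive_session(SERVER_IP, p)
        print(p, "->", "permitted" if result["permitted"] else "blocked")
        for event in result["events"]:
            print("   ", event)
```

Because both connections originate from the client, the list returned by outbound_rules_needed() is the whole client-side requirement: a stateful firewall admits the server's replies on the sessions the client opened, so no WAN > LAN rule or inbound NAT policy takes part. The second run (port 61000) shows the failure mode that matters here: if the server advertises a data port outside the range the client side allows out, the control connection on 21 succeeds and only the data connection is blocked.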
 

Author Comment

by:MaxDes101
ID: 34874752
Thanks again for all of your help!
0
 
LVL 33

Expert Comment

by:digitap
ID: 34874772
yes, i saw that too.  i looked through my filezilla installation and i don't see where that's specified.  seems the ftp server is "listening" on ephemeral ports 60000-60100 and the filezilla client knows that passive ftp could use port 1024 through 65535.  if you don't tell your ftp server to listen to that port range, then you have to tell your ftp client to use that port range.

it shouldn't be this difficult...all fingers are pointing at them?  even if you opened up NAT for the 1024 - 65535 port range, if their server isn't expecting that port range, then the connection will fail.  i think that's why we're not seeing packets from their server being dropped.
0
 

Author Comment

by:MaxDes101
ID: 34874811
My thoughts as well.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34874874
perhaps you can change the ephemeral port range on the client side.

Microsoft Windows

As of Windows Vista and Windows Server 2008, Windows now uses a large range (49152-65535) by default, according to Microsoft Knowledgebase Article 929851. That same article also shows how you can change the range if desired, but the default range is now sufficient for most servers.

For older Windows operating systems (Windows XP and older), Windows uses the traditional BSD range of 1024 through 4999 for its ephemeral port range.  Unfortunately it appears that you can only set the upper bound of the ephemeral port range.  Here is information excerpted from Microsoft Knowledgebase Article 196271:

    * Start Registry Editor (Regedt32.exe).
    * Locate the following key in the registry:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    * On the Edit menu, click Add Value, and then add the following registry value:

      Value Name: MaxUserPort
      Data Type: REG_DWORD
      Value: 65534 <for example>

      Valid Range: 5000-65534 (decimal)
      Default: 0x1388 (5000 decimal)

      Description: This parameter controls the maximum port number used when an application requests any available user port from the system. Normally, ephemeral (that is, short-lived) ports are allocated between the values of 1024 and 5000 inclusive.
    * Quit Registry Editor.

Note: There is another relevant KB article (812873) which claims to allow you to set an exclusion range, which could mean that you could exclude ports 1024-9999 (for example) to have the ephemeral port range be 10000-65534. However, we have not been able to get this to work (as of October 2004).

ref: http://www.ncftp.com/ncftpd/doc/misc/ephemeral_ports.html
0
 

Author Comment

by:MaxDes101
ID: 34874979
I'm going to shy away from registry edits for an issue that is most likely on their end. I'm trying to get in touch with their IT group to fix this issue.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34874987
i agree.
0
