joshuasanders asked:
IIS & Natting

I have an IIS server configured on my protected DMZ hanging off a Juniper firewall. The firewall is set to NAT all traffic through a public IP to my DMZ subnet IP. When my user connects to the server I get the following error:

Response:  250 CWD command successful.
Command:   TYPE I
Response:  200 Type set to I.
Command:   PASV
Response:  227 Entering Passive Mode (192,168,1,130,150,105).
Status:    Server sent passive reply with unroutable address. Using server address instead.

When I go into the IIS properties for the site, my IP address just says (All Unassigned). Do I need to put my public IP address in here even though the NIC on the server is set to a private 192 address?
ASKER CERTIFIED SOLUTION
Aaron Tomosky
Hi,

You don't need to configure a public IP address on the local system.
Internally, use a fixed IP for your web server. Externally, if you have a non-static IP, look at dynamic DNS services like no-ip.com and zoneedit.com. You must forward HTTP traffic through your NAT router, and make sure your ISP doesn't block HTTP.

HTH
Also FYI,

Network address translation (NAT) routers have become very common lately as they are inexpensive and offer an easy way to set up a simple network. They are often used in corporate environments to isolate a test platform and are popular with home users as an easy way to share a broadband Internet connection amongst multiple computers in the household. Difficulties arise, however, because without proper configuration, the router will block access to your IIS server. A technology called "port forwarding" is used to enable access to the server from the outside world. In simple terms, the router is instructed to forward all requests it receives on a certain port to a specific computer on its network. While the standard port for HTTP traffic is 80, this can also be used for alternate available ports.

Most NAT routers have an embedded Web server that is used for configuration. Consult your documentation for the specific URL to use to connect. Once connected, look for Port Forwarding as one of the options to configure. The common way to configure this is to identify:

The service (HTTP in this case)
The port range you want to forward (port 80 by default for Web traffic)
The IP address to which you want to route all requests (the IP address of your server)
Because you need to statically map the port forwarding, it's best to assign a static IP for your server and not rely on DHCP. This technique can also be used for other services that you want to provide, such as SMTP, NNTP, or FTP. These services would be configured in the same way, except that you would forward the appropriate ports for each service. For specific instructions for your router, consult the manufacturer's Web site. Manufacturers typically offer documentation, pointers, and answers to frequently asked questions in their support areas.

An alternate method is to place your server in what might be called the Neutral Zone. While the router will still assign a static or dynamic IP for your server, the router will not block any requests and will therefore leave your box wide open for attacks. Make sure you have either a good software or hardware firewall protecting that server.

One final note: If you are a home user, please make sure you are not violating your Internet service provider's (ISP) Terms of Service as many broadband providers prohibit their home users from running servers. In many cases, ISPs will even block inbound port 80 traffic on their networks, making port 80 unusable for this type of use.

(this was originally published in the November 2005 edition of the IIS Insider)

HTH

Vikrant
BWaring

It seems to me that you're trying to run an FTP server in the DMZ, not a web server, correct? If yes, I'll explain...
That's why I said yes. Because the commands listed are for FTP, and passive FTP requires the IP of the WAN port as well as a port range forwarded to it.
joshuasanders (asker):
Yes, running an FTP server on IIS on a DMZ running on a Juniper SRX240. I also neglected to inform you that I have users who FTP from inside my corporate LAN to this machine's private IP address. I just received a call that it's not working for them, probably because of the change I made for them. I'm wondering if I should create a second site in IIS with the private IP address listed, pointing to the identical folder.
Tell them to try setting their FTP client to active mode.
I think it's a server app connecting to me but I'm not sure. Should I have two sites configured in IIS to reflect the two accesses? One for the private IP and one for the public IP.
As was mentioned, with FTP it's an active/passive FTP issue... that's why I was confirming that it was FTP.... when you are doing 'simple' NAT translations between the inside (DMZ) and outside (Internet for example), NAT creates a problem because the IP of the server is embedded in the packet headers.

The bigger problem arises when you have the client on one side behind a simple NAT device and the server on the other side behind its own simple NAT device. In this case, it is very difficult to make it work.... THIS may be your problem, if as you say it's a "server app" connecting to you...

To get around this, you either need to use a firewall that is application layer aware and can alter the FTP header with the public IP of the firewall (many do), or the FTP server needs to be able to alter its responses to non-local FTP traffic (IIS cannot; others, like WS_FTP Server, can).

Look in the Juniper setup and see if there is any specific configuration for FTP....

This is a pretty good explanation of it all: http://www.ncftp.com/ncftpd/doc/misc/ftp_and_firewalls.html
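The two behaviours described above (a client noticing an unroutable address in the 227 reply and falling back to the control-connection address, and an FTP-aware firewall rewriting that reply with the public IP) are shown below as an added Python example; this is not code from the thread, and the public address 203.0.113.10 it uses is a documentation placeholder, not anything from the original post:

```python
import ipaddress
import re

# Pattern for the RFC 959 "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# Address ranges that are never reachable from the Internet: RFC 1918 private
# space plus loopback and link-local. A PASV reply naming one of these is the
# symptom shown in the thread ("passive reply with unroutable address").
UNROUTABLE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]


def parse_pasv(reply):
    """Return (ip, port) advertised by a 227 reply; raise ValueError otherwise."""
    m = PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in: %r" % reply)
    ip = ipaddress.ip_address("%d.%d.%d.%d" % (h1, h2, h3, h4))
    # The data port is sent as two bytes: high * 256 + low.
    return ip, p1 * 256 + p2


def is_unroutable(ip):
    """True if the address cannot be reached across the Internet."""
    return any(ip in net for net in UNROUTABLE_NETS)


def resolve_data_endpoint(reply, control_peer_ip):
    """Decide where a client should open the data connection.

    Mirrors the client behaviour in the thread: if the server advertises an
    unroutable address, fall back to the address the control connection was
    made to. Returns (ip, port, substituted).
    """
    ip, port = parse_pasv(reply)
    if is_unroutable(ip):
        return ipaddress.ip_address(control_peer_ip), port, True
    return ip, port, False


def rewrite_pasv_reply(reply, public_ip):
    """What an FTP-aware firewall (ALG) does on the way out: replace the
    advertised private address with the public one and keep the port."""
    _ip, port = parse_pasv(reply)
    octets = str(ipaddress.ip_address(public_ip)).replace(".", ",")
    return "227 Entering Passive Mode (%s,%d,%d)." % (octets, port // 256, port % 256)


if __name__ == "__main__":
    # Constructed sample: the 227 reply quoted in the question, paired with a
    # placeholder public address (203.0.113.10 is a documentation range).
    reply = "227 Entering Passive Mode (192,168,1,130,150,105)."
    print(resolve_data_endpoint(reply, "203.0.113.10"))
    print(rewrite_pasv_reply(reply, "203.0.113.10"))
```

Even after the reply is rewritten, the data port it names (here 150*256+105 = 38505) still has to be forwarded by the NAT device to the server, which is why a passive port range is forwarded alongside port 21; a rewritten address pointing at a port the firewall drops simply moves the failure from "unroutable address" to a connection timeout.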
Not sure about Junipers. However on Cisco IOS routers, there is a function called IP inspect. This is enabled by entering "IP Inspect <name of inspection rule> ftp"
Then, applying it to the inside facing interface (usually VLAN1, or an ethernet interface) with "ip inspect <name of inspection rule> in"
actually, my original question was
"Do I need to put my public IP address in here even though the NIC on the server is set to a private 192 address?"
The answer of "yes" answered it to my satisfaction. There was a lot of follow up but my main issue was the server was responding with a private IP address to a host on the Internet. I needed to know if the IIS change would clear that issue up.
Feel free to re-close the question and award the points as originally awarded.
Thank you.
Joshua Sanders
You don't need to configure your public IP on the server NIC. Could you please read my above comment? I told you "port forwarding" is used to enable access to the server from the outside world. In simple terms, the router is instructed to forward all requests it receives on a certain port to a specific computer on its network. While the standard port for HTTP traffic is 80 and the standard port for FTP traffic is 21, this can also be used for alternate available ports.

HTH

Vikrant

heh, dude! I know what port forwarding is, been doing the Netadmin thing now for about 10 years. lol. I wasn't talking about the IP settings on the NIC. I was talking about inside the IIS settings for the FTP site.
(attached screenshot: untitled.JPG)
Most importantly, does it work after doing that?
Well the incessant chattering from the end user immediately ended but I'm still waiting for a more direct form of communication (telephone, email) to actually confirm this. :)
joshuasanders,

It's strange. If you have been working as a netadmin for 10 years, then why did you ask this type of question?
lol
Unbelievable. I don't need points.

Hi Zone moderator, please go with joshuasanders.

And for your information, I was not chattering incessantly.

You must understand, I had an objection to 'YES'; you accepted only that thing. This is not a forum for playing; please close this issue here.
wow dude, relax.
First of all, netadmin....not sysadmin. I'm familiar with network equipment (routers, switches, & most importantly.....firewalls (port forwarding thing). My familiarity with IIS however is limited. Therefore my question was related to the inner working of IIS, hence the primary tag and zone for the question.

Secondly, I wasn't referring to you with the incessant chattering. I was referring to my end user who was complaining about his app not working. I'm certainly not playing around on this board. I had a question and that question was answered. It was short and direct but it answered my question.
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.