andrewprouse

asked on

Server 2008 IIS7 FTP through Cisco 877w firewall

Issues trying to setup FTP on Server 2008 through a Cisco 877w firewall.

Local LAN client can connect via FTP to the ftp data share fine, but external clients are presented with a login box, then it fails to load a folder structure.

If I try to telnet from an external source to our firewall's external address on port 21 it connects fine.  If I try on port 20 it fails.  If I set the range within IIS to 65500-65500 then try to connect on that port it also fails.

All of the relevant ports are open on the firewall, and all ports are added to the NAT config as required.

Windows firewall is disabled.

Any ideas??

Cheers, Andy
AlexPace

The FTP control channel is blocked for the external.  Use an FTP client capable of logging the raw FTP activity.  You are looking for a PORT or PASV command from the client.  There will be 6 numbers, the first 4 are the IP address used for the data channel, the last 2 are the encoded port number.  

To decode the port number, convert each number to hex, then combine the two values, then convert back to decimal.  For example, if the last two numbers are 252,21 the data port is supposed to be 64533...

252 = xFC
21 = x15
FC15 = 64533
Are you forwarding both ports 20 and 21? If so, remove forwarding for port 20 and only forward port 21 and test.  Forwarding them both can cause issues.

Also, from within your network go to http://canyouseeme.org and enter the port to double check to see if it is being seen as open from external.

Another possibility, though doubtful, is that there might be an ACL blocking FTP traffic. Worth checking.
Here is a good article on how FTP works. It might shed some light on your issue.

http://slacksite.com/other/ftp.html
andrewprouse (ASKER)

Hi guys,

Thanks for the replies.

Using canyouseeme.org I can see myself on port 21, but not on port 20 or on the port set within IIS (65500).  All of the above ports are allowed through the Router & NAT so I'm guessing the issue is with the IIS config.

Really not sure where to go from here...
Try my suggestion.  If the log is confusing post it here and we'll help sort it out.  Be sure the log doesn't contain your password.
Hi Alex,

Sorry, you've lost me with your initial post.  

What software would you recommend I use?

I take it I run this software on the server and not the client?
You need to see what the client sees.  

1. Download and install the trial version of Robo-FTP on an external computer.  Be sure you are logged in as an administrator when installing this software.

2. On the same external computer, save the following code in a text file and change the filename to test.s
;; enable logging
TRACELOG "my_trace.log"
;; try passive mode
FTPLOGON "ftp.myserver.com" /user="UserID" /pw="secret"
FTPLIST
FTPLOGOFF
;; try active mode
FTPLOGON "ftp.myserver.com" /user="UserID" /pw="secret" /pasv=false
FTPLIST
FTPLOGOFF


3. Open the main Robo-FTP window and choose menu option File -> Execute Script File and then choose your new test.s file.  The script will run.  Close Robo-FTP.

4. Drill down to the c:\Program Filesblahblahblah folder where Robo-FTP is installed and find the my_trace.log file.  It was just created so it is easy to find if you sort descending by date.

5. Look for the server's response to the PASV command and decipher the last two numbers as shown above to find the data channel port.  Then do the same for the PORT command that appears lower in the log.  If you are not sure you can just post the trace log file here and we'll help you figure it out.
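The decoding described in Alex's first reply and in step 5 of the procedure above, done mechanically. This is an added example, not code from this thread and not part of Robo-FTP: a small Python script that pulls every client PORT command and every server 227 (PASV) reply out of a trace and turns the last two numbers into the TCP port (high byte times 256 plus low byte, which is exactly what "convert to hex and concatenate" computes). The trace text, the server name and the IP addresses in it are constructed for illustration; the port pairs are the ones quoted in this thread (252,21 in the first reply, 255,220 and 141,174 in the asker's follow-up). The `passive_ports_outside` helper is a hypothetical name added here to compare the advertised passive port against the range configured in IIS.

```python
import re

# Constructed sample trace (not a real Robo-FTP log): one passive and one
# active directory listing against a hypothetical server. 203.0.113.10 is a
# documentation address standing in for the server's external IP and
# 192.168.1.50 for the client's LAN IP; the port pairs are those quoted
# in this thread.
SAMPLE_TRACE = """\
220 Microsoft FTP Service
USER UserID
331 Password required for UserID.
PASS ********
230 User logged in.
PASV
227 Entering Passive Mode (203,0,113,10,255,220).
LIST
150 Opening ASCII mode data connection.
226 Transfer complete.
PORT 192,168,1,50,141,174
200 PORT command successful.
LIST
425 Can't open data connection.
"""

SIX = r'(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})'
PORT_RE = re.compile(r'\bPORT\s+' + SIX)   # client -> server request (active mode)
PASV_RE = re.compile(r'^227\b.*?' + SIX)    # server -> client reply (passive mode)


def decode_port(hi, lo):
    """Decode the last two numbers of a PORT/227 tuple into the TCP port.

    The pair is the 16-bit port split into its high and low bytes, so
    'convert each to hex and concatenate' is the same as hi * 256 + lo.
    """
    hi, lo = int(hi), int(lo)
    if not (0 <= hi <= 255 and 0 <= lo <= 255):
        raise ValueError(f"byte out of range: {hi},{lo}")
    return (hi << 8) | lo


def data_channels(trace):
    """Return [(mode, ip, port, direction), ...] for every data channel
    negotiated in the trace text, in the order they appear."""
    found = []
    for line in trace.splitlines():
        m = PASV_RE.search(line.strip())
        if m:
            mode, direction = "PASV", "client connects to server"
        else:
            m = PORT_RE.search(line)
            if not m:
                continue
            mode, direction = "PORT", "server (source port 20) connects to client"
        g = m.groups()
        found.append((mode, ".".join(g[:4]), decode_port(g[4], g[5]), direction))
    return found


def passive_ports_outside(trace, low, high):
    """Ports advertised in 227 replies that fall outside the passive range
    [low, high] configured on the server; the firewall/NAT rules written
    for that range will not cover them."""
    return [port for mode, _ip, port, _direction in data_channels(trace)
            if mode == "PASV" and not low <= port <= high]


if __name__ == "__main__":
    for mode, ip, port, direction in data_channels(SAMPLE_TRACE):
        print(f"{mode}: {ip}:{port}  ({direction})")
    print("advertised outside 65500-65500:",
          passive_ports_outside(SAMPLE_TRACE, 65500, 65500))
```

Run against the constructed trace, the 227 reply decodes to 65500, the single port the asker configured in IIS, and the PORT command to 36270. The two modes put the burden on different sides: in passive mode the client opens the data connection to the IP and port in the 227 reply, so that IP must be the server's external address and the firewall/NAT must pass inbound TCP to it on every port in the passive range; in active mode the server itself opens the data connection from its port 20 out to the client's advertised IP and port, so nothing on the server listens on port 20 and an inbound probe of port 20 (telnet or canyouseeme.org) will fail even when active mode is working.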
Thank you so much for the instructions!!

PASV=     [external ip of FTP server] , 255 , 220
PORT=    [local IP of client] , 141 , 174

It says throughout that it managed to logon successfully and get directory listing etc...strange.

I've also now just checked connectivity from that client and it can log onto the ftp server and can open some test .txt files that I left on it!

Is this just coincidence because I ran the Robo-FTP utility??

I'll try to find another external FTP client to test from.



ASKER CERTIFIED SOLUTION
AlexPace
This solution is only available to members.
Either way, it's working now, and I've learnt something in the process.  Thank you!!

I'll extend the port range (that wasn't a typo), good idea.

Thanks again.