  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 412

Server 2008 IIS7 FTP through Cisco 877w firewall

Issues trying to set up FTP on Server 2008 through a Cisco 877w firewall.

Local LAN client can connect via FTP to the ftp data share fine, but external clients are presented with a login box, then it fails to load a folder structure.

If I try to telnet from an external source to our firewall's external address on port 21 it connects fine.  If I try on port 20 it fails.  If I set the range within IIS to 65500-65500 then try to connect on that port it also fails.

All of the relevant ports are open on the firewall, and all ports are added to the NAT config as required.

Windows firewall is disabled.

Any ideas??

Cheers, Andy
1 Solution
 
AlexPace Commented:
The FTP control channel is blocked for the external.  Use an FTP client capable of logging the raw FTP activity.  You are looking for a PORT or PASV command from the client.  There will be 6 numbers, the first 4 are the IP address used for the data channel, the last 2 are the encoded port number.  

To decode the port number, convert each number to hex, then combine the two values, then convert back to decimal.  For example, if the last two numbers are 252,21 the data port is supposed to be 64533...

252 = xFC
21 = x15
FC15 = 64533
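As an added example (not code from anyone in this thread), here is a small Python script that decodes the six-number tuple from a PASV reply or PORT command the way described above, and runs the checks a firewall/NAT troubleshooter wants: does the server advertise its public address, and does the advertised port sit inside the forwarded range. The same decoding applies to the PASV/PORT values worked through later in the thread; the sample log lines, addresses and port range are constructed.

```python
import re

# Constructed sample lines (not from the thread), in the shapes a client
# trace log shows for passive mode (server reply) and active mode (client command).
PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,255,220)."
PORT_CMD = "PORT 192,0,2,25,141,174"

_SIX = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_endpoint(line):
    """Return (ip, port) from a PASV reply or PORT command.

    The six comma-separated numbers are four IP octets followed by the port's
    high byte and low byte; port = high * 256 + low, which is the same as
    concatenating the two hex bytes (252,21 -> 0xFC15 = 64533).
    """
    m = _SIX.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: %r" % line)
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        raise ValueError("octet out of range in: %r" % line)
    ip = ".".join(str(v) for v in n[:4])
    port = n[4] * 256 + n[5]
    return ip, port


def encode_port(port):
    """Inverse: split a port into the (high, low) pair FTP puts on the wire."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    return divmod(port, 256)


def pasv_checks(line, public_ip, lo, hi):
    """Sanity checks on a PASV reply as seen from outside the firewall:
    the advertised address must be the server's public (NAT) address and the
    advertised port must fall inside the forwarded passive range.
    Returns a list of problems; an empty list means the reply looks right."""
    ip, port = decode_endpoint(line)
    problems = []
    if ip != public_ip:
        problems.append("advertises %s, expected %s (check external IP setting/NAT)" % (ip, public_ip))
    if not lo <= port <= hi:
        problems.append("port %d is outside forwarded range %d-%d" % (port, lo, hi))
    return problems


if __name__ == "__main__":
    print(decode_endpoint(PASV_REPLY))   # ('203.0.113.10', 65500)
    print(decode_endpoint(PORT_CMD))     # ('192.0.2.25', 36270)
    print(pasv_checks(PASV_REPLY, "203.0.113.10", 65500, 65510))  # []
```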
 
Marius Gunnerud, Senior Systems Engineer, Commented:
Are you forwarding both ports 20 and 21? If so, remove forwarding for port 20 and only forward port 21 and test.  Forwarding them both can cause issues.

Also, from within your network go to http://canyouseeme.org and enter the port to double check to see if it is being seen as open from external.

Another possibility, though doubtful, is that there might be an ACL blocking FTP traffic? Worth checking.
 
Marius Gunnerud, Senior Systems Engineer, Commented:
Here is a good article on how FTP works. It might shed some light on your issue.

http://slacksite.com/other/ftp.html
 
andrewprouse (Author) Commented:
Hi guys,

Thanks for the replies.

Using canyouseeme.org I can see myself on port 21, but not on port 20 or on the port set within IIS (65500).  All of the above ports are allowed through the Router & NAT so I'm guessing the issue is with the IIS config.

Really not sure where to go from here...
 
AlexPace Commented:
Try my suggestion.  If the log is confusing post it here and we'll help sort it out.  Be sure the log doesn't contain your password.
 
andrewprouse (Author) Commented:
Hi Alex,

Sorry, you've lost me with your initial post.  

What software would you recommend I use?

I take it I run this software on the server and not the client?
 
AlexPace Commented:
You need to see what the client sees.  

1. Download and install the trial version of Robo-FTP on an external computer.  Be sure you are logged in as an administrator when installing this software.

2. On the same external computer, save the following code in a text file and change the filename to test.s
;; enable logging
TRACELOG "my_trace.log"
;; try passive mode
FTPLOGON "ftp.myserver.com" /user="UserID" /pw="secret"
FTPLIST
FTPLOGOFF
;; try active mode
FTPLOGON "ftp.myserver.com" /user="UserID" /pw="secret" /pasv=false
FTPLIST
FTPLOGOFF


3. Open the main Robo-FTP window and choose menu option File -> Execute Script File and then choose your new test.s file.  The script will run.  Close Robo-FTP.

4. Drill down to the c:\Program Filesblahblahblah folder where Robo-FTP is installed and find the my_trace.log file.  It was just created so it is easy to find if you sort descending by date.

5. Look for the server's response to the PASV command and decipher the last two numbers as shown above to find the data channel port.  Then do the same for the PORT command that appears lower in the log.  If you are not sure you can just post the trace log file here and we'll help you figure it out.
 
andrewprouse (Author) Commented:
Thank you so much for the instructions!!

PASV=     [external ip of FTP server] , 255 , 220
PORT=    [local IP of client] , 141 , 174

It says throughout that it managed to logon successfully and get directory listing etc...strange.

I've also now just checked connectivity from that client and it can log onto the ftp server and can open some test .txt files that I left on it!

Is this just coincidence because I ran the Robo-FTP utility??

I'll try to find another external FTP client to test from.
 
AlexPace Commented:
255 = FF
220 = DC
FFDC = 65500

So when the client requested Passive Mode, the server told it to connect back on the external IP of the server, port 65500.  This matches what you explained in your original post so the server is behaving properly.  Was that a typo in your original post or did you really set the port range to 65000 - 65000 ??? You'll want more than one port available for passive mode.  You need at least one for each concurrent client.  If you never expect to have more than 5 people connected at any time you might still want to set the range to double that at least to leave room for future growth, because it's the last thing you'll think of to check when stuff stops working for some mysterious reason two years later.

141 = 8D
174 = AE
8DAE = 36270

When the client initiated Active Mode, it told the server to open the connection to the client's port 36270.  The DOS ftp.exe program can only do active mode.  I'm not sure if the DOS ftp.exe client allows you to specify the port to be used in Active Mode, but other FTP clients do, including Robo-FTP.

Robo-FTP wouldn't do anything to un-block a blocked data channel port so I think it is a coincidence that it worked.  Maybe your server was configured with only one possible port on the data channel and just couldn't handle two connections at the same time?  Who knows?!?

 
andrewprouse (Author) Commented:
Either way, it's working now, and I've learnt something in the process.  Thank you!!

I'll extend the port range (that wasn't a typo), good idea.

Thanks again.