
Network Address translation (NAT) / forwarding freeware on Win 2003 / XP

Posted on 2011-09-13
406 Views
Last Modified: 2012-06-27

I have a passive ftp client product which connects to the same product's
ftp server : this works fine.  However when SSL is enabled for this product,
there's an issue :

 client(private addr) >> Fwall Nat--> Internet  --> tcp 21 >> Fwall NAT --> server (private addr)

 server responds back

 Then SSL data transfer is supposed to start but it fails:
 client -- >    Internet over a range of fixed Tcp ports  --> server
         
Reason is the client attempt to connect to the server's response session via the
server's public address.

Is there an address forwarding/translation software that can translate the server's
public addr to private addr?  If only the client PC's local hosts table would work, it would
solve this issue, ie in client \windows\system32\drivers\etc\hosts,
   private_addr   public_addr


Tweaking with firewalls at both client & server's ends did not help so far, so
someone suggested this NAT software (hopefully it's freeware).


Building a permanent ssh VPN/tunnel between client & server should help
but the customer doesn't want this (for unknown reason).  Btw if a permanent
ssh tunnel is built, can the server still communicate with
other servers within its local subnet / domain?  With some VPNs (eg Cisco
VPN client), once the connection is established, my laptop can't access any
other networks / Internet other than the destination VPN subnet permitted.
Question by:sunhux
8 Comments
Accepted Solution

by:
ID: 36529106
>>Reason is the client attempt to connect to the server's response session via the
server's public address.

How did he initiate the FTP session without a public IP?   Sounds to me like all you need is to flip the passive mode on the FTP client.

>>With some VPN (eg Cisco
VPN client, once connection is established, my laptop can't access any
other networks / Internet other than the destination VPN subnet permitted)


This is because the VPN config locks the client into sending all traffic to the remote subnet.   'Split-Tunneling' is the term used to describe tunneling only the traffic for the remote site, all else is sent through the normal gateway.


Author Comment

by:sunhux
ID: 36529582


client ---- (connect to server's public IP @ tcp port 21) ------> firewall / NAT ---------> server (listening at its private IP @ tcp port 21)

 

Based on the logged information captured at the server, the following facts can be confirmed:

Client's socket connection reached server through firewall/NAT;
Server rejected client's connection subsequently as SSL handshake failed after the socket was connected;
Another client can connect to the same server locally (i.e. without going through firewall/NAT) and SSL handshake can complete successfully

The connection from the client to the server is an SSL socket whose listening port at the server is TCP port 21 at the server's private IP address. We may need to verify:

Client was trying to connect to the correct public IP address at the server side, which is mapped to server's private IP address via NAT;
Firewall/NAT rules allow an SSL connection to go through and connect to server's private IP address;
Again note that although we are using port 21 at the server, the protocol is not FTP and it is also not HTTPS. It just needs to be a TCP listening port for accepting incoming connections from outside the NAT.
Assisted Solution

by:jimmernet
ID: 36529941
What are you using for the FTP server? If it's IIS 7/7.5 then you need to specify the passive port range that the FTP client will use, as well as specifying the FTP server's external NATted IP.

See this walkthrough....

http://learn.iis.net/page.aspx/309/configuring-ftp-firewall-settings/

In normal ftp, firewalls are able to track ftp control sessions set up on port 21. Any requests for data transfers on another port will be monitored and the firewall will open that port. With SSL this control channel is encrypted, so firewalls cannot see this. So with IIS 7 you configure what port range you're going to use and map this range on the firewall for the external IP that the FTP server is natted through.

Cheers

Author Comment

by:sunhux
ID: 36530986

Check out the EE thread id 27298130 for details of the software & issues encountered

Author Comment

by:sunhux
ID: 36533820

http://geekswithblogs.net/Lance/archive/2005/08/23/50912.aspx
Refer to the link above; seems like the Ftp software that I have only supports
option 1 in the Solution section & that did not work (possibly because the
software did not allow us to specify the public address).
Assisted Solution

by:jimmernet
ID: 36535060
There you go... More eloquent than my response, but we're all swimming the same way... You'll have to try another ftp server, like I say, if you have win 2008, then you can download IIS ftp service ver 7.5 from http://www.iis.net/download/ftp for gratis. This works too... (if you're using win server 2008 R2, then it's in there already).

Does this answer things to your satisfaction?

Author Comment

by:sunhux
ID: 36535801

I'm on Win2003.  The remote end belongs to my customer &
it's also on Win2003 & the customer wanted to continue to
use this current Ftp server (but this time with SSL enabled).

I can't ask the customer to change to another ftp server.
The customer does not accept my proposal of me building
a permanent ssh tunnel / VPN even though what I need is
just freeware like putty & a free ssh server.  It will work
if I place the ftp server on a subnet that grants it a public IP
address (ie without undergoing any NAT) but it won't work
when this ftp server is behind a firewall with NAT'ing.

So isn't there some sort of freeware virtual adapter which
I can run on the ftp client to auto-translate the address so
as to implement something like what's suggested in Point 2
of the Solution section in the link I posted earlier, ie :

Some FTP clients (including IPWorks components) can be smart enough to try the ip
address specified by the server in the response to the PASV command, and if that
fails, fall back to the same ip address that the initial connection was made to.
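Worked example, added here and not code from the thread or from the FTP product discussed: a Python routine that parses the server's 227 PASV reply and applies the client-side fallback the quoted text describes (reuse the control connection's public address when a NATted server advertises a private one), and also flags a data port outside the fixed passive range that jimmernet's comment says must be mapped on the firewall. Function names, the addresses and the port range are constructed for illustration.

```python
import ipaddress
import re

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
_PASV_RE = re.compile(r"^227\D*(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

# Addresses a client outside the NAT cannot reach if the server advertises them.
_UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16")]                  # loopback, link-local


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply; raise ValueError if malformed."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    octets = [int(x) for x in m.groups()[:4]]
    p1, p2 = int(m.group(5)), int(m.group(6))
    if any(o > 255 for o in octets) or p1 > 255 or p2 > 255:
        raise ValueError("octet out of range in PASV reply")
    port = (p1 << 8) | p2          # port is sent as two base-256 digits
    if port == 0:
        raise ValueError("port 0 in PASV reply")
    return ".".join(map(str, octets)), port


def choose_data_endpoint(control_host, reply, passive_range=None):
    """Pick (ip, port, fell_back) for the data connection.

    control_host  - public address the control connection was opened to
    reply         - the server's 227 reply text
    passive_range - optional (low, high): the fixed port range the server is
                    configured with and the firewall forwards; a port outside
                    it means the two are misconfigured and would be blocked
    """
    adv_ip, port = parse_pasv(reply)
    if passive_range and not passive_range[0] <= port <= passive_range[1]:
        raise ValueError("PASV port %d outside forwarded range %s"
                         % (port, passive_range))
    adv = ipaddress.ip_address(adv_ip)
    # Server behind NAT advertised its private address: keep the port, but
    # reuse the public address the control session already reached.
    if any(adv in net for net in _UNROUTABLE) and adv_ip != control_host:
        return control_host, port, True
    return adv_ip, port, False
```

Because the SSL control channel hides the PASV exchange from the firewall, this fallback only helps when the data port is also in a range the firewall forwards statically, which is why the port-range check is there.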

Author Closing Comment

by:sunhux
ID: 36560772
I'll try another thread