sunhux

asked on

Network Address translation (NAT) / forwarding freeware on Win 2003 / XP


I have a passive ftp client product which connects to the same product's
ftp server : this works fine.  However when SSL is enabled for this product,
there's an issue :

 client(private addr) >> Fwall Nat--> Internet  --> tcp 21 >> Fwall NAT --> server (private addr)

 server responds back

 Then SSL data transfer is supposed to start but it fails:
 client -- >    Internet over a range of fixed Tcp ports  --> server
         
Reason is the client attempts to connect to the server's response session via the
server's public address.

Is there an address forwarding/translation software that can translate the server's
public addr to private addr?  If only the client PC's local hosts table would work, it would
solve this issue, ie in client \windows\system32\drivers\etc\hosts,
   private_addr   public_addr


Tweaking with firewalls at both client & server ends did not work so far, so
someone suggested this NAT software (hopefully it's freeware)


Building a permanent ssh VPN/tunnel between client & server should help
but the customer doesn't want this (for unknown reason).  Btw if an ssh
permanent tunnel is built, can the server still communicate with
other servers within its local subnet / domain?  With some VPNs (eg Cisco
VPN client), once the connection is established, my laptop can't access any
other networks / Internet other than the permitted destination VPN subnet.
ASKER CERTIFIED SOLUTION
MikeKane
sunhux

ASKER



client ---- (connect to server's public IP @ tcp port 21) ------> firewall / NAT ---------> server (listening at its private IP @ tcp port 21)

Based on the logged information captured at the server, the following facts can be confirmed:

Client's socket connection reached server through firewall/NAT;
Server subsequently rejected client's connection as the SSL handshake failed after the socket was connected;
Another client can connect to the same server locally (i.e. without going through firewall/NAT) and the SSL handshake completes successfully

The connection from the client to the server is an SSL socket; the listening port at the server is TCP port 21 at the server's private IP address. We may need to verify:

Client was trying to connect to the correct public IP address at the server side, which is mapped to server's private IP address via NAT;
Firewall/NAT rules allow an SSL connection to go through and connect to server's private IP address;
Again note that although we are using port 21 at the server, the protocol is not FTP and it is also not HTTPS. It just needs to be a TCP listening port for accepting incoming connections from outside the NAT.
SOLUTION

ASKER


Check out the EE thread id 27298130 for details of the software & issues encountered

ASKER


http://geekswithblogs.net/Lance/archive/2005/08/23/50912.aspx
Refer to the link above; seems like the Ftp software that I have only supports
option 1 in the Solution section & that did not work (possibly because the
software did not allow us to specify the public address).
SOLUTION

ASKER


I'm on Win2003.  The remote end belongs to my customer &
it's also on Win2003 & the customer wanted to continue to
use this current Ftp server (but this time with SSL enabled).

I can't ask the customer to change to another ftp server.
The customer does not accept my proposal of me building
a permanent ssh tunnel / VPN even though what I need is
just freeware like putty & a free ssh server.  It will work
if I place the ftp server on a subnet that grants it a public IP
address (ie without undergoing any NAT) but it won't work
when this ftp server is behind a firewall with NAT'ing.

So isn't there some sort of freeware virtual adapter which
I can run on the ftp client to auto-translate the address so
as to implement something like what's suggested in Point 2
of the Solution section in the link I posted earlier, ie:

Some FTP clients (including IPWorks components) can be smart enough to try the ip
 address specified by the server in the response to the PASV command, and if that
fails, fall back to the same ip address that the initial connection was made to
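Point 2 quoted above, worked through as an added example (not code from this thread, from the linked post, or from any FTP product named here): a Python sketch of a NAT-aware passive-mode client. It parses the 227 PASV reply and, when the server advertises an RFC 1918 private address (the one the firewall/NAT cannot rewrite inside the SSL-protected control channel) or the connection to that address fails, reuses the public address the control connection was opened to. The `connect` parameter is an assumption added so the fallback can be exercised without a network; all sample addresses are constructed.

```python
import ipaddress
import re
import socket

# A 227 reply looks like "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# RFC 1918 ranges: unreachable across the Internet, so a server behind NAT that
# advertises one of these in its PASV reply produces exactly the failure above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (host, port) from a 227 PASV reply, or raise ValueError."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def is_rfc1918(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in RFC1918)


def choose_data_address(reply, control_peer):
    """control_peer is the public IP the control connection was opened to.
    A private advertised address (the TLS-wrapped control channel stops the
    firewall/NAT rewriting it) is replaced by control_peer, keeping the port."""
    host, port = parse_pasv(reply)
    return (control_peer if is_rfc1918(host) else host), port


def open_data_connection(reply, control_peer, connect=socket.create_connection, timeout=5):
    """Try the advertised address first and fall back to control_peer if it fails.
    connect is injectable (assumption, for offline testing); the default is
    socket.create_connection and the return value is whatever connect returns."""
    host, port = parse_pasv(reply)
    targets = [host] if host == control_peer else [host, control_peer]
    errors = []
    for target in targets:
        try:
            return connect((target, port), timeout=timeout)
        except OSError as exc:
            errors.append(f"{target}:{port} -> {exc}")
    raise OSError("data connection failed: " + "; ".join(errors))
```

Option 1 from the linked post (configuring the server to advertise its public address in the 227 reply) makes the pre-check in `choose_data_address` a no-op; the fallback in `open_data_connection` still covers servers that cannot be configured that way.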

ASKER

I'll try another thread