Solved

Network Address Translation (NAT) / forwarding freeware on Win 2003 / XP

Posted on 2011-09-13
Last Modified: 2012-06-27

I have a passive ftp client product which connects to the same product's
ftp server: this works fine.  However, when SSL is enabled for this product,
there's an issue:

 client(private addr) >> Fwall Nat--> Internet  --> tcp 21 >> Fwall NAT --> server (private addr)

 server responds back

 Then SSL data transfer is supposed to start but it fails:
 client -- >    Internet over a range of fixed Tcp ports  --> server
         
The reason is that the client attempts to connect to the server's response session via the
server's public address.

Is there an address forwarding/translation software that can translate the server's
public addr to private addr?  If only the client PC's local hosts table would work, it would
solve this issue, i.e. in the client's \windows\system32\drivers\etc\hosts,
   private_addr   public_addr


Tweaking the firewalls at both the client's & server's ends has not worked so far, so
someone suggested this NAT software (hopefully it's freeware).


Building a permanent ssh VPN/tunnel between client & server should help,
but the customer doesn't want this (for unknown reasons).  Btw, if an ssh
permanent tunnel is built, will the server still be able to communicate with
other servers within its local subnet / domain?  With some VPNs (eg Cisco
VPN client), once the connection is established, my laptop can't access any
other networks / Internet other than the permitted destination VPN subnet.
Question by:sunhux
8 Comments
 

Accepted Solution

by:
MikeKane earned 167 total points
ID: 36529106
>>Reason is the client attempt to connect to the server's response session via the
server's public address.

How did he initiate the FTP session without a public IP?   Sounds to me like all you need is to flip the passive mode on the FTP client.




>>With some VPN (eg Cisco
VPN client, once connection is established, my laptop can't access any
other networks / Internet other than the destination VPN subnet permitted)


This is because the VPN config locks the client into sending all traffic to the remote subnet.   'Split-Tunneling' is the term used to describe tunneling only the traffic for the remote site, all else is sent through the normal gateway.


Author Comment

by:sunhux
ID: 36529582


client ---- (connect to server's public IP @ tcp port 21) ------> firewall / NAT ---------> server (listening at its private IP @ tcp port 21)

 

Based on the logged information captured at the server, the following facts can be confirmed:

Client's socket connection reached the server through the firewall/NAT;
Server subsequently rejected the client's connection, as the SSL handshake failed after the socket was connected;
Another client can connect to the same server locally (i.e. without going through the firewall/NAT) and the SSL handshake completes successfully.

The connection from the client to the server is an SSL socket whose listening port at the server is TCP port 21 at the server's private IP address. We may need to verify:

Client was trying to connect to the correct public IP address at the server side, which is mapped to the server's private IP address via NAT;
Firewall/NAT rules allow an SSL connection to go through and connect to the server's private IP address;
Again note that although we are using port 21 at the server, the protocol is not FTP and it is also not HTTPS. It just needs to be a TCP listening port for accepting incoming connections from outside the NAT.

Assisted Solution

by:jimmernet
jimmernet earned 333 total points
ID: 36529941
What are you using for the FTP server? If it's IIS 7/7.5 then you need to specify the passive port range that the FTP client will use, as well as specifying the FTP server's external NATted IP.

See this walkthrough....

http://learn.iis.net/page.aspx/309/configuring-ftp-firewall-settings/

In normal ftp, firewalls are able to track ftp control sessions set up on port 21. Any requests for data transfers on another port will be monitored, and the firewall will open that port. With SSL this control channel is encrypted, so firewalls cannot see this. So with IIS 7 you configure what port range you're going to use and map this range on the firewall for the external IP that the FTP server is NATted through.

Cheers

Author Comment

by:sunhux
ID: 36530986

Check out the EE thread id 27298130 for details of the software & issues encountered

Author Comment

by:sunhux
ID: 36533820

http://geekswithblogs.net/Lance/archive/2005/08/23/50912.aspx
Referring to the link above, it seems like the Ftp software that I have only supports
option 1 in the Solution section, & that did not work (possibly because the
software did not allow us to specify the public address).

Assisted Solution

by:jimmernet
jimmernet earned 333 total points
ID: 36535060
There you go... More eloquent than my response, but we're all swimming the same way... You'll have to try another ftp server, like I say, if you have win 2008, then you can download IIS ftp service ver 7.5 from http://www.iis.net/download/ftp for gratis. This works too... (if you're using win server 2008 R2, then it's in there already).

Does this answer things to your satisfaction?

Author Comment

by:sunhux
ID: 36535801

I'm on Win2003.  The remote end belongs to my customer &
it's also on Win2003 & the customer wanted to continue to
use this current Ftp server (but this time with SSL enabled).

I can't ask the customer to change to another ftp server.
The customer does not accept my proposal of me building
a permanent ssh tunnel / VPN even though what I need is
just freeware like PuTTY & a free ssh server.  It will work
if I place the ftp server on a subnet that grants it a public IP
address (ie without undergoing any NAT), but it won't work
when this ftp server is behind a firewall with NAT'ing.

So isn't there some sort of freeware virtual adapter which
I can run on the ftp client to auto-translate the address so
as to implement something like what's suggested in Point 2
of the Solution section in the link I posted earlier, ie :

Some FTP clients (including IPWorks components) can be smart enough to try the ip
address specified by the server in the response to the PASV command, and if that
fails, fall back to the same ip address that the initial connection was made to.
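Added example (not from any poster in this thread and not the FTP product's code): a small Python model of the client-side fallback the linked article's "Point 2" describes, which also illustrates jimmernet's explanation earlier in the thread. Because the 227 PASV reply travels inside the SSL session, the firewall's FTP helper cannot read or rewrite it, so only the client itself can notice that the advertised address is an RFC 1918 one and fall back to the address it used for the control connection. The block parses the 227 reply, checks the data port against the passive range the firewall is assumed to forward, and picks the endpoint. The addresses (203.0.113.10 from the documentation range, 192.168.1.20) and the port range 50000-50100 are constructed sample values, and `choose_data_endpoint`, `parse_pasv` and `DataEndpoint` are names invented for this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Tuple

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
# The data port is p1*256 + p2.
_PASV_RE = re.compile(
    r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# RFC 1918 ranges: never routable across the Internet, so a NATed server that
# advertises one of these is handing an outside client an unreachable target.
_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr lies in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in _RFC1918)


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Return (host, port) from a 227 reply, rejecting anything malformed."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV reply: {reply!r}")
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"malformed PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("PASV reply advertised port 0")
    return f"{h1}.{h2}.{h3}.{h4}", port


@dataclass
class DataEndpoint:
    host: str
    port: int
    reason: str


def choose_data_endpoint(control_peer: str, reply: str,
                         passive_range: Tuple[int, int] = (1024, 65535)) -> DataEndpoint:
    """Decide where the data connection should go.

    control_peer:  the address the client used for the control connection (port 21).
    passive_range: the port range the firewall forwards to the server; a port
                   outside it is dropped by the firewall even if the address is right.
    """
    host, port = parse_pasv(reply)
    lo, hi = passive_range
    if not lo <= port <= hi:
        raise ValueError(f"data port {port} outside forwarded passive range {lo}-{hi}")
    if is_rfc1918(host) and not is_rfc1918(control_peer):
        # Server behind NAT advertised its inside address to an outside client:
        # the only address the client knows to be reachable is the one it already
        # connected to, so reuse it (the "Point 2" fallback).
        return DataEndpoint(control_peer, port,
                            "PASV advertised an RFC 1918 address; reusing control-connection address")
    return DataEndpoint(host, port, "using address advertised in PASV reply")


if __name__ == "__main__":
    # Constructed sample: an outside client reached the server at 203.0.113.10,
    # but the server behind NAT advertises its inside address in the 227 reply.
    reply = "227 Entering Passive Mode (192,168,1,20,195,80)."
    ep = choose_data_endpoint("203.0.113.10", reply, passive_range=(50000, 50100))
    print(f"data connection -> {ep.host}:{ep.port}  ({ep.reason})")
```

The fallback only helps when the firewall already forwards the whole passive range to the server's private address; the range check raises rather than silently trying a port that would be dropped. A hosts file cannot stand in for this logic, since it maps names to addresses and the 227 reply carries a bare IP address, not a name.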

Author Closing Comment

by:sunhux
ID: 36560772
I'll try another thread