Actually it was easier than that, set your FTP server to look for port 10021 traffic, and set your FW to pass port 10021 traffic via NAT.
 
Here is the troubleshooting text.
 
 I solved the secure FTP problem, at least within the building here... Since you are trying to connect to an external server I'm not sure how much of this will apply to you, but it's something to try.

The problem I was having is not the FTP software, it's the firewall. The rulebase is set up to allow FTP traffic (port 21) to the FTP server, as you would expect. Because it is port 21, the firewall is enforcing FTP traffic only on that port.

However, because the port information in the header is encrypted, the firewall cannot verify that the data connection "belongs to" the control connection, and so immediately puts the ax to it.

To solve the problem, I set up a generic protocol on port 10021 (any port besides 21 works though) and did not specify that it was FTP. When I set up my secure FTP client to connect to port 10021 using explicit encryption and passive mode, it immediately connected! PORT mode did not work, only passive. Furthermore, even if I specifically define the protocol as FTP in the firewall rules, it still works, as long as it's not port 21.

My thoughts are that if you're trying to connect to this bank on port 21, their firewall may inherently be blocking it because it doesn't recognize it as FTP traffic. If you haven't tried it already, have them set up an object in their firewall that listens on port 10021 and does not specify a protocol. Try connecting via FTPS and passive mode to that address - it may just work!
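Added example, not part of the thread: a small, constructed Python model of the firewall behaviour described above. A stateful FTP helper attached to port 21 learns the passive data port from the cleartext "227" reply and opens a pinhole for it; once the control channel is TLS-encrypted it sees only ciphertext, never learns the port, and drops the data connection, whereas a generic rule on another port involves no helper at all. The helper class, the fake TLS record and the 203.0.113.10 address are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Simplified model of a stateful firewall's FTP helper (constructed for
# illustration; not any vendor's implementation).
PASV_RE = re.compile(r"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply: str):
    """Return (host, port) from a '227 Entering Passive Mode' reply, else None."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

@dataclass
class FtpHelper:
    """Tracks PASV pinholes learned from the control channel on inspect_port."""
    inspect_port: int = 21
    pinholes: set = field(default_factory=set)

    def observe(self, server_port: int, segment: bytes) -> None:
        """Inspect one server->client segment of the control connection."""
        if server_port != self.inspect_port:
            return                      # generic rule: helper is not attached
        try:
            text = segment.decode("ascii")
        except UnicodeDecodeError:
            return                      # TLS record: ciphertext, nothing learned
        pasv = parse_pasv(text)
        if pasv:
            self.pinholes.add(pasv)

    def data_verdict(self, server_port: int, target: tuple) -> str:
        """Decide the client's data connection to target=(host, port)."""
        if server_port == self.inspect_port:
            # FTP enforcement: the data connection must match a learned pinhole
            return "ALLOW" if target in self.pinholes else "DROP"
        return "ALLOW"                  # generic rule: plain port policy only

def simulate(server_port: int, encrypted: bool) -> str:
    """Replay a constructed control reply and return the data-connection verdict."""
    reply = b"227 Entering Passive Mode (203,0,113,10,39,16)\r\n"
    if encrypted:
        # Fake TLS application-data record standing in for the encrypted reply
        reply = b"\x17\x03\x01\x00\x2a" + bytes(range(0x80, 0xaa))
    fw = FtpHelper()
    fw.observe(server_port, reply)
    return fw.data_verdict(server_port, ("203.0.113.10", 39 * 256 + 16))
```

Running simulate(21, True) returns "DROP" while simulate(10021, True) returns "ALLOW", which is the behaviour change the post observed when moving FTPS off port 21.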



>>> [EMAIL PROTECTED] 08/28/03 08:36PM >>>
Hi SethTracy and Peter,
 
If you don't mind sharing, we'd like to hear more about the double NAT configuration after you have completed or gotten far enough into your system testing.  Pete's suggestion to set the external IP address on Pro 8 is the quick approach to try, but if you end up using the double NIC, we'd like to hear the results of that approach too.
 
Depending on your findings, we may put together a Knowledge Base article or a case study so that we can share it with other customers using similar network topographies.
 
Thanks,
 
Kevin R. Gillis
Product Manager, WS_FTP Pro and Server
Ipswitch, Inc.
 
 -----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Seth Berger
Sent: Monday, August 25, 2003 9:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [WS_FTP Forum] Double nat problems

Thank you


>>> [EMAIL PROTECTED] 08/25/03 09:40AM >>>
Yes, but you may not like it very much.

1.) If using WS_FTP Server 4.01 set the options in "Firewall" to use your external IP address.  Likely is that a PASV connection is attempted and the client is attempting to connect to your private address space, not your global address space.  If that does not work... then here's the only fix I know:

2.) Put two NICs in your WS_FTP Server.  One NIC goes to your internal network.  The other NIC goes to your external network and has your public address on it.  Configure WS_FTP Server to use the external address, and set the port range from 1024-5000.  Set your default gateway on the external interface to be whatever your external gateway is (border router?).  DO NOT SET the default gateway on your internal NIC; instead use a persistent route statement for just your internal subnets. (E.g., if your internal address space is all in the 192.168.x.x range, you'd add (from a command prompt) ROUTE -p ADD 192.168.0.0 255.255.0.0 <gateway_ip address>.)  Finally, implement Access Lists on your external router to throw away inbound traffic destined for the external interface of the FTP server.  You'll want to allow TCP & UDP ports 20, 21 and the range from 1024-5000.  Throw everything else away.

good luck.

Pete

-----Original Message-----
From: Seth Berger [mailto:[EMAIL PROTECTED]
Sent: Monday, August 25, 2003 8:31 AM
To: [EMAIL PROTECTED]
Subject: [WS_FTP Forum] Double nat problems


I am running my ftp server internal, with an internal address of 192.168.x.x, and my external (internet) address 206.245.157.x.  I have a client that is trying to connect via the internet to my internal server, and they are running an internal address through a Checkpoint FW, and can't get data connection.  We are using SSL with a Verisign certificate. 

I tried from my house over DSL, and through a Linksys router from my NAT'd internal address, and it worked fine.

Anyone have any suggestions?

Client V8
Server v4.01

Thanks

Seth Berger
National Penn Bank
Information Technology, Network Support
(610)369-6623


...................................................................
This message is intended only for the use of the individual or
entity to which it is addressed and may contain information
that is privileged, confidential, and exempt from disclosure
under applicable law. If the reader of this message is not the
intended recipient you are hereby notified that any
dissemination, distribution, or copying of this communication
is strictly prohibited.