My new firewall is a Check Point [EMAIL PROTECTED]  My old firewall was a 
Watchguard SOHO.  I'm 100% certain it is a firewall issue, as my test FTP 
server works just fine from behind my old firewall, where the passive 
connections seem to fail through the new firewall.  

One thing I noticed - the passive connections that are failing seem to be making 
the connections okay, but the connection seems to hang when the "LIST" command 
is being executed.  I don't know much about FTP commands, but I'm guessing LIST 
is what tells the server to give a list of what's in the directory.  I don't 
know if this means anything, but hopefully someone might find this info useful 
or have another idea for me to try.

Thanks,

Scott Smith
Network Administrator

----------
Westside & Detroit Reprographics
An ARC Company

248.489.1999 office
[EMAIL PROTECTED]
----------





---------- Original Message ----------------------------------
From: "Randy Baker" <[EMAIL PROTECTED]>
Reply-To: [email protected]
Date:  Sat, 14 May 2005 06:58:23 -0400

We have run into this problem with Passive mode FTP in the past, but we
are in the process of moving to a Cisco PIX firewall.  In a previous
post, I had identified ports 2000 and up, it should have been 1024 and
up.

The following Cisco document seems to support this.  This document
supports opening ports from 1024 to 65535 by creating an access list.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v50/relnotes/pixrn503.htm

As for the fixup command on the Cisco PIX, I don't think that is the
solution.  The following documentation can be summarized as follows:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278b.html


The fixup command addresses issues with NAT and PAT Address
Translations.  To greatly simplify things, a packet generated from a
server in the Private network space is translated at the NAT server to
the external Public Address so that the remote end can get back to the
NATed server.  The problem is, it is only the IP Header that is modified
by NAT.  NAT does not modify the Private IP Addresses in the payload
from a higher layer in the OSI model.  The fixup command ensures that
all Private addresses get translated in the packet.

Also note that the strict parameter to the fixup command often breaks
FTP clients that are not RFC compliant.

Some firewalls do not have a functional equivalent of the fixup
command, and this will break things such as Oracle Client, as Oracle
also embeds the IP Address of the system in the payload.

Hope this helps.
Randy

Randy Baker, Systems Administrator, Information Technology
Georgian College of Applied Arts & Technology
1 Georgian Drive, Barrie, ON, L4M 3X9
(705) 728-1968 Extension 1183

"The difference between Genius and Stupidity,
is that Genius has its limits."
Albert Einstein

>>> [EMAIL PROTECTED] 05/13 6:15 pm >>>
If the server is set for passive connections, the server responds to
the client (in this case IE) connection with a port to connect back for
the data connection.  Your new firewall probably has these high ports
blocked by default.  You need to determine what range of ports is
defined on the WS-FTP Server for this purpose and open them on the
firewall.  I don't remember what the default range is, but it can be
changed to whatever you are comfortable with.

Keith

Keith A. Pass
AVP, Network Security,
Database Supervisor
AMCORE Financial, Inc.
501 7th St
Rockford, Il 61110
Telephone: 815.961.3809
Fax: 877.430.3019
Email: [EMAIL PROTECTED] 




>>> [EMAIL PROTECTED] 05/13/05 4:58 PM >>>
I would definitely look at the firewall. If it's a PIX you can probably
issue the "[no]fixup protocol ftp" command. I have seen similar things
with a Netscreen firewall, where I allowed in all the built-in
protocols: FTP, FTP-PUT, FTP-GET... And it did not work. Once I allowed
only the default FTP it worked fine.
I'm guessing it was working fine until you installed a new firewall.
Hope that helps.


Dan
   __o
 _-\<,
(_)/(_)____ 


-----Original Message-----
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Scott Smith
Sent: Wednesday, May 11, 2005 10:58 AM
To: [email protected] 
Subject: Re: [WS_FTP Forum] Passive FTP and firewall and Internet explorer

We're using WS_FTP Server 5.0.  I'm not talking about WS_FTP Pro at all,
to the best of my knowledge the customers in question are all using
Internet Explorer 6 to access the FTP site.

Scott Smith
Network Administrator
248.489.1999
[EMAIL PROTECTED] 

Westside & Detroit Reprographics
An ARC Company
-------------------------------------------------
----- Original Message ----- 
From: "Grimard, Ronald L" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Wednesday, May 11, 2005 1:47 PM
Subject: RE: [WS_FTP Forum] Passive FTP and firewall and Internet explorer


Scott....what version of ws-ftp pro are you using?...and what version
of ws-ftp-server are you running?

By default passive mode is turned on in ws-ftp pro,

Ron

-----Original Message-----
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Scott Smith
Sent: Wednesday, May 11, 2005 1:14 PM
To: WSFTP Forum
Subject: [WS_FTP Forum] Passive FTP and firewall and Internet explorer

I've been having an issue with many customers who can't access our FTP
site.

I believe every one of them is using IE to browse to the FTP site.  I
tried connecting myself from outside our network, and I couldn't even
get in.  That is, until I disabled the passive ftp option in the
Internet Options in Windows.  As soon as that passive ftp option was
disabled, I was able to get right into the FTP site.  I believe that my
customers are probably having the same problem.  The only thing that
changed recently was we have a new firewall in place.

I'm already asking the firewall manufacturer if there are any issues
with passive ftp, but I want to ask the forum if any of you have any
input on this?

Thanks,

Scott Smith
Network Administrator
248.489.1999
[EMAIL PROTECTED] 

Westside & Detroit Reprographics
An ARC Company
------------------------------------------------- 



Please visit http://www.ipswitch.com/support/mailing-lists.html 
to be removed from this list.


An Archive of this list is available at:
http://www.mail-archive.com/wsftp_forum%40list.ipswitch.com/ 
