[FW1] FTP Problem with double NAT





Hi everyone,

We're currently implementing a security configuration at one of our customers.
The design looks like this:

Router ---- Firewall-1 ---- DMZ ---- Linux Firewall ---- Internal network

The Linux Firewall hides the Internal Network behind a private address (its DMZ
interface address). Firewall-1, in its turn, only accepts packets from the Linux
firewall to go outside. Hence, Firewall-1 performs static NAT on the private
address of the Linux Firewall. Now here's my problem: clients on the inside
network are unable to set up a valid FTP connection to the outside. In the
Firewall-1 log there are the following entries:

source             dest               s_port   track     service   comment
..xxx.xxx          xxx.xxx.xxx.xxx    60104    allowed   ftp
xxx.xxx.xxx.xxx    xxx.xxx.xxx.xxx    60102    reject    ftp
reason: tried to open other port on host

When I try to establish a connection via the DOS prompt, I can log in to the
server, but when I then try to do a dir or ls, the connection breaks. In my
opinion the following happens: establishing the FTP control connection (port 21)
works fine: the Linux Firewall hides the address behind its own address and opens a
port for the connection (e.g. 60104). From the moment I try to open the FTP data
connection (port 20), the Linux firewall sees this as a new connection and
assigns another port to it (e.g. 60102). I am not sure about this. Does, in a
normal client-server FTP connection, the client use the same port for both the
control and the data connection? More specifically, does the client, once the control
connection is finished, open a data connection using the same port (e.g. 60104)?
Am I missing some big thing here? Has anyone had the same problem? Any help
would be greatly appreciated.

Thanks in advance,

TiM De Boeck
System Engineer (CCSA, CCSE)
Econocom Services
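The following is an added example for readers of this thread; it is not code from the original post, from Check Point or from the Linux firewall. It simulates what happens to an active-mode FTP PORT command on its way out through the two NAT hops in the design above. In active mode the client does not reuse the control connection's port: it listens on a fresh ephemeral port, announces that address and port in the PORT command on the control channel, and the server then connects back from its port 20. A NAT device therefore has to rewrite the PORT payload and pre-open the inbound data connection (an FTP application-level gateway); the simulation shows the server's target address with and without that rewrite at each hop. The addresses (inside client 10.0.0.5, Linux firewall DMZ address 192.168.1.2, Firewall-1 static-NAT address 203.0.113.10) and the hide-NAT port allocation starting at 61000 are constructed assumptions, not values from the post.

```python
"""Active-mode FTP PORT command through two NAT hops (constructed example).

Hop 1 is a hide/masquerade NAT that picks a new outside port; hop 2 is a
1:1 static NAT that keeps the port. Addresses are assumptions for the demo.
"""
from dataclasses import dataclass, field


def parse_port(cmd: str):
    """Parse 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); port = p1*256 + p2."""
    verb, _, args = cmd.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError(f"not a PORT command: {cmd!r}")
    fields = [int(x) for x in args.split(",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError(f"malformed PORT argument: {args!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_port(ip: str, port: int) -> str:
    """Build the PORT command for a dotted-quad address and a TCP port."""
    return f"PORT {','.join(ip.split('.'))},{port // 256},{port % 256}"


@dataclass
class NatHop:
    """One NAT device with an FTP ALG: rewrites PORT and remembers the pinhole."""
    name: str
    outside_ip: str
    static: bool                    # True: 1:1 NAT keeps the port; False: hide NAT allocates one
    next_port: int = 61000          # assumed allocation base for hide NAT
    expect: dict = field(default_factory=dict)   # (outside ip, port) -> (inside ip, port)

    def rewrite_port(self, cmd: str) -> str:
        inside_ip, inside_port = parse_port(cmd)
        if self.static:
            outside_port = inside_port
        else:
            outside_port = self.next_port
            self.next_port += 1
        # The ALG pre-opens the inbound data connection the server will make.
        self.expect[(self.outside_ip, outside_port)] = (inside_ip, inside_port)
        return format_port(self.outside_ip, outside_port)

    def inbound_data(self, dst_ip: str, dst_port: int):
        """Forwarding target for an inbound data connection, or None if no pinhole."""
        return self.expect.get((dst_ip, dst_port))


def traverse_outbound(cmd: str, hops) -> str:
    """PORT command leaves the client and is rewritten by each hop in order."""
    for hop in hops:
        cmd = hop.rewrite_port(cmd)
    return cmd


def traverse_inbound(dst_ip: str, dst_port: int, hops):
    """Server's data connection (from port 20) comes back through the hops in reverse."""
    for hop in reversed(hops):
        nxt = hop.inbound_data(dst_ip, dst_port)
        if nxt is None:
            return None                 # no pinhole at this hop: connection is dropped
        dst_ip, dst_port = nxt
    return dst_ip, dst_port


def demo():
    client_cmd = format_port("10.0.0.5", 60104)          # client listens on a fresh port
    linux_fw = NatHop("linux-fw", "192.168.1.2", static=False)
    fw1 = NatHop("firewall-1", "203.0.113.10", static=True)
    hops = [linux_fw, fw1]
    # Without an ALG the payload crosses untouched: the server would dial a private address.
    no_alg_target = parse_port(client_cmd)
    with_alg_cmd = traverse_outbound(client_cmd, hops)
    public_target = parse_port(with_alg_cmd)
    landed = traverse_inbound(*public_target, hops)
    return no_alg_target, with_alg_cmd, landed


if __name__ == "__main__":
    no_alg, rewritten, landed = demo()
    print("server target without ALG:", no_alg)
    print("PORT as seen by the server:", rewritten)
    print("data connection lands on:", landed)
```

The point of the simulation is that each NAT hop must see and rewrite the PORT command and open the matching inbound pinhole; if either device only translates IP headers, the server either dials an unreachable private address or its connection from port 20 arrives at a port nobody has opened. Passive mode (PASV) avoids the inbound connection altogether, which is why it is the usual workaround when the NAT devices in the path cannot all be trusted to do FTP inspection.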





================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
All contents © 2003 Network Presence, LLC. All rights reserved.