
Re: [FW1] MS FTP behind NAT




Glenn,

We have the same need and the very same problem here.

It's a router (the one NATing your PCs) issue.

Our problem appeared when I replaced our NAT router (a CISCO 1605) with a 2504 with a different configuration.

Since then, depending on the traffic going through the router, it may work or not. For example, in the morning it works perfectly, but when people start browsing, FTP connections fail. Note that it happens with all FTP clients, not only MS FTP but also with Cute FTP or WS FTP Pro.

Connecting a laptop directly behind the firewall (bypassing NAT) allows you to connect to an FTP site, while on a computer behind the router it fails.

I'm just starting to check the router configuration and associated error messages, but I think I'll probably go back to my previous router.


If I find something, I'll let you know.

See you soon,

Aldo Calzolari,
Impiric Interactive France




Glenn Mabbutt <[email protected]>
Sent by: [email protected]
28/06/2001 00:23

To: "'[email protected]'" <[email protected]>
cc:
Subject: [FW1] MS FTP behind NAT



I'm having a rather irritating problem:  someone behind one of our FW-1 firewalls has to use Microsoft's command-line FTP (from win98, win2k, and winnt) as part of a batch script (I know it's junk, but the scripter won't use anything else).  I tried it behind a different FW-1, and it worked.  Here is the common configuration between the 2 firewalls:

- FW-1 4.1 on NT sp 6a
- hosts are being NATted, the test PCs are statically mapped to valid IPs (doing it without the static NAT gives a host of errors)

- ftp is enabled in the rulebase for outbound connections

Here's what's different between the 2 firewalls (firewall A functions properly, firewall B does not):

- firewall A is running FW-1 service pack 2, firewall B is running FW-1 service pack 3

- SYNDefender is set to "none" on firewall A and is set to "passive gateway" on firewall B

- under "logs and alerts" in Policy > Properties, "log established TCP connections" is checked on firewall A and is unchecked on firewall B.

Those are the only differences I can find.  What happens when I try to connect to an ftp server behind firewall B is that I can log in, but when I try to do a directory listing or cd to a directory I get an error saying "invalid port command" - no such error from behind firewall A.

Any suggestions??

thanks,
Glenn



 
----------------------------------

   All contents © 2004 Network Presence, LLC. All rights reserved.