RE: [FW1] MS FTP behind NAT

To: "'[email protected]'" <[email protected]>

Subject: RE: [FW1] MS FTP behind NAT

From: "METE EMINAGAOGLU (IT)" <[email protected]>

Date: Sat, 7 Jul 2001 13:23:02 +0300

Title: RE: [FW1] MS FTP behind NAT

I have run into the same problem, and here is the answer to it: (provided by Mr. Anthony Garcia, thanks to him...)

>>Have you tried having the FTP client do "Passive" data transfer, where the data transfer listen socket is opened on the FTP server side? The default Windows command-line

>>FTP client does not support passive mode, but you can find other 3rd-party FTP clients that do...

In other words, as you' ve also said, running an alternative FTP Client program with "Passive data transfer enabled" option completely solves the problem.

MS-DOS ftp client and also, (not sure, but it seems so...) MS Internet Explorer's ftp doesn't have this option, so the problem is due to the ftp client programs of Microsoft.

-----Original Message-----
From: Loesch, John [mailto:[email protected]]
Sent: 05 Temmuz 2001 Perþembe 19:37
To: 'Glenn Mabbutt'
Cc: '[email protected]'
Subject: RE: [FW1] MS FTP behind NAT

Try using one of the many shareware FTP clients as a test. We bumped into this issue before and it seems to only occur when we're using the MS FTP client. We've never been able to pin down what is wrong, but changing FTP clients seems to "fix" the problem...

-----Original Message-----
From: Glenn Mabbutt [mailto:[email protected]]
Sent: Wednesday, July 04, 2001 1:14 PM
To: '[email protected]'
Subject: RE: [FW1] MS FTP behind NAT

Sorry, I meant to say that the "FTP-PASV" option was in fact checked on both firewalls (recall 1 worked, 1 doesn't), as is the "FTP-PORT" option on both firewalls. There was some suggestions in previous postings that disabling those options made them work?? so I tried that on the firewall that doesn't work, but still no luck. Any other ideas??

Thanks,
Glenn

-----Original Message-----
From: Reed Mohn, Anders [mailto:[email protected]]
Sent: Friday, June 29, 2001 4:00 AM
To: 'Glenn Mabbutt'; '[email protected]'
Subject: RE: [FW1] MS FTP behind NAT

There are multiple suggestions on solving such problems
in the list archives. ( www.securepoint.com <http://www.securepoint.com> ).

Try enabling passive-mode FTP on the FW.
(Under Policy->Properties)

Cheers,
Anders :)

-----Original Message-----
From: Glenn Mabbutt [mailto:[email protected]]
Sent: 28. juni 2001 00:23
To: '[email protected]'
Subject: [FW1] MS FTP behind NAT

I'm having a rather irritating problem: someone behind one of our FW-1
firewalls has to use Microsoft's command-line FTP (from win98, win2k, and
winnt) as part of a batch script (I know it's junk, but the scripter won't
use anything else). I tried it behind a different FW-1, and it worked.
Here is the common configuration between the 2 firewalls:

- FW-1 4.1 on NT sp 6a
- hosts are being NATted, the test PC's are statically mapped to valid IP's
(doing it without the static NAT gives a host of errors)

- ftp is enabled in the rulebase for outbound connections

Here's what's different between the 2 firewalls (firewall A functions
properly, firewall B does not):

- firewall A is running FW-1 service pack 2, firewall B is running FW-1
service pack 3

- SYNDefender is set to "none" on firewall A and is set to "passive gateway"
on firewall B

- under "logs and alerts" in Policy > Properties, "log established TCP
connections" is checked on firewall A and is unchecked on firewall B.

Those are the only differences I can find. What happens when I try to
connect to an ftp server behind firewall B is that I can log in, but when I
try to do a directory listing or cd to a directory I get an error saying
"invalid port command" - no such error from behind firewall A.

Any suggestions??

thanks,
Glenn

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================