
iis ftp : PassivePortRange problems with external connections (IIS5+W2k.sp4)



Oliver Pfeiffer
11/14/2004 10:22:16 PM
Hi,

we are having problems with passive port ranges on an IIS v5 server running
under Windows 2000 Server (SP4) ...

The system has two network cards (one for LAN and one for WAN access) and
uses a firewall with an open port range for incoming FTP data connections
(in passive mode).

We added the registry entry "PassivePortRange" to limit the ports for
passive connections to 8501-8600 and open this range in the firewall (and
set up a port forward).

This setting works well for all connections from LAN (passive ports will be
bound in the limited range) but not for incoming connections from WAN
(passive ports will be still in the range around 60000 and certainly no
data will be transmitted).

Why doesn't the registry entry work for ALL incoming connections?


Here are the dumps of manual FTP (1st from LAN and 2nd from WAN):


220 bob Microsoft FTP Service (Version 5.0).
Benutzer (192.168.11.1:(none)): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
230 Anonymous user logged in.
ftp> quote "pasv"
227 Entering Passive Mode (192,168,11,1,33,141).


220 bob Microsoft FTP Service (Version 5.0).
Benutzer (80.135.202.31:(none)): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
230 Anonymous user logged in.
ftp> quote "pasv"
227 Entering Passive Mode (80,135,202,31,240,234).


Does anybody have an idea? We don't know what to do ...

Thank you in advance ...

--
cu
o.pfeiffer

ICQ# 84320006
eMail oliver.pfeiffer@gmx.net
--------------------------------------------
Alun Jones [MSFT]
11/15/2004 7:57:53 AM

The first "227" response comes from the FTP server unfiltered, and as you
note, it satisfies your passive port settings.

The second "227" response started at the FTP server, and was changed by your
firewall. Your firewall is obviously not just a firewall, but is also a
"NAT" router - Network Address Translation. That name, although common,
doesn't describe the full function of the device, because a NAT must also
translate ports - some people have even tried to get the term NAPT to be
used as a result, to express that ports and addresses are translated.

If you can run a Network Monitor capture on the side of the network inside
the firewall, you should find that the ports are being correctly requested
in the range you have asked for. Your router may be configurable to choose
what range of ports to map PASV responses into.

Alun.
~~~~
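The diagnosis above rests on reading the port out of each "227" reply and checking it against the configured PassivePortRange. The following is an added example, not code from the thread or from Microsoft: it decodes the six-number PASV reply per RFC 959 (port = p1*256 + p2), checks the result against the range the original poster configured (8501-8600), and runs the two replies quoted in the first post as constructed sample input. A reply that falls outside the range at the client but inside it in a capture taken on the server's side of the firewall is the sign of a NAT device rewriting the response.

```python
import re

# PassivePortRange as configured on the server in the thread (8501-8600).
PASSIVE_PORT_RANGE = (8501, 8600)

# RFC 959 "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply, or None if it does not parse."""
    m = PASV_RE.search(reply.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    # Every field is a single byte; reject anything a buggy or hostile peer pads out of range.
    if any(f > 255 for f in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(reply, port_range=PASSIVE_PORT_RANGE):
    """Classify a 227 reply against the configured passive range.

    ok=True  -> the port is one the server itself was allowed to choose.
    ok=False -> either the reply was rewritten in transit (NAT/ALG) or the
                PassivePortRange setting is not in effect on the server.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return {"ok": False, "reason": "unparseable"}
    ip, port = parsed
    lo, hi = port_range
    return {"ok": lo <= port <= hi, "ip": ip, "port": port}


# Constructed sample input: the two 227 replies quoted in the first post.
LAN_REPLY = "227 Entering Passive Mode (192,168,11,1,33,141)."
WAN_REPLY = "227 Entering Passive Mode (80,135,202,31,240,234)."

if __name__ == "__main__":
    for label, reply in (("LAN", LAN_REPLY), ("WAN", WAN_REPLY)):
        print(label, check_pasv(reply))
```

Running it shows the LAN reply decoding to port 8589 (inside the range) and the WAN reply to port 61674 (the "range around 60000" the poster saw), which is exactly the pattern that points at the router rather than the IIS setting.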

Oliver Pfeiffer
11/16/2004 8:44:41 AM
"Alun Jones [MSFT]" <alunj@online.microsoft.com> wrote in
news:edaZQ9yyEHA.2012@TK2MSFTNGP15.phx.gbl:


You're right, there is a NAT router (with port forwarding for the incoming PASV
port range) connected to bring the whole LAN into the internet ...

But I'm sure that the NAT router doesn't change the FTP response shown in
the 2nd answer. Certainly the router will dynamically map in/out TCP ports
of all packets to match the 1:n relation for WAN access, but if the router
handles FTP access explicitly the external connections should work fine; in
real life, though, the data connections couldn't be established, as mentioned
before.



I will check the port range by installing ethereal on the NAT router ...

--
cu
o.pfeiffer

ICQ# 84320006
eMail oliver.pfeiffer@gmx.net
--------------------------------------------
Alun Jones [MSFT]
11/17/2004 4:47:43 PM

No - the command line FTP client does not currently support passive mode.

Alun.
~~~~

Oliver Pfeiffer
11/17/2004 4:52:35 PM
"Alun Jones [MSFT]" <alunj@online.microsoft.com> wrote in
news:edaZQ9yyEHA.2012@TK2MSFTNGP15.phx.gbl:


Yeah, I solved it (ethereal did a good job): the problem was related to the
NAT router, as you already wrote -> the default dest IP address for the NAT
router was the server IP, so all FTP related connections reach the server,
but the NAT router needs an explicit rule for 20/21 (in addition to the
pasv port range) to handle the pasv mode correctly.

Now I added a rule (and explicit forward) to the router (for 20/21) and
everything works fine.

PS: Many thanks for your great help.

--
cu
o.pfeiffer

ICQ# 84320006
eMail oliver.pfeiffer@gmx.net
--------------------------------------------
Oliver Pfeiffer
11/17/2004 10:18:12 PM
"Alun Jones [MSFT]" <alunj@online.microsoft.com> wrote in
news:edaZQ9yyEHA.2012@TK2MSFTNGP15.phx.gbl:


BTW: is there any way to get the Win32 FTP console command to use passive
mode instead of the active one?

--
cu
o.pfeiffer

ICQ# 84320006
eMail oliver.pfeiffer@gmx.net
--------------------------------------------