
iis ftp : Changing the way IIS answers to PASV commands?


Selroth
9/18/2004 4:49:09 PM
Running a Win2k (SP4) IIS 4 FTP server behind a Linksys router (or trying to).
LAN IP address of server is 192.168.1.5
LAN IP of router is 192.168.1.1
LAN IP of my PC is 192.168.1.2

First of all, I thank you for your time and effort.

Now, I set up IIS and have gotten it to the stage where I can connect to it
through my LAN, but not the WAN (Internet). There are two issues I'd like to
address:

Primarily, when I connect through the WAN (from 192.168.1.2 to
192.168.1.5:21), send the PASV command, it replied with "227 Entering Passive
Mode (192,168,1,5,4,90)." Perfect, I can do that. It works.
HOWEVER, when I connect through the WAN, (from 68.35.78.247 to
68.35.78.247:21), send the PASV command, it replies with "227 Entering
Passive Mode (192,168,1,5,4,91)." But wait, I can't connect to that! It's
giving me a local IP address when I need a WAN IP address. So, how do I tell
IIS its WAN IP address so people on the internet can connect?

Secondly, port 1024-4000~ are used for other things on my network, and I
don't really want them to be FTP data ports. I found documentation that says
you can add a registry key to the tcpip service with regedit. I did, but for
one, it didn't have an effect on the PASV replies, and two, that's just the
tcpip port range. Microsoft documentation also says the security risk of
listing PASV ports sequentially has been fixed with SP4, but it wasn't; they
still seem pretty darn sequential to me.

Lil' help? And IIS 6 I tried a while ago and had the same problems (my PC
is WinXP, but I don't have another legal copy of it so I have to use Win2k on

Selroth
9/19/2004 2:59:03 PM
Thank you for your response. I made a mistake before. For one, I'm running
IIS 5, not 4. That was a typo. Second, I managed to fix the passive port
range stuff. Like an idiot, after modifying the registry I went to try it
and complained it didn't work. Forgot I had to reboot :) Whoops. Well, that
works now.

However, there is still the issue of the IP address. What you said doesn't
really help me at all but sounds like it's hopeless? I just need to tell IIS
my external IP address. I mean, just about every network program has that
field. And it's not like no one runs IIS behind a router. NAT, on my
router, I believe is set up just fine. It'd get thoroughly confusing and
require an additional computer to give my FTP server an IP address the same
as my internet IP.

I've found no registry values I can add to modify this. I've found none I
can modify. The only relevant thing is in the IIS plugin for MMC, going into
properties of the FTP site, under the name of the FTP server there's
the-ever-so-vague field of "IP Address". I was thinking this was what I was
looking for. However, it's a drop-down and the only listed IP addresses are
the IP addresses specified in Network Properties of my computer (in control
panel). I can add my internet IP address as a secondary IP harmlessly
enough, and then select it from the list. However, doing that, the FTP
service no longer seems to run when any computer but itself connects to it.
It goes through, but when telnetting to it, it just says "Press any key to
continue..." then kicks me off.

I'd think that field is for IP addresses the FTP service will only work for,
but then why the list of IP addresses only configured in Network Properties??
I am thoroughly confused with this field, if it's even what I want, or how I
use it. And the help file is worth shiznit!

Bernard
9/20/2004 12:08:23 AM
The local IP address you see is by design.
Something to do with NAT, and it's related to invalid port command error
msgs.

About the passive port range: if you configured it correctly, it will work.
Double-check again.
How To Configure PassivePortRange In IIS
http://support.microsoft.com/?id=555022


--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/




Bernard
9/20/2004 11:57:15 AM
Regarding the IP issue, it's not an IIS FTP issue.
This is how NAT works, translating address and port from the external request to
the internal IP and port.

You can put it as a NAT bug or etc.
Those details are necessary for NAT to correctly map between internal and
external ports.

As for your last question, the IP address list field in IIS MMC:
what you see in the list box is the IP addresses configured on the box.
Since your external IP doesn't belong here, how can IIS FTP bind to that
address and route it correctly?

--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/




Selroth
9/20/2004 2:37:03 PM
Again, I wish to thank you for your time, Bernard. It is most appreciated
and you are helping me understand things further.

However, my questions still pretty much remain. I apologize, but maybe I
have been misunderstood.

The critical thing I need is for IIS to reply to PASV commands with an IP
address the client can connect to. In the IIS snap-in, if I leave the "IP
Address" drop-down box at "<all unassigned>", I get these results:

Working in front of the server with telnet:

--> o localhost 21
220 BLITZ Microsoft FTP Service (Version 5.0).
--> USER Selroth
331 Password required for Selroth.
--> PASS ******
230 User Selroth logged in.
--> PASV
227 Entering Passive Mode (127,0,0,1,195,82).
--> QUIT

--> o 192.168.1.5 21
220 BLITZ Microsoft FTP Service (Version 5.0).
--> USER Selroth
331 Password required for Selroth.
--> PASS ******
230 User Selroth logged in.
--> PASV
227 Entering Passive Mode (192,168,1,5,195,83).
--> QUIT

--> o 68.35.78.247 21
220 BLITZ Microsoft FTP Service (Version 5.0).
--> USER Selroth
331 Password required for Selroth.
--> PASS ******
230 User Selroth logged in.
--> PASV
227 Entering Passive Mode (192,168,1,5,195,84).
--> QUIT

I get the same results (excluding the first, localhost) when connecting from
my PC 192.168.1.2. Asking friends to connect with telnet, they get the same
as well.

This is how my simple home network is set up:

Internet
|
|}68.35.78.247
|
Modem
|
|}68.35.78.247
|
Linksys Router w/ 4-port switch (192.168.1.1)
| | | |
| | | |
| | | |}192.168.1.5
| | | Server
| | |
| | |}192.168.1.4
| | Laptop
| |
| |}192.168.1.3
| Secondary PC
|
|}192.168.1.2
Primary PC

Now, NAT is Network Address Translation, correct? The router's job is to
perform that. It interfaces with 68.35.78.247 on one end, and breaks it up
to 192.168.1.* on the other (I have a mask of 255.255.255.0). It is not
running DHCP, all the computers are assigned an IP address manually.

Where is the problem in this NAT setup? Where is this bug? My server
should indeed only see 192.168.1.5, unless something tells it to use the
external IP address of 68.35.78.247. Does the software not allow me to have
my server behind a router, but rather a raw and direct connection to the
Internet (or at least, modem)?

If there is a way for the server to gain the external IP address, I would
like to know it. I'm not afraid to play with the registry or metafile if
that's what it takes. However, it seems to me that what I'm trying to do
here is a common thing, I just have a blind spot or such.

Thanks for your understanding. I'd like to reward you somehow if I could,
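
Added example, not part of the thread and not code from any poster: a Python sketch that decodes the 227 replies quoted above and shows a client-side fallback to the control-connection address when the advertised one is not routable. The function names are hypothetical, and `localhost` from the first session is written as 127.0.0.1.

```python
import ipaddress
import re

# 227 replies copied from the telnet sessions in the thread, paired with the
# address the client dialled for the control connection.
SESSIONS = [
    ("127.0.0.1", "227 Entering Passive Mode (127,0,0,1,195,82)."),
    ("192.168.1.5", "227 Entering Passive Mode (192,168,1,5,195,83)."),
    ("68.35.78.247", "227 Entering Passive Mode (192,168,1,5,195,84)."),
]
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_pasv(reply):
    """Decode a 227 reply into (IPv4Address, port); port = p1 * 256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    nums = [int(n) for n in m.group(1).split(",")]
    if max(nums) > 255:
        raise ValueError("field out of range in %r" % reply)
    return ipaddress.IPv4Address(".".join(map(str, nums[:4]))), nums[4] * 256 + nums[5]


def data_endpoint(control_host, reply):
    """Pick the host a client should dial for the data connection.

    Returns (host, port, rewritten). When the advertised address is not
    globally routable and differs from the control-connection address, it is
    unreachable from outside the NAT, so the control host is used instead.
    """
    ip, port = parse_pasv(reply)
    if ip != ipaddress.IPv4Address(control_host) and not ip.is_global:
        return control_host, port, True
    return str(ip), port, False


def ports_sequential(replies):
    """True if successive replies hand out ports that each increase by one."""
    ports = [parse_pasv(r)[1] for r in replies]
    return all(b - a == 1 for a, b in zip(ports, ports[1:]))


if __name__ == "__main__":
    for host, reply in SESSIONS:
        print(host, "->", data_endpoint(host, reply))
    print("sequential:", ports_sequential([r for _, r in SESSIONS]))
```

The fallback only helps if the router also forwards the passive port range to 192.168.1.5.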