|
|
You're in the
iis ftp
group:FTP Login Issues
iis ftp:
I have setup FTP on a new 03 box. I have left the "Allow anonymous logins" as enabled. I'm able to connect to it while within the network. It does not prompt for a userID and password. It connects me right to the FTP root folder. On the firewall, I have allowed the FTP service rule for incoming traffic, and forwarded it to the IP address of the same machine. However, when I try to connect from the Internet, I get the Log On As window and "Either the server does not allow anonymous logins or the e-mail address was not accepted." error message. I click on the Log On Anonymously check box and it still doesn't let me thru. I put in a valid Domain Username/Password, I get a "Could not login to the FTP server with user name and password specified.". I take away the Anonymous Login policy on the FTP site, nothing doing. I try using the FTP IP_ADDR command. I get code "530 Access denied". What am I missing here people? Any help is appreciated!
[quoted text, click to view]
Tom Bombadill <Genius_poster@yahoo.com> wrote: > I have setup FTP on a new 03 box. I have left the "Allow anonymous > logins" as enabled. I'm able to connect to it while within the > network. It does not prompt for a userID and password. It connects me > right to the FTP root folder. > > On the firewall, I have allowed the FTP service rule for incoming > traffic, and forwarded it to the IP address of the same machine. What firewall are you referring to? FTP is not that easy, because of the separate connection for data transfers. Exactly what have you specified in the firewall? What allowance in the firewall have you made for passive-mode data connections? What configuration in the server have you made for passive-mode data connection port ranges? Is the firewall also doing NAT? Is the actual internal IP address of the FTP server the same as the one you use from the external internaet? Which port number is the FTP server listening on for control connections? [quoted text, click to view] > However, when I try to connect from the Internet, I get the Log On As > window and "Either the server does not allow anonymous logins or the > e-mail address was not accepted." error message. I click on the Log > On Anonymously check box and it still doesn't let me thru. I put in a > valid Domain Username/Password, I get a "Could not login to the FTP > server with user name and password specified.". I take away the > Anonymous Login policy on the FTP site, nothing doing. > I try using the FTP IP_ADDR command. I get code "530 Access denied". You appear to be using some third-party FTP client (which one?), which is concealing from you the actual FTP protocol exchanges. Please use a line-mode client or one which displays the FTP protocol exchanges, and post the actual FTP exchanges and error messages here. Can you be sure that you are actually connecting from the outside world to the correct internal FTP server rather than some other one? -- Robin Walker [MVP Networking] rdhw@cam.ac.uk
Hi Robin,
Thanks much for you're reply. [quoted text, click to view] >>What firewall are you referring to? It's the firewall device that separates our network from the Internet, as opposed to SW firewall on each machine. It's a Watchguard Firebox Edge 15. It's very decent. [quoted text, click to view] >>FTP is not that easy, because of the separate >>connection for data >>transfers. Exactly what have you >>specified in the firewall? I have only 'Allowed' the FTP rule for incoming traffic. And I have specified the IP address of the FTP Server for this rule. Nothing else. I believe that's pretty standard port forwarding procedure. I have done a similar thing before for VPN connections to an internal server, and it worked fine. [quoted text, click to view] >>What allowance in the firewall have you made for >>passive-mode data >>connections? None! Did not know any was required! Did not see any settings for Passive-mode data connections and I'm not familiar with that concept. [quoted text, click to view] >>What configuration in the server have you made for >>passive-mode data >>connection port ranges? Same as above! [quoted text, click to view] >>Is the firewall also doing NAT? Is the actual internal >>IP address of >>the FTP server the same as the one you >>use from the external internaet? Yes, the firewall does function as a NAT. So there's a range of private IP addresses used inside our network, and 1 public IP address used by the external interface of the Firewall/Router. The FTP server of course has a static private IP address. So when I want to access the FTP server from the Internet, I use the external IP address, and expect it to be forwarded to the FTP server specified on the Firewall. [quoted text, click to view] >>Which port number is the FTP server listening on for >>control >>connections? I tried specifying a port number after the IP address (:21). But when I submitted the change it automatically reverted back to the IP only. Please keep in mind that this is an existing rule. I only 'Allowed' it and specified the IP address. So I think it should be hitting the right port number. [quoted text, click to view] >>You appear to be using some third-party FTP client >>(which one?), which >>is concealing from you the actual >>FTP protocol exchanges. Please use a >>line-mode >>client or one which displays the FTP protocol >>exchanges, and >>post the actual FTP exchanges and >>error messages here. I'm using IE 6.0 as my client. What I do is I insert the external IP address of the firewall in the IE address bar as follows: eg ftp://157.16.218.12. I don't get any additional error messages beside the ones I have posted. If by line mode you mean using the FTP command from the command prompt, I enter the exact same line as above. At first, I get code 220 showing it has connected to the firewall. It then asks for my Username/Password. When entered, it displays code 530 Access denied. [quoted text, click to view] >>Can you be sure that you are actually connecting from >>the outside world >>to the correct internal FTP server >>rather than some other one? Considering the above, how do I verify that? I'm pretty sure that the IP address specified on the firewall is correct. I'm also pretty sure the FTP service works properly when connected from the inside. Thanks again for your help,
[quoted text, click to view]
Tom Bombadill <Genius_poster@yahoo.com> wrote: > Yes, the firewall does function as a NAT. So there's a range of > private IP addresses used inside our network, and 1 public IP address > used by the external interface of the Firewall/Router. The FTP server > of course has a static private IP address. So when I want to access > the FTP server from the Internet, I use the external IP address, and > expect it to be forwarded to the FTP server specified on the Firewall. Normally, running an FTP server behind a NAT router is a major headache, because: - there are two TCP connections, one for control on a known port, and one for data on an unpredicatble port number; - the control channel carries IP addresses, which NAT can invalidate. However, the Watchguard firewall seems to be an FTP-aware unit, that runs an FTP proxy to re-write some of the control commands, so you might not need to worry about some of these difficulties. [quoted text, click to view] > At first, I get code 220 showing it has connected to the > firewall. It then asks for my Username/Password. When entered, it > displays code 530 Access denied. I don't think that IIS-FTP ever says "530 Access denied", so I conclude that you have an issue with the Watchguard, which might need further configuration to permit your connections. -- Robin Walker [MVP Networking] rdhw@cam.ac.uk
do another simple test.
from remote machine, use ftp.exe to connect c:\>ftp.exe youriisftpserverip post the output here. -- Regards, Bernard Cheah http://www.iis.net/ http://www.iis-resources.com/ http://msmvps.com/blogs/bernard/ [quoted text, click to view] "Tom Bombadill" <Genius_poster@yahoo.com> wrote in message news:O36HC71fGHA.2188@TK2MSFTNGP05.phx.gbl... > Hi Robin, > > Thanks much for you're reply. > >>>What firewall are you referring to? > > It's the firewall device that separates our network from the Internet, as > opposed to SW firewall on each machine. It's a Watchguard Firebox Edge 15. > It's very decent. > >>>FTP is not that easy, because of the separate >>connection for data >>>transfers. Exactly what have you >>specified in the firewall? > > I have only 'Allowed' the FTP rule for incoming traffic. And I have > specified the IP address of the FTP Server for this rule. Nothing else. I > believe that's pretty standard port forwarding procedure. I have done a > similar thing before for VPN connections to an internal server, and it > worked fine. > >>>What allowance in the firewall have you made for >>passive-mode data >>>connections? > > None! Did not know any was required! Did not see any settings for > Passive-mode data connections and I'm not familiar with that concept. > >>>What configuration in the server have you made for >>passive-mode data >>>connection port ranges? > > Same as above! > >>>Is the firewall also doing NAT? Is the actual internal >>IP address of >>>the FTP server the same as the one you >>use from the external internaet? > > Yes, the firewall does function as a NAT. So there's a range of private IP > addresses used inside our network, and 1 public IP address used by the > external interface of the Firewall/Router. The FTP server of course has a > static private IP address. So when I want to access the FTP server from > the Internet, I use the external IP address, and expect it to be forwarded > to the FTP server specified on the Firewall. > >>>Which port number is the FTP server listening on for >>control >>>connections? > > I tried specifying a port number after the IP address (:21). But when I > submitted the change it automatically reverted back to the IP only. Please > keep in mind that this is an existing rule. I only 'Allowed' it and > specified the IP address. So I think it should be hitting the right port > number. > >>>You appear to be using some third-party FTP client >>(which one?), which >>>is concealing from you the actual >>FTP protocol exchanges. Please use a >>>line-mode >>client or one which displays the FTP protocol >>exchanges, >>>and post the actual FTP exchanges and >>error messages here. > > I'm using IE 6.0 as my client. What I do is I insert the external IP > address of the firewall in the IE address bar as follows: eg > ftp://157.16.218.12. I don't get any additional error messages beside the > ones I have posted. If by line mode you mean using the FTP command from > the command prompt, I enter the exact same line as above. At first, I get > code 220 showing it has connected to the firewall. It then asks for my > Username/Password. When entered, it displays code 530 Access denied. > >>>Can you be sure that you are actually connecting from >>the outside world >>>to the correct internal FTP server >>rather than some other one? > > Considering the above, how do I verify that? I'm pretty sure that the IP > address specified on the firewall is correct. I'm also pretty sure the FTP > service works properly when connected from the inside. > > Thanks again for your help, > > > > > >
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |