Can't FTP out 1

Status
Not open for further replies.

vich

Technical User
Sep 26, 2000
107
US
I am not sure if this is too complicated or not but here is my problem. Any ideas would be appreciated.

I have a recently installed server running Windows Server 2003 with 2 NICs. When it was initially installed, the company which installed it also installed a Netgear ProSafe VPN firewall. It kept crashing, usually when we were emailing. They removed the firewall and connected the DSL modem to the second NIC. At some point after that, not sure when, one of our applications stopped transmitting data. The application vendor had us test using FTP, which fails with an opening folder error. The interesting part is that it only fails when using a PC on the network. If I try on the server it will connect to other sites. I do know that the IT company helping has configured the server to route the IPs to allow us to remote desktop in. They have been fiddling with it all day and seem stumped.
Does anyone have any suggestions or is this too complicated?
Any help will be greatly appreciated.
 
It is not SBS. We are running Windows Server 2003 R2. I don't think ISA is running; how can I confirm?

Thanks for responding
 
Is it configured that 1 nic on the server has an internal ip address (192.168.0.1 for example) and the second nic has a public IP Address? This sounds like a routing problem, since the machine that is directly connected to the Internet can FTP.

If you look in Start - Programs, you will know right away if ISA is installed. It should be a program group and there should be an ISA Management tool. If it is installed, you probably need to create a rule to allow FTP out and in from the local network.

If you're not using ISA, I'm not sure how to configure a Windows server as a router, which sounds like what you are doing. Maybe you should check the Windows 2003 built in firewall configuration also.
 
The 2 NICs are configured differently, as you described: the one id'd as "Ethernet adapter WAN" has our static IP address and the one id'd as "Ethernet adapter LAN" has the internal (192.168.1.1) address.

I don't have a program group with ISA Mgmt Tool. Looks like the server is doing the routing, which it seems like I remember them saying to use temp until a hardware-based firewall could be installed.

I can't access ControlPanel\Windows Firewall because I get a message "Windows Firewall can not run because another program or service is running that might use the network address translation component IPNat.sys"

Thanks for the suggestions
 
OK - that message makes sense. It means that you are probably running RRAS on the server (Routing and Remote Access). Unfortunately, I don't use RRAS so I can't offer much help on it. If your consultants or others on this forum can offer some suggestions you might make some headway. I believe RAS has its own built-in firewall. I'm not sure how difficult it is to allow FTP for the internal network through the firewall, but that seems to be what you need to do.
 
pgailardo is on the right track, can you confirm that RRAS is running on your server?

Another thing I would ask you to do is run the route print command from the command prompt. You should have a default route pointing to 0.0.0.0 - If you have two default routes it would cause routing issues with your servers, as you (can) but should not have two default routes.
CMD - c:\route print
This is usually caused by two NICs pointing to two different subnets, both of which have default gateways set in their TCP/IP properties.

If all looks good with the routing table, attempt pings and tracerts to internal and external IP addresses. If RRAS is running, look at the firewall configuration for the cause of the issue.
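An added example, not part of the original thread: a Python sketch that reads `route print` output and reports every default route (the 0.0.0.0 / 0.0.0.0 rows), so a second gateway is easy to spot. Both sample tables are constructed, using the thread's LAN address and WAN netmask with documentation-range WAN addresses; the function names are hypothetical.

```python
import re

# One "Active Routes" row: destination, netmask, gateway, interface, metric.
ROUTE_ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)"
    r"\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)

def default_routes(route_print_output):
    """Return [(gateway, interface, metric), ...] for each 0.0.0.0/0.0.0.0 row."""
    found, in_active = [], False
    for line in route_print_output.splitlines():
        label = line.strip()
        if label.startswith("Active Routes"):
            in_active = True
            continue
        if label.startswith("Persistent Routes"):
            in_active = False  # persistent entries are listed separately
        m = ROUTE_ROW.match(line)
        if in_active and m and m.group(1) == m.group(2) == "0.0.0.0":
            found.append((m.group(3), m.group(4), int(m.group(5))))
    return found

def check(route_print_output):
    """Classify the table by how many distinct default gateways it lists."""
    gateways = {gw for gw, _, _ in default_routes(route_print_output)}
    if not gateways:
        return "no default route"
    return "multiple default routes" if len(gateways) > 1 else "single default route"

# Constructed sample: only the WAN NIC has a default gateway.
HEALTHY = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1     203.0.113.2     20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
      192.168.1.0    255.255.255.0      192.168.1.1     192.168.1.1     20
      203.0.113.0  255.255.255.248      203.0.113.2     203.0.113.2     20
Default Gateway:       203.0.113.1
Persistent Routes:
  None
"""
# Constructed sample: the LAN NIC was also given a gateway (192.168.1.254).
EXTRA = "          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.1     20\n"
TWO_DEFAULTS = HEALTHY.replace("        127.0.0.0", EXTRA + "        127.0.0.0", 1)

if __name__ == "__main__":
    for name, table in (("healthy", HEALTHY), ("two defaults", TWO_DEFAULTS)):
        print(name, "->", check(table), default_routes(table))
```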
 
We do have RRAS running.
I am not sure how to read the routing table.
The 2 NICs do have different subnets: the WAN is 255.255.255.248 and the LAN is 255.255.255.0.
The LAN does not have a default gateway while the WAN is one of our static IP addresses.

I'm not sure if this is too complicated or not but I appreciate the help. I am not getting much from our support company so I am trying to figure out myself.

Has the info I've given helped any?
 
Since you are using RRAS to link between the outside and your internal network, I can't stress enough the importance of making sure you understand the effect of any changes you make.
To see the routing table - open RRAS and under IP Routing you may see "Static Routes" - if you do, right-click and choose "Show IP Routing Table".
 
WhoKilledKenny - I clearly understand your point. I have managed large IT shops but never was into the details of the network like this. I am just trying to see if there is something I can see with everyone's help (MANY THANKS, by the way). I understand conceptually much of what has been discussed but have never had to work in that level of detail.

My IT support company is not taking care of us and seems to be stumped and too busy, so I may be shopping. Anyway, my problem is one of my apps won't send out jpg files. They had us test by trying to FTP to their site, which fails. I can FTP on the server but not on any of the network-attached PCs.

This may be futile to resolve this way but I do appreciate any assistance.
 
Sorry I couldn't follow up on my first post, but for what it's worth, a good consulting company's first recommendation should be to buy a real stateful packet inspection firewall instead of simply letting NAT/PAT be your only real form of protection. If someone attacked your network right now, you would be pretty vulnerable.
 
I think WhoKilledKenny nailed it when he said to check the firewall configuration on RRAS. It definitely sounds like port 21 is blocked for the internal network. Like I said, I don't know how to configure the firewall on RRAS, but I think that is the place to start looking.
 