FTP Connection timeout issue 1

[zoeythecat]

Hi All,

I have a server where I setup a FTP Server (VIA IIS). Confident I setup everything properly. I setup the permissions to the folder the users will be transferring files from. On this server there is NAT setup for external IP. I'll call this servers IP Address internally (192.168.60.1) and the NAT as (12.16.86.10) just for example. From my workstation internally I can FTP no problem. When I am outside our network and I try to connect via my FTP program using IP 12.16.86.10 it appears it wants to connect but then I get a connection error.

On our Checkpoint firewall we setup rules to accept FTP traffic to this server. I'm not too familar with the firewall and configuring the rules. But again it appears that FTP Port21 is open for this server. Could I be overlooking anything?

TIA for any suggestions.

Zoey

 

[rn4it]

Have you looked in the logfile to see if it is being accepted or not? Also is your NAT rule 2way? confirm that the FW is NATing properly.

 

[zoeythecat]

I will check the logfile (I assume the logfile you are talking about is the log from the Firewall?). The NAT rule I believe is 2 way. The internal IP Address is configured with the NAT tab being configured with the 12.x address. This same rule allows us access via OWA so I know the rule is working in that regard, so I know NAT is working.

Thanks for your input.

 

[Piloria]

check you are using static NAT and not hide NAT

 

[zoeythecat]

Piloria,

We are using static NAT.

Are there any known issues with FTP and NAT?

 

[Piloria]

a few things to check
if you can do a port scan to the FTP servers IP address (see if port 21 is open)
when you try and connect to the FTP server are you getting any entries into the firewall logs showing an attept to connect to the FTP server.
Also if the connection through the firewall is ok are you getting any entries into the FTP servers logs showing an attempted connection?

As for NAT and FTP there are no problems that i know of.

 

[rn4it]

The only issue with FTP that I know of is if you have automated multiple files being FTP'd through the firewall. It seems to be noticed more if it's many small files(less then a Meg), rather then many large files(5MB+). This is caused by a script that runs in CP anytime data is sent on a different port then requested on. This is a known issue and there's a resolution listed for it.

 

[michaylukr]

What version of Checkpoint software are you running? There are issues with FTP for 4.1 that I know of, if that's what you're on. The links for the problems and their fixes are:

http://www.firewall-1.org/2001-02/msg00414.html

https://citadelle.intrinsec.com/mailing/current/HTML/ml_firewall-1/18418.html

Maybe those will help.

 

[zoeythecat]

Michaylukr,

Looks like an awesome link that may take care of my problem (hopefully). The software I use to create and monitor the policies is called Checkpoint Smartdashboard (R54). I believe it is version 5 and not 4.1. Would this still apply here? We did have Checkpoint 4.1 but when we upgraded the software we use is Checkpoint Smart Console R54

Thanks much for the links

 

[michaylukr]

I don't know if those problems still exist in NG (that's the equivalent to v5, sorta . I did find the following that seemed to talk about the same problems under NG:

http://www.firewall-1.org/2002-05/msg00485.html

Of note, is that they mention that Checkpoint warns against manually editing base.def anymore and calling support. When your connection fails, do you see a reject in your logs?

 

[zoeythecat]

I will test the FTP connection to see if I can see any reject activity in the logs and post back on Monday.

Thanks a lot for your help and links.

 

[zoeythecat]

Problem solved,

Had 2 similar rules defined. 1 rule was specified to accept FTP, SMTP and the 2nd rule (with same destinations, same source, same server IP Address and NAT)was setup to accept FTP, HTTP. So when we turned on logging and installed the policy it showed the rule being in error. So I moved up HTTP into the first rule, disabled the 2nd rule then I tested FTP connection with no problems.

Thanks everyone for your help and thanks to michaylukr for the helpful links.