ftp problem - ok on port 99 but not on 21


Hfnet (IS-IT--Management, GB), Dec 31, 2003
We have had a server 2003 system running Filezilla Server quite happily until today. We had a Pix 501 firewall on the domain IP range (10.0.0.xxx) but had some issues which meant we had to move it onto a WAN port on the server and onto a different IP range (192.168.2.xxx).

Since then, we can start an ftp session but it disconnects on entering pasv mode. If I change Filezilla server to listen on port 99 it works fine.

Can anyone suggest a reason for it not working on 21 when it did before?
 
Starting an FTP session from where? A machine on the same network? The other side of the Pix?

Can you connect to the FTP server on the actual machine itself (i.e. connecting from itself... to itself..) Does that work?

I don't know what you mean by a WAN port on the server.... Another Ethernet port?

We need to understand your network topology more thoroughly (i.e. need a map of your network).

Rgds

Phil B

 
Trying externally, of course. You cannot browse to an external IP from inside because the Pix cannot route like that.

We have Router -> PIX -> Server01 WAN (NIC with 192.168.2.2 IP)

The server also has a LAN (NIC with 10.0.0.2 IP) so all routing goes outwards through server01 and out through the WAN port (We call them WAN and LAN to differentiate easily)

Routing inwards is controlled by the PIX. The router has our public Gateway IP with no rules, the PIX has a public interface of 1 IP higher than the gateway. The PIX has an internal IP of 192.168.2.1 and has translation rules for https, smtp, pptp, gre and ftp (in this case also a tcp rule for 99) which all route to the server01 WAN port.

The setup was the same effectively when the PIX was on the local network, just with a different internal IP and routed directly to 10.0.0.2 and the ftp worked fine. Now it almost looks like something is being blocked as it cannot connect fully, but the server WAN has no firewall and RRAS is not configured for a firewall either.

Hope this is enough information...
 
Can you FTP to the server from the server itself?
i.e. Can you prove FTP is actually working on the server by connecting from the server.. to the server?

We need to ascertain whether FTP is actually working on port 21. Assuming we can prove it is working, then we can work along the chain until it stops working.

Can you FTP from the PIX to the FTP server? You could prove this by using copy running-config ftp. This would allow you to copy your running config on to the ftp server and prove ftp is working.

You have translation rules on the Pix. Any ACLs that might be blocking 21?

 
Yes, like I said it was working fine on 21 until we changed IP addresses. The server is working fine if ftp'ing internally and from itself.

No special rules/ACLs, there is no abnormal setup here, just a basic vpn, email, browsing, ftp setup. All we did was change the internal IP and translation rule IP for server01, the rules remain as they were.

If you ftp from outside it connects, negotiates then falls over, so it's almost like a routing issue. We have enabled tcp 50000 - 50100 and specified this range in the ftp server.
 
Forgot to say, I'll try the running-config idea and post results.
 
FTP inspection may possibly help

FTP is a tricky protocol to get going.

I've enabled ftp inspection on our ASAs.

Here's a chunk of the config on one of our ASAs:


class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect tftp
inspect icmp

 
Well if the connection drops when it switches to passive mode then this is almost always a firewall/routing issue.

FTP PASV will allow the client to connect on port 99 but will then initiate its own connection back to the client running on high ports (1024 and above).
Normally in the FTP server you can specify which port ranges to use for PASV and then configure your firewall/ACL as needed.

Try testing it from the following site and note the details

Also I suggest you read the following and make sure it's configured as needed.

Perhaps look past the fact it works on port 21 as that may have special settings already set on the device due to it being the standard ftp port.

Let us know how you get on.
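The passive-mode failure discussed in this thread, as an added example that is not from any of the posts: a small Python checker that parses an FTP 227 reply and flags the two things to look for when PASV breaks behind a NAT firewall (the server advertising an RFC 1918 address, such as the 192.168.2.2 WAN-side address in the thread, to outside clients, and a data port outside the 50000-50100 range opened on the firewall). The public address and the sample replies are constructed.

```python
import ipaddress
import re

# Constructed sample replies in the form a FileZilla-style server sends.
# The first is what a server behind NAT returns when it does not know its
# public address (or the firewall is not rewriting the reply).
PASV_PRIVATE = "227 Entering Passive Mode (192,168,2,2,195,80)"
# The second advertises a (constructed) public address and a port in range.
PASV_PUBLIC = "227 Entering Passive Mode (203,0,113,10,195,80)"

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# RFC 1918 ranges, checked explicitly rather than via ipaddress.is_private,
# which would also flag documentation/test addresses like 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True if ip falls inside one of the private RFC 1918 networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; the port is p1 * 256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv(reply, expected_ip, port_range):
    """Return a list of problems found in a PASV reply (empty means OK)."""
    ip, port = parse_pasv(reply)
    problems = []
    if is_rfc1918(ip):
        problems.append("server advertises private address %s; outside "
                        "clients will open the data channel to it" % ip)
    if ip != expected_ip:
        problems.append("advertised address %s differs from the public "
                        "address %s" % (ip, expected_ip))
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append("data port %d is outside the %d-%d range opened "
                        "on the firewall" % (port, lo, hi))
    return problems
```

Feed it the 227 line captured from an external client session; an empty list means the advertised address and port match what the firewall has been told to pass.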
 