Re: FTP Non-Standard Ports

  • From: "Chris Bond" <chris@xxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 5 Feb 2002 16:32:23 -0000

I've tried to do this for a while now, not had any luck.  Let me know if 
you come up with a solution; all my machines are SecureNAT clients.
  ----- Original Message ----- 
  From: Logan Ramirez 
  To: [ISAserver.org Discussion List] 
  Sent: Tuesday, February 05, 2002 4:35 PM
  Subject: [isalist] FTP Non-Standard Ports


  http://www.ISAserver.org


  Does anyone know why it is so difficult to ftp to a non-standard port?

  Maybe it's just me...

  Back to back private DMZ setup, and FTP in both directions (from internal 
network and external network into DMZ) work perfectly on standard port 21 in 
both active and passive modes, however, when I try to FTP to another port, I 
get either 500 INVALID PORT COMMAND or Operation Timed Out (depending on PORT 
or PASV mode, respectively).

  I am testing with IE 6.0 and also with command line ftp (windows XP) from 
internal network.

  I dropped a sniffer on all 3 devices, internal host, internal ISA, and DMZ 
ftp server (IIS running on windows 2000 DC) and watched the packets float 
across, and even in true passive mode, with an 'all ports allowed' packet 
filter enabled and a 'all protocol allowed' filter, only standard port 21 
worked.  

  So strange though...same testing environment, from internal host into DMZ, 
and when in passive mode I see the packets generated as such for port 21: 
(numbers made up for convenience)

  client 2872 -->  server 21
  server 21 ---> client 2872 (with PORT command informing client of its 
listening data port)
  client 3154 --> server 5156 
  server 5156 --> client 3154

  for ftp to non-standard port, say 5153:

  client 2872 -->  server 5153
  server 5153 ---> client 2872 (with PORT command informing client of its 
listening data port)
  client 3154 --> server 5156 
  No server response.  Operation timed out.  

  The packet is never seen on the FTP server, but what the heck is so different 
about a client making a second request to some random high port when its 
initial request was to standard FTP port 21 versus a client making a request to 
some random high port when its initial request was to non-standard FTP port 
5153?  

  I tried SP1, firewall client software (may have done this incorrectly), 
making the client a secureNAT client...

  Sure could use some conversation to get more ideas flowing.

  Hope this finds all well.

  Logan
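The exchange Logan describes, modelled as an added example that is not part of either post and not ISA Server's own code: a stateful firewall can only open the dynamic data-channel pinhole for a passive transfer if its FTP application filter actually reads the 227 reply on the control channel, and a filter that is bound to port 21 never sees a control session that was opened to 5153. The addresses, the 227 line and the PORT lines below are constructed, the "watch only port 21" policy and the server-side PORT address check are assumptions used to reproduce the two symptoms (timeout in PASV mode, 500 on PORT), not a confirmed diagnosis of ISA's behaviour.

```python
import re
from dataclasses import dataclass, field

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)  -- server tells the client where to connect
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# PORT h1,h2,h3,h4,p1,p2                          -- client tells the server where to connect
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def decode_hostport(groups):
    """(h1,h2,h3,h4,p1,p2) -> ('h1.h2.h3.h4', p1*256 + p2)."""
    host = ".".join(groups[:4])
    port = int(groups[4]) * 256 + int(groups[5])
    return host, port


@dataclass
class FtpFilter:
    """Toy FTP application filter (assumed behaviour): it inspects control
    sessions only on `control_ports` and opens one dynamic pinhole per
    227 reply (passive) or PORT command (active)."""
    control_ports: frozenset = frozenset({21})
    pinholes: set = field(default_factory=set)

    def observe(self, client_ip, server_ip, server_port, line):
        """Feed one control-channel line; return the pinhole it opened, if any.
        A pinhole is (src_ip, dst_ip, dst_port) permitted for one data connection."""
        if server_port not in self.control_ports:
            return None          # control session on an unwatched port: never parsed
        m = PASV_RE.match(line)
        if m:                    # passive: client will connect to the server's data port
            host, port = decode_hostport(m.groups())
            hole = (client_ip, host, port)
            self.pinholes.add(hole)
            return hole
        m = PORT_RE.match(line)
        if m:                    # active: server will connect to the client's data port
            host, port = decode_hostport(m.groups())
            hole = (server_ip, host, port)
            self.pinholes.add(hole)
            return hole
        return None

    def allow_data_syn(self, src_ip, dst_ip, dst_port):
        """Static policy (assumed): a data connection passes only through a pinhole."""
        return (src_ip, dst_ip, dst_port) in self.pinholes


def passive_session(control_port, filt=None):
    """Replay the passive exchange from the post against the filter and report
    whether the client's SYN to the server's data port would be forwarded."""
    filt = filt or FtpFilter()
    client, server = "10.0.0.5", "192.168.1.10"          # constructed addresses
    # constructed 227 reply; 20*256 + 36 = 5156, the data port in the post
    filt.observe(client, server, control_port,
                 "227 Entering Passive Mode (192,168,1,10,20,36)")
    return filt.allow_data_syn(client, server, 5156)


def server_checks_port(conn_src_ip, port_line):
    """Model of a server that rejects a PORT command whose address differs from
    the control connection's peer (assumed check; the post only shows the 500).
    Returns the reply code the server would send."""
    m = PORT_RE.match(port_line)
    if not m:
        return 501
    host, _ = decode_hostport(m.groups())
    return 200 if host == conn_src_ip else 500


if __name__ == "__main__":
    # Control on 21: filter parses the 227 and opens the pinhole -> data SYN passes.
    print("port 21, passive:", passive_session(21))
    # Control on 5153: filter never looks -> no pinhole -> SYN dropped, client times out.
    print("port 5153, passive:", passive_session(5153))
    # Same session once the filter is told to watch 5153 as well.
    print("port 5153, filter extended:",
          passive_session(5153, FtpFilter(control_ports=frozenset({21, 5153}))))
    # Active mode behind NAT with no ALG: the IP header is rewritten to the public
    # address but the PORT payload still carries the private one -> 500.
    print("PORT with private address:", server_checks_port("203.0.113.7", "PORT 10,0,0,5,12,82"))
    print("PORT with rewritten address:", server_checks_port("203.0.113.7", "PORT 203,0,113,7,12,82"))
```

The model reproduces both symptoms in the post from a single cause: the data channel is negotiated inside the control channel, so whatever the firewall does for port 21 (parsing the 227 reply to open the return path, rewriting the PORT payload to the translated address) it has to do on the non-standard control port too, or the data connection is just an unsolicited SYN to a random high port. A check worth running in the real environment is therefore whether the FTP filter, not just the packet filter, can be told about the extra control port.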