RE: FTP Non-Standard Ports

  • From: "Thomas W. Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 5 Feb 2002 10:38:38 -0600

Hi Logan,
 
You must use the FW client method of publishing FTP servers on
non-standard ports.
 
HTH,
Tom
http://www.isaserver.org/shinder
 
 
-----Original Message-----
From: Logan Ramirez [mailto:LoganRamirez@xxxxxxxxxxxxxx] 
Sent: Tuesday, February 05, 2002 10:35 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] FTP Non-Standard Ports
 
http://www.ISAserver.org
Does anyone know why it is so difficult to ftp to a non-standard port?
 
Maybe it's just me...
 
Back to back private DMZ setup, and FTP in both directions (from
internal network and external network into DMZ) works perfectly on
standard port 21 in both active and passive modes; however, when I try
to FTP to another port, I get either 500 INVALID PORT COMMAND or
Operation Timed Out (depending on PORT or PASV mode, respectively).
 
I am testing with IE 6.0 and also with command line ftp (windows XP)
from internal network.
 
I dropped a sniffer on all 3 devices, internal host, internal ISA, and
DMZ ftp server (IIS running on windows 2000 DC) and watched the packets
float across, and even in true passive mode, with an 'all ports allowed'
packet filter enabled and an 'all protocols allowed' filter, only standard
port 21 worked.
 
So strange though...same testing environment, from internal host into
DMZ, and when in passive mode I see the packets generated as such for
port 21: (numbers made up for convenience)
 
client 2872 -->  server 21
server 21 ---> client 2872 (with PORT command informing client of its
listening data port)
client 3154 --> server 5156 
server 5156 --> client 3154
 
for ftp to non-standard port, say 5153:
client 2872 -->  server 5153
server 5153 ---> client 2872 (with PORT command informing client of its
listening data port)
client 3154 --> server 5156 
No server response.  Operation timed out.  
 
The packet is never seen on the FTP server, but what the heck is so
different about a client making a second request to some random high
port when its initial request was to standard FTP port 21 versus a
client making a request to some random high port when its initial
request was to non-standard FTP port 5153?

I tried SP1, firewall client software (may have done this incorrectly),
making the client a secureNAT client...
 
Sure could use some conversation to get more ideas flowing.
 
Hope this finds all well.
 
Logan
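As an added illustration (not from the thread, and not ISA Server's own code), the following toy model shows how a stateful FTP application filter learns the passive data port by parsing the 227 reply on the control channel, and why a control connection on a port the filter is not configured to watch leaves the later data connection unmatched, as in the port 5153 capture above. The addresses, the port set and the filter behaviour are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply; port = p1*256 + p2.
PASV_REPLY = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str):
    """Return (ip, port) announced in a 227 reply, or None if it is not one."""
    m = PASV_REPLY.match(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass
class FtpFilter:
    """Toy stateful FTP filter (assumption: models the general technique only).
    It inspects control traffic solely on the ports it is told are FTP."""
    control_ports: frozenset = frozenset({21})
    pinholes: set = field(default_factory=set)

    def on_control_reply(self, client_ip, server_port, reply):
        # Control traffic to an unrecognised port is never parsed, so no
        # pinhole is learned from its PASV reply.
        if server_port not in self.control_ports:
            return False
        announced = parse_pasv(reply)
        if announced is None:
            return False
        server_ip, data_port = announced
        self.pinholes.add((client_ip, server_ip, data_port))
        return True

    def allow_data(self, client_ip, server_ip, server_port):
        """The data connection passes only if a pinhole was learned for it."""
        return (client_ip, server_ip, server_port) in self.pinholes


def simulate(control_port, filter_ports=frozenset({21})):
    """Replay the capture from the post: control on control_port, then a data
    connection to the announced port 5156 (20*256 + 36). Constructed addresses."""
    fw = FtpFilter(control_ports=filter_ports)
    fw.on_control_reply("10.1.1.20", control_port,
                        "227 Entering Passive Mode (10,0,0,5,20,36)")
    return fw.allow_data("10.1.1.20", "10.0.0.5", 5156)
```

Running simulate(21) passes the data connection while simulate(5153) does not; adding 5153 to filter_ports makes it pass again, which is the knob a firewall needs when FTP moves off port 21.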