RE: FTP Non-Standard Ports

  • From: Logan Ramirez <LoganRamirez@xxxxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 5 Feb 2002 11:15:34 -0600

Firewall method, eh?  That must be true when talking about publishing an FTP
server, but I am not trying to publish one in this case.  Eventually we may,
but we will not use PUTs in that instance.
In this case, however, we need to put and it is my INTERNAL network going
out to the DMZ.  Machines in its LAT.  No publishing involved there.  Just
plain IP packet filtering (I believe).  A simple protocol rule to allow the
port you need, then I imagined it would work, but this is not the case and
all my troubleshooting attempts have failed, even allowing ALL
protocols/packets through.

What is up with that?  I am really starting to believe it is the product,
especially since I am hearing about a lot of people having difficulty as
well.

With continued appreciation of intellectual conversation and field supported
efforts, 

Logan

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Tuesday, February 05, 2002 10:39 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FTP Non-Standard Ports


http://www.ISAserver.org


Hi Logan,
 
You must use the FW client method of publishing FTP servers on non-standard
ports.
 
HTH,
Tom
www.isaserver.org/shinder
 
 
-----Original Message-----
From: Logan Ramirez [mailto:LoganRamirez@xxxxxxxxxxxxxx] 
Sent: Tuesday, February 05, 2002 10:35 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] FTP Non-Standard Ports
 
Does anyone know why it is so difficult to ftp to a non-standard port?
 
Maybe it's just me...
 
Back to back private DMZ setup, and FTP in both directions (from internal
network and external network into DMZ) work perfectly on standard port 21 in
both active and passive modes, however, when I try to FTP to another port, I
get either 500 INVALID PORT COMMAND or Operation Timed Out (depending on
PORT or PASV mode, respectively).
 
I am testing with IE 6.0 and also with command line ftp (windows XP) from
internal network.
 
I dropped a sniffer on all 3 devices, internal host, internal ISA, and DMZ
ftp server (IIS running on windows 2000 DC) and watched the packets float
across, and even in true passive mode, with an 'all ports allowed' packet
filter enabled and a 'all protocol allowed' filter, only standard port 21
worked.  
 
So strange though...same testing environment, from internal host into DMZ,
and when in passive mode I see the packets generated as such for port 21:
(numbers made up for convenience)
 
client 2872 --> server 21
server 21 --> client 2872 (with PORT command informing client of its listening data port)
client 3154 --> server 5156
server 5156 --> client 3154
 
for ftp to non-standard port, say 5153:
client 2872 --> server 5153
server 5153 --> client 2872 (with PORT command informing client of its listening data port)
client 3154 --> server 5156
No server response.  Operation timed out.
 
The packet is never seen on the FTP server, but what the heck is so
different about a client making a second request to some random high port
when its initial request was to standard FTP port 21 versus a client making
a request to some random high port when its initial request was to
non-standard FTP port 5153?

I tried SP1, firewall client software (may have done this incorrectly),
making the client a secureNAT client...
 
Sure could use some conversation to get more ideas flowing.
 
Hope this finds all well.
 
Logan
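The exchange Logan captured is the classic FTP data-channel problem: the client learns the server's data port from the 227 reply to PASV (or announces its own with PORT), and a stateful firewall can only open that second connection if it parses the control channel. The script below is an added illustration, not code from the thread or from ISA Server; it models a stateful FTP filter that inspects only the control ports it is configured for (the `inspected_ports` set, an assumption about how such a filter behaves), replays the passive-mode exchange from the post on port 21 and on port 5153, and reports whether the data connection to port 5156 would be let through. The addresses and the "227 Entering Passive Mode" line are constructed.

```python
"""Minimal model of a stateful FTP filter: it parses 227 (PASV) replies and
PORT commands on the control connections it inspects and opens a one-shot
pinhole for the announced data channel. Control connections on other ports
are treated as opaque TCP. Illustrative only; traffic below is constructed."""
import re
from dataclasses import dataclass, field

# RFC 959 host-port syntax: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_REPLY = re.compile(r"^227 .*?\(" + _HOSTPORT + r"\)")
PORT_CMD = re.compile(r"^PORT " + _HOSTPORT + r"\r?\n?$")


def _hostport(groups):
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("host-port byte out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv_reply(line):
    """'227 Entering Passive Mode (10,0,0,5,20,36).' -> ('10.0.0.5', 5156)"""
    m = PASV_REPLY.match(line)
    if not m:
        raise ValueError(f"not a PASV reply: {line!r}")
    return _hostport(m.groups())


def parse_port_command(line):
    """'PORT 192,168,1,10,12,82' -> ('192.168.1.10', 3154)"""
    m = PORT_CMD.match(line)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return _hostport(m.groups())


@dataclass
class FtpFilter:
    """Allows a data connection only if it was announced on an inspected
    control connection. Expected flows are (src_ip, dst_ip, dst_port)."""
    inspected_ports: frozenset = frozenset({21})
    expected_data: set = field(default_factory=set)

    def observe_control(self, src, sport, dst, dport, payload):
        if sport in self.inspected_ports:
            # server -> client on an inspected port: look for a 227 reply;
            # the client will then connect to the announced server port
            try:
                host, port = parse_pasv_reply(payload)
            except ValueError:
                return
            self.expected_data.add((dst, host, port))
        elif dport in self.inspected_ports:
            # client -> server on an inspected port: look for a PORT command;
            # the server will then connect back to the announced client port
            try:
                host, port = parse_port_command(payload)
            except ValueError:
                return
            self.expected_data.add((dst, host, port))
        # any other port pair: opaque TCP, nothing learned

    def allow_data(self, src, dst, dport):
        flow = (src, dst, dport)
        if flow in self.expected_data:
            self.expected_data.remove(flow)  # one-shot pinhole
            return True
        return False


CLIENT, SERVER = "10.1.1.50", "10.2.2.10"  # constructed addresses


def passive_transfer_allowed(control_port, fw=None):
    """Replay the passive-mode exchange from the post against the filter and
    report whether the client's data connection to port 5156 gets through."""
    fw = fw or FtpFilter()
    fw.observe_control(CLIENT, 2872, SERVER, control_port, "PASV\r\n")
    fw.observe_control(SERVER, control_port, CLIENT, 2872,
                       "227 Entering Passive Mode (10,2,2,10,20,36).\r\n")
    # announced data port is 20*256 + 36 = 5156, as in the original post
    return fw.allow_data(CLIENT, SERVER, 5156)


if __name__ == "__main__":
    print("control on 21:  ", passive_transfer_allowed(21))    # True
    print("control on 5153:", passive_transfer_allowed(5153))  # False
    wider = FtpFilter(frozenset({21, 5153}))
    print("control on 5153, inspected:", passive_transfer_allowed(5153, wider))  # True
```

The point the model makes is the one in the capture: an "all ports allowed" static rule does not help, because the data connection is not a packet-filter problem but a state problem, and the state only exists if the filter parsed the control channel on which the port was announced. A filter that inspects only port 21 will pass the 5153 control session as plain TCP and then see a client SYN to 5156 that nothing announced.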



