http://www.ISAserver.org ------------------------------------------------------- Nope - NAT has nothing to do with it. The FTP server is ignoring your PORT command. -----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Corciega, Michael P. Sent: Thursday, March 30, 2006 3:01 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: FW: FW: FTP Access Error http://www.ISAserver.org ------------------------------------------------------- Jim....Now I know why it this traffic can pass thru Squid, because it was setup as Routing unlike my ISA2K4 it setup as NAT. Mykel -----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Tuesday, March 28, 2006 10:46 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: FW: FW: FTP Access Error http://www.ISAserver.org ------------------------------------------------------- It's a flaky FTP server. If you go to the forms section and try to download any of the listed files, you'll get the described behavior. I grabbed a cap and here's the upshot: Source Dest Command 66.114.140.242:4672 203.215.79.208:21 'PORT 66,114,140,242,18,65' 203.215.79.208:21 66.114.140.242:4672 '200 PORT command successful. Consider using PASV.' 66.114.140.242:4672 203.215.79.208:21 'RETR /webadmin1/zip/180072110.zip' 203.215.79.208:21 66.114.140.242:4672 TCP_ACK to 'RETR' frame 203.215.79.208:21 66.114.140.242:4672 '425 Failed to establish connection.' Notice what's missing? The FTP server *never* tried to connect to the IP/port specified in the 'PORT' command. If you don't know how this operates, the PORT command specifies the IP and port that the FTP server should connect to when sending data (not command responses). In this case it should have tried to connect to IP 66.114.140.242 on TCP:4673. We know this because the numbers in the port command translate like unto thusly: 'PORT 66,114,140,242,18,65' == "PORT IP=66.114.140.242, PORT=(18*256)+65". Thus, after the 'RETR' command, we *should have* seen a packet formed as: 203.215.79.208:20 66.114.140.242:4673 TCP_SYN ..but we didn't. Tell them to fix their server. -----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Tuesday, March 28, 2006 6:15 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: FW: FW: FTP Access Error http://www.ISAserver.org ------------------------------------------------------- You might want to be a bit more specific. An HTTP:// link will go nowhere for reproducing an FTP problem. -----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Corciega, Michael P. Sent: Monday, March 27, 2006 11:04 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: FW: FW: FTP Access Error Yeah I know.... this is my ridiculous move.... To open all ports (internal to external) just to check if it requires a different port to pass thru (just testing) .... But just the same it passes thru FTP port but still I still get the same error. You may try to visit the site http://www.bir.gov.ph <http://www.bir.gov.ph/> and I tell you'll get the same error. Mykel ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat Sent: Monday, March 27, 2006 10:52 PM To: ISA Mailing List Subject: [isalist] Re: FW: FW: FTP Access Error All ports open...dear dear. Create an FTP access rule and it'll likely start working. The allow all protocols rule doesn't actually mean allow all. S ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Corciega, Michael P. Sent: Monday, March 27, 2006 10:17 AM To: ISA Mailing List Subject: [isalist] Re: FW: FW: FTP Access Error Already turned on. If I divert my connection to a different proxy server (squid) I can get thru. But if I pass thru ISA2000 or 2004 with all ports open, stlll I get the same error. Mykel ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Ross Sent: Monday, March 27, 2006 9:34 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: FW: FW: FTP Access Error turn on "use folder view for FTP sites" in your browser. ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat Sent: Monday, March 27, 2006 4:29 AM To: ISA Mailing List Subject: [isalist] Re: FW: FW: FTP Access Error Not enough information. Check the ISA logs. S ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Corciega, Michael P. Sent: Monday, March 27, 2006 6:24 AM To: ISA Mailing List Subject: [isalist] FW: FW: FTP Access Error Hi Everyone, When I try to access this site http://www.bir.gov.ph <http://www.bir.gov.ph/> and download any files (exe, pdf, etc.) from the links on the page. I always get the error below on my browser. What could be the reason? I allowed FTP access. Also make sure that PASSIVE tick box is checked on IE. ISA Server: extended error message : 200 Switching to Binary mode. 200 PORT command successful. Consider using PASV. 425 Failed to establish connection. Mykel All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx