[isalist] Re: FW: FW: FTP Access Error

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 30 Mar 2006 06:35:23 -0800

http://www.ISAserver.org
-------------------------------------------------------
  
Nope - NAT has nothing to do with it.
The FTP server is ignoring your PORT command.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Corciega, Michael P.
Sent: Thursday, March 30, 2006 3:01 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: FW: FW: FTP Access Error

Jim....Now I know why this traffic can pass thru Squid, because it
was set up as Routing, unlike my ISA2K4, which is set up as NAT.

Mykel


-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Tuesday, March 28, 2006 10:46 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: FW: FW: FTP Access Error

It's a flaky FTP server.
If you go to the forms section and try to download any of the listed
files, you'll get the described behavior.
I grabbed a cap and here's the upshot:

Source               Dest                 Command
66.114.140.242:4672  203.215.79.208:21    'PORT 66,114,140,242,18,65'
203.215.79.208:21    66.114.140.242:4672  '200  PORT command successful. Consider using PASV.'
66.114.140.242:4672  203.215.79.208:21    'RETR /webadmin1/zip/180072110.zip'
203.215.79.208:21    66.114.140.242:4672  TCP_ACK to 'RETR' frame
203.215.79.208:21    66.114.140.242:4672  '425  Failed to establish connection.'

Notice what's missing?
The FTP server *never* tried to connect to the IP/port specified in the
'PORT' command.  If you don't know how this operates, the PORT command
specifies the IP and port that the FTP server should connect to when
sending data (not command responses).  In this case it should have tried
to connect to IP 66.114.140.242 on TCP:4673.  We know this because the
numbers in the port command translate like unto thusly:
'PORT 66,114,140,242,18,65' == "PORT IP=66.114.140.242, PORT=(18*256)+65".

Thus, after the 'RETR' command, we *should have* seen a packet formed
as:
203.215.79.208:20          66.114.140.242:4673    TCP_SYN

..but we didn't.
Tell them to fix their server.
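
Added example, not part of the original message: a Python sketch that decodes the PORT argument as described above and walks the captured frames to see whether the server ever sent a SYN to the advertised endpoint before answering 425. The function names, verdict strings, the HEALTHY variant and the PORT-address mismatch check are assumptions made for illustration.

```python
import re

PORT_RE = re.compile(r"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")

def parse_port(payload):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port), where port = p1*256 + p2."""
    m = PORT_RE.match(payload.strip())
    if not m or any(int(g) > 255 for g in m.groups()):
        raise ValueError(f"malformed PORT command: {payload!r}")
    n = [int(g) for g in m.groups()]
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]

def diagnose(frames):
    """frames: (src, dst, payload) tuples in capture order; src/dst are 'ip:port'.
    Returns (verdict, expected_data_endpoint)."""
    expected, retr_seen = None, False
    for src, dst, payload in frames:
        if payload.startswith("PORT "):
            ip, port = parse_port(payload)
            expected, retr_seen = f"{ip}:{port}", False
            # Extra check (assumption, not from the thread): the advertised IP
            # should be the address the control connection comes from.
            if ip != src.rsplit(":", 1)[0]:
                return "port-ip-mismatch", expected
        elif payload.startswith("RETR "):
            retr_seen = True
        elif payload == "TCP_SYN" and retr_seen and dst == expected:
            return "data-connection-attempted", expected
        elif payload.startswith("425") and retr_seen:
            return "server-never-connected", expected
    return "inconclusive", expected

# Frames as summarised in the capture table in the message above.
CLIENT, SERVER = "66.114.140.242:4672", "203.215.79.208:21"
CAPTURE = [
    (CLIENT, SERVER, "PORT 66,114,140,242,18,65"),
    (SERVER, CLIENT, "200  PORT command successful. Consider using PASV."),
    (CLIENT, SERVER, "RETR /webadmin1/zip/180072110.zip"),
    (SERVER, CLIENT, "TCP_ACK"),
    (SERVER, CLIENT, "425  Failed to establish connection."),
]
# Constructed variant: the SYN the message says should have followed RETR.
HEALTHY = CAPTURE[:4] + [("203.215.79.208:20", "66.114.140.242:4673", "TCP_SYN")]

if __name__ == "__main__":
    print(diagnose(CAPTURE))
    print(diagnose(HEALTHY))
```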

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Tuesday, March 28, 2006 6:15 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: FW: FW: FTP Access Error

You might want to be a bit more specific.
An HTTP:// link will go nowhere for reproducing an FTP problem.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Corciega, Michael P.
Sent: Monday, March 27, 2006 11:04 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: FW: FW: FTP Access Error

Yeah I know.... this is my ridiculous move.... To open all ports
(internal to external) just to check if it requires a different port to
pass thru (just testing) .... But just the same it passes thru FTP port
but I still get the same error.
 
You may try to visit the site http://www.bir.gov.ph and I tell you,
you'll get the same error.
 
 
Mykel
 
 
________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Steve Moffat
Sent: Monday, March 27, 2006 10:52 PM
To: ISA Mailing List
Subject: [isalist] Re: FW: FW: FTP Access Error
 
All ports open...dear dear.
 
Create an FTP access rule and it'll likely start working.
 
The allow all protocols rule doesn't actually mean allow all.
 
S
 
________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Corciega, Michael P.
Sent: Monday, March 27, 2006 10:17 AM
To: ISA Mailing List
Subject: [isalist] Re: FW: FW: FTP Access Error
 
Already turned on. If I divert my connection to a different proxy server
(squid) I can get thru. But if I pass thru ISA2000 or 2004 with all
ports open, still I get the same error.
 
Mykel 
 
 
________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Michael Ross
Sent: Monday, March 27, 2006 9:34 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: FW: FW: FTP Access Error
 
turn on "use folder view for FTP sites" in your browser.
 
________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Steve Moffat
Sent: Monday, March 27, 2006 4:29 AM
To: ISA Mailing List
Subject: [isalist] Re: FW: FW: FTP Access Error
 
Not enough information. Check the ISA logs.
 
S
 
________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Corciega, Michael P.
Sent: Monday, March 27, 2006 6:24 AM
To: ISA Mailing List
Subject: [isalist] FW: FW: FTP Access Error
 
Hi Everyone,
 
When I try to access this site http://www.bir.gov.ph and download any
files (exe, pdf, etc.) from the links on the page, I always get the
error below on my browser. What could be the reason?
 
I allowed FTP access. Also make sure that PASSIVE tick box is checked on
IE.

ISA Server: extended error message : 

200 Switching to Binary mode.
200 PORT command successful. Consider using PASV.
425 Failed to establish connection.
 
 
Mykel
 

All mail to and from this domain is GFI-scanned.

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/  
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp 
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/ 
ISA Server Blogs: http://blogs.isaserver.org/ 
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com 
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp 
Report abuse to listadmin@xxxxxxxxxxxxx 

