[isalist] Re: [ISAserver.org Discussion List] FTP Servers

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 22 Mar 2006 13:54:34 -0800

http://www.ISAserver.org
-------------------------------------------------------

As has been stated repeatedly in this thread, you're the only one experiencing 
this problem. 
I hit FTP sites all the time using web proxy, FWC and SecureNET hosts with no 
issues.

Do this:
1. Start two instances of netmon (or Ethereal) on the ISA; one capturing the 
external and the other capturing the internal NIC
2. create your failed scenario
3. stop the captures
4. get an ISAInfo
5. send them to me, or Tom or whomever you prefer

You're making sweeping statements with no proof of anything.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Andrew English
Sent: Wednesday, March 22, 2006 12:22
To: isalist@xxxxxxxxxxxxx
Subject: RE: [isalist] Re: [ISAserver.org Discussion List] FTP Servers
Importance: High

I see this being a big mix up. I am not talking about PASV mode not working, I 
am talking about non-PASV mode not working. Turn your PASV mode off and connect 
to an FTP server that uses either or, or no PASV mode at all and I doubt you 
will be able to connect. 
 
I have been asking why is this possible on Linksys routers, and now seems to be 
possible on this WatchGuard Firebox V60 but not possible on ISA 2004?
 
Regards,
Andrew

________________________________

From: isalist-bounce@xxxxxxxxxxxxx on behalf of Steve Moffat
Sent: Wed 22/03/2006 2:55 PM
To: ISA Mailing List
Subject: [isalist] Re: [ISAserver.org Discussion List] FTP Servers



Must be something silly....I have no issues with either mode. Either with or 
without the FW client.

 

 

                                350 Restarting at 0. Send STORE or RETRIEVE.
COMMAND:>           PASV
                                227 Entering Passive Mode (66,220,30,30,10,175)
COMMAND:>           LIST
STATUS:>               Connecting FTP data socket 66.220.30.30:2735...
                                150 Opening ASCII mode data connection for /bin/ls.
                                226 Transfer complete.
STATUS:>               Directory listing completed.

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Andrew English
Sent: Wednesday, March 22, 2006 3:53 PM
To: ISA Mailing List
Subject: RE: [isalist] Re: [ISAserver.org Discussion List] FTP Servers

 

Ah no.

 

FTP and FTP Server are in the rule. I have even tried it with just FTP and 
received the same response. It's only when I enable PASV and the port ranges 
does the connection work.

 

Regards,

Andrew

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx on behalf of Jim Harrison
Sent: Wed 22/03/2006 2:19 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: [ISAserver.org Discussion List] FTP Servers

http://www.ISAserver.org
-------------------------------------------------------
 
You *can* use "server" protocols in access rules, but they won't allow traffic 
from the internal to the external net.
I seriously doubt that Andy has tested this with any reasonable process.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------


-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thomas W Shinder
Sent: Wednesday, March 22, 2006 11:09
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: [ISAserver.org Discussion List] FTP Servers

Dude,
'preciate ya, but I don't think that can happen. You can use Server PDs in an 
Access Rule, so unless something is more whack than what meets the eye, traces 
are still in order.

Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- ISA Firewalls




________________________________

        From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
        Sent: Wednesday, March 22, 2006 1:02 PM
        To: ISA Mailing List
        Subject: [isalist] Re: [ISAserver.org Discussion List] FTP Servers
       
       

        That's OK...I'll keep you and Jim on the right track... :)

        

________________________________

        From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
        Sent: Wednesday, March 22, 2006 3:02 PM
        To: ISA Mailing List
        Subject: [isalist] Re: [ISAserver.org Discussion List] FTP Servers

        

        LOL! I didn't even notice that, it got lost in the noise :))

        

        Thomas W Shinder, M.D.
        Site: www.isaserver.org <http://www.isaserver.org/>
        Blog: http://blogs.isaserver.org/shinder/
        Book: http://tinyurl.com/3xqb7
        MVP -- ISA Firewalls

        

                

________________________________

                From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
                Sent: Wednesday, March 22, 2006 12:57 PM
                To: ISA Mailing List
                Subject: [isalist] Re: [ISAserver.org Discussion List] FTP 
Servers

                You are such a complete ass Andrew....the server protocol is 
for publishing your own FTP servers. You want to allow the FTP protocol.

                

                S

                

________________________________

                From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Andrew English
                Sent: Wednesday, March 22, 2006 3:04 PM
                To: ISA Mailing List
                Subject: RE: [isalist] Re: [ISAserver.org Discussion List] FTP 
Servers

                

                Jim,

                

                None of the workstations use the web proxy, or firewall client 
software of ISA 2004. They use Secure NAT, they are going out through ISA like 
if you had a dummy Linksys cable DSL router.

                

                Example:

                

                ISA is on 192.168.1.1

                

                GW: for all clients on the DHCP server is 192.168.1.1, again 
there is no web proxy setup and no firewall client ware installed.

                

                Secondly what I meant in my other comment which you are so 
eager to twist around is that I have not tampered with the default firewall 
settings of ISA, yes I have added my own rules to the system, but if you look 
at the default core settings for ICMP, etc they have all been left alone.

                

                Now are you going to keep acting this way if I say, you know 
Jim I installed a new ISA server that only had two rules in it, one for the FTP 
server to the outside using the default FTP Server protocol, and the other 
which is the default DENY rule that ISA creates? Are you going to blame it on the 
web proxy or firewall client if neither are installed or being used?

                

                Let's be realistic here, if you don't know the answer why ISA 
out of the box with two rules in it won't connect to FTP servers that don't use 
passive mode why make a fuss of it? Why not ask Bill to loan you one of his boxes, 
install ISA 2004, email me for a couple test accounts and go to town, then say 
geez you know there is a bug or maybe Microsoft doesn't care?  You have the 
time and certainly the money to investigate it further, than I do yet you keep 
hounding people to show you more evidence before you will get off your dairy 
air and do something.. ;)

                

                Regards,

                Andrew

                

________________________________

                From: isalist-bounce@xxxxxxxxxxxxx on behalf of Jim Harrison
                Sent: Wed 22/03/2006 12:33 PM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: [ISAserver.org Discussion List] FTP 
Servers

                http://www.ISAserver.org
                -------------------------------------------------------
                
                No - you said:
                "I seem to only be able to get access to FTP servers using PASV 
modem on my workstations that are setup under secure NAT".
                This leaves the failing case hanging somewhere between web 
proxy and firewall clients.
                You also stated:
                "..I have had to reinstall ISA 2004.." and "Nothing on the ISA 
configuration level has been modified or changed", which are just a bit 
contradictory.
               
                You haven't given anyone anything to work from, like:
                - client errors
                - ISA logs
                - captures
               
                If the problem is important enough to involve an entire list, 
it's important enough to provide something more than conjecture and 
contradiction.
               
                There are a great many FTP servers that disallow active mode; 
and with good reason.
               
                -------------------------------------------------------
                   Jim Harrison
                   MCP(NT4, W2K), A+, Network+, PCG
                   http://isaserver.org/Jim_Harrison/
                   http://isatools.org
                   Read the help / books / articles!
                -------------------------------------------------------


All mail to and from this domain is GFI-scanned.

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
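
Added example (not part of the original thread and not any poster's code): a small decoder for the two FTP control-channel lines that decide who opens the data connection, which is what the two-NIC captures requested above would be checked for. The 227 line is taken from the session log in the thread; the PORT line and the client address 192.168.1.50 are constructed for illustration.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 tuple used by both the PORT command and the 227 reply (RFC 959)
_HOSTPORT = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)"
)


def decode_hostport(text):
    """Return (ip, port) from an 'h1,h2,h3,h4,p1,p2' tuple, or None if absent/invalid."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def data_channel(line):
    """Classify one control-channel line and say who opens the data connection."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        mode, opener = "active", "server"    # server connects back to the client
    elif line.startswith("227"):
        mode, opener = "passive", "client"   # client connects out to the server
    else:
        return None
    endpoint = decode_hostport(line)
    if endpoint is None:
        return None
    ip, port = endpoint
    return {
        "mode": mode,
        "opened_by": opener,
        "endpoint": f"{ip}:{port}",
        # A private address in PORT is unreachable from the Internet unless the
        # NAT device rewrites it and admits the server's inbound connection.
        "needs_nat_rewrite": mode == "active" and ipaddress.ip_address(ip).is_private,
    }


# First line is from the thread's log; the PORT line is constructed sample input.
SAMPLE = [
    "227 Entering Passive Mode (66,220,30,30,10,175)",
    "PORT 192,168,1,50,19,137",
    "226 Transfer complete.",
]

if __name__ == "__main__":
    for sample_line in SAMPLE:
        print(sample_line, "->", data_channel(sample_line))
```

Comparing the PORT tuple seen on the internal NIC with the one seen on the external NIC shows whether the firewall rewrote the client's private address before it reached the server.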

