TR: FTP access filter bug or NAT bug ?!
- From: Support Informatique <support@xxxxxxxxxxx>
- To: "'isalist@xxxxxxxxxxxxx'" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 18 Apr 2002 09:51:40 -0400
Nobody answered me on that... We found the bug:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q288247
Métek Demers
Network administrator, MCSE NT 4.0
E-mail: support@xxxxxxxxxxx
Collège d'affaires Ellis
Telephone: 819-477-3113
Toll-free: 1-800-869-3113
Website: http://www.ellis.qc.ca
-----Original Message-----
From: Support Informatique [mailto:support@xxxxxxxxxxx]
Sent: 9 April 2002 12:35
To: [ISAserver.org Discussion List]
Subject: [isalist] FTP access filter bug or NAT bug ?!
http://www.ISAserver.org
Hello,
My network is configured like this: my ISA is Win 2000 Adv. Server, no A/D,
SP2. ISA is SP1. I have the internet, the firewall and then the local
network (10.10.20.X). FTP access filter is enabled. I put a Protocol rule
with the FTP (protocol defined by ISA) allowing all people in the local
network to access any FTP site.
The IP packet filtering is enabled but nothing is blocked.
The ISA server has 4 IPs on the same network card: 205.237.46.254,
205.237.46.227, 205.237.46.228, 205.237.46.240. (I think that the trouble is
here...)
The default external IP is 205.237.46.254
When an internal client (SecureNAT) goes to an FTP server on the internet
and the PASSIVE TRANSFERS are enabled, they can connect, upload, change
directory, ... but they CAN'T download anything.
I checked the log of ISA and look what it did!!! It changes IP. As if
my ISA, when doing its NAT, wasn't putting the default external IP as source
IP. So when the FTP server tried to send the file, it blocked...
(FTP TRANSFER ENABLED IN WS_FTP95 LE)
2002-04-08 20:48:07 205.237.46.254 207.253.225.130 Tcp 11292 21 ALLOWED
2002-04-08 20:48:07 207.253.225.130 205.237.46.254 Tcp 21 11292 ALLOWED
2002-04-08 20:48:07 207.253.225.130 205.237.46.240 Tcp 1230 11295 ALLOWED
2002-04-08 20:48:07 207.253.225.130 205.237.46.240 Tcp 1230 11295 ALLOWED
I tried removing all IPs except 205.237.46.254 from my server's network card
and it worked perfectly.
Any patches?
Métek Demers
Network administrator, MCSE NT 4.0
E-mail: support@xxxxxxxxxxx
Collège d'affaires Ellis
Telephone: 819-477-3113
Toll-free: 1-800-869-3113
Website: http://www.ellis.qc.ca
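
Added example (not part of the original posts, and not ISA Server tooling): a Python check over packet-filter log lines in the layout quoted above. It flags any remote FTP server whose port-21 control connection and other TCP flows involve different external addresses of the firewall. The function names and the assumed column order (date, time, source, destination, protocol, source port, destination port, action) are assumptions read off the quoted lines; the sample log is those four lines re-joined.

```python
from collections import defaultdict

# The four log entries quoted in the post, re-joined one entry per line.
SAMPLE_LOG = """\
2002-04-08 20:48:07 205.237.46.254 207.253.225.130 Tcp 11292 21 ALLOWED
2002-04-08 20:48:07 207.253.225.130 205.237.46.254 Tcp 21 11292 ALLOWED
2002-04-08 20:48:07 207.253.225.130 205.237.46.240 Tcp 1230 11295 ALLOWED
2002-04-08 20:48:07 207.253.225.130 205.237.46.240 Tcp 1230 11295 ALLOWED
"""
# External addresses bound to the firewall's network card, as listed in the post.
EXTERNAL_IPS = ["205.237.46.254", "205.237.46.227", "205.237.46.228", "205.237.46.240"]
FTP_CONTROL_PORT = 21


def parse_line(line):
    """Split one entry (assumed columns: date time src dst proto sport dport action)."""
    fields = line.split()
    if len(fields) != 8:
        return None  # blank or unrecognized line
    _date, _time, src, dst, proto, sport, dport, _action = fields
    if not (sport.isdigit() and dport.isdigit()):
        return None
    return src, dst, proto.lower(), int(sport), int(dport)


def find_ip_mismatches(log_text, external_ips):
    """Return sorted (remote_server, control_ip, other_ip) tuples.

    control_ip is the firewall address seen on the port-21 connection with
    remote_server; other_ip is a different firewall address seen on any
    other TCP flow with that same server (for example the data connection).
    """
    external = set(external_ips)
    control = defaultdict(set)  # remote server -> firewall IPs on the control channel
    other = defaultdict(set)    # remote server -> firewall IPs on every other flow
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry[2] != "tcp":
            continue
        src, dst, _proto, sport, dport = entry
        # Orient the flow: which end is one of the firewall's external addresses?
        if src in external:
            local, remote, rport = src, dst, dport
        elif dst in external:
            local, remote, rport = dst, src, sport
        else:
            continue
        (control if rport == FTP_CONTROL_PORT else other)[remote].add(local)
    return sorted((r, c, o) for r, ctl in control.items() for c in ctl for o in other[r] - ctl)
```

Calling find_ip_mismatches(SAMPLE_LOG, EXTERNAL_IPS) on the quoted entries reports the control channel on 205.237.46.254 and the second flow on 205.237.46.240.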