RE: Cannot access FTP sites...

  • From: "William Robertson" <william.robertson@xxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 17 Jan 2003 18:50:31 +0200

Hi guys

I have been struggling with this issue for quite some time now, but I am
damned if I know what is wrong. If you don't mind, I'm just going to
rattle on about my problem in order to clarify it for myself, and
hopefully someone can maybe shed a little light as well.

The setup:
I am running ISA 2000 w/ SP1 and FP1. I have 2 hotfixes installed (the
only ISA HFixes available I think). I have 1 WEB Filter installed called
Surfcontrol WEB Filter. My ISA server is on the Internal side of a PIX
Firewall.

The Rules:
I have the following FTP Rules:
 - Allow protocol FTP (Outbound TCP port 21) to specific user group Internet Surfers
 - Allow all sites to specific user group Internet Surfers
This is the way that these rules have always been, and nothing has
changed here. There are also no DENY rules in place, anywhere.

The problem:
About 1-2 weeks ago, I discovered that I was unable to browse FTP sites
at all. If I try to open an FTP site via a WEB Browser (clients are
set up as WEB Proxy clients) then I get this error:
ISA Server: extended error message : 
200 Type set to A.
200 PORT command successful.
425 Can't build data connection: Connection refused

If I try to connect to an FTP site (e.g. ftp.tacteam.net) via the
command line (which also always used to work), I get prompted for a
username and password. When I connect as anonymous, I can successfully
login, but as soon as I try to perform any commands such as DIR etc, on
ftp.tacteam I just get no response. It is as if the connection is
hanging.

If I try to connect to another website, I actually then get the same
"connection refused" error as mentioned above. Tom, can you perhaps
explain why I "hang" on your site, but get denied errors on other sites?

The other problem is that on my ISA Server, I am able to see FTP traffic
going through, I can also see the FTP traffic going through the PIX
Firewall, so this means that I am definitely getting out of my network
on the FTP control channel, but I cannot seem to get back on the FTP
Data Channel.

The only other FTP stuff I have on my ISA Server is a Server Publishing
Rule for the following:
Publish "FTP Server" protocol on ISA's external interface and map it
through to my internal FTP Server.
Now you would think that this is most probably the problem (I know I
did), but even after disabling this publishing rule, it still doesn't
work.

Now I thought I would get clever and do a "netstat -an" on my ISA Server
to see what was happening, and all I found was this:
  TCP    <ISA's External Interface>:21      0.0.0.0:0      LISTENING

Now that doesn't look too worrying (I think) so now I really don't know
what to do.

Would someone perhaps have any comments on all of my ramblings,
something that makes sense of all this madness?

Thanks for your time,
Cheers
William R.




-----Original Message-----
From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx] 
Sent: 10 January 2003 15:45 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Cannot access FTP sites...


Hi there

I have just discovered that I can no longer browse any FTP site. I have
for example tried connecting to the following within my IE Web Browser:
ftp://ftp.microsoft.com
ftp://ftp.europe.datafellows.com (our anti-virus application)
ftp://ftp.is.co.za (our ISP)

and all of them return the following error:
ISA Server: extended error message : 
200 Type set to A.
200 PORT command successful.
425 Can't build data connection: Connection refused

I have also tried connecting from the cmdline but I get the exact same
error as above.

All clients are set up as WEB Proxy, Firewall and SNat clients. I used to
be able to access FTP Sites quite alright, but I cannot for the life of me
think what has changed.

My S&C Rules and Protocol Rules do allow FTP Outbound Access, along with
HTTP & HTTPS.

Any ideas would be most appreciated...

Cheers
William R.
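
The replies quoted in the post (PORT accepted, then 425) are what active-mode FTP produces when the server cannot connect back to the endpoint the client advertised. The following is an added example, not part of the original post: it decodes PORT commands in a control-channel transcript and flags each 425 reply where the advertised address is RFC 1918. The client lines and the address 192.168.1.10 in the sample are constructed.

```python
import ipaddress
import re

# RFC 959: "PORT h1,h2,h3,h4,p1,p2" names the client endpoint the server dials back.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.I)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def decode_port(line):
    """Return (host, port) from a PORT command, or None if it is not one."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed octet
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def diagnose(transcript):
    """Report each 425 reply with the data-channel mode in effect at that point."""
    findings, mode, endpoint = [], None, None
    for line in (l.strip() for l in transcript.splitlines()):
        ep = decode_port(line)
        if ep:
            mode, endpoint = "active", ep
        elif line.upper().startswith(("PASV", "EPSV")):
            mode, endpoint = "passive", None
        elif line.startswith("425"):
            f = {"mode": mode, "endpoint": endpoint, "unroutable": None}
            if endpoint:
                ip = ipaddress.ip_address(endpoint[0])
                # An RFC 1918 address in PORT is unreachable from the Internet
                # unless a NAT/proxy device on the path rewrites the command.
                f["unroutable"] = any(ip in net for net in RFC1918)
            findings.append(f)
    return findings

# Constructed transcript: the three replies are those quoted in the post; the
# client lines and the address 192.168.1.10 are made up for illustration.
SAMPLE = """\
TYPE A
200 Type set to A.
PORT 192,168,1,10,4,1
200 PORT command successful.
LIST
425 Can't build data connection: Connection refused
"""

if __name__ == "__main__":
    for f in diagnose(SAMPLE):
        print(f)
```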
