David,

You have a fairly classic FTP problem.  Port 20 is designated as the FTP data port but is seldom used.  Data connections can use any port above 1024 and usually do.  Traditionally the server establishes the data portion of the connection, but this created problems with firewalls, which traditionally do not permit inbound connections.  PASV was put into the FTP protocol to resolve the issue by allowing the client to establish the data connection as an outbound connection.

A couple of years ago I was having a heck of a time getting a virus update from one of the software vendor's sites, so I did a Sniffer trace of the transaction.  It appears that both Netscape and IE use PASV mode by default for ftp:// accesses.  Since IIS supports PASV mode, it should work fine.  However, I did discover an interesting problem with IIS on servers with multiple assigned IP addresses.  The vendor I was accessing had two addresses assigned to their external ethernet card.  DNS resolved the FTP site to the first address, but the IIS server attempted to set up data connections using the second address!  This seriously confused NAT.  The lesson here: don't double number interfaces on your IIS server.

I'm not sure I understand your reasoning for limiting access at the router using ACLs if you have a PIX firewall.  If you allow high order ports outbound from your IIS server it should resolve the PASV connection problem.

-- Bill Stackpole, CISSP



David Shackelford <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]

07/06/00 08:50 AM

To: [EMAIL PROTECTED]
cc:
Subject: Passive Mode FTP usage & access-lists


I have been looking at the RFC (1579) relating to ftp PASV and router
access-lists and had a few questions related to a problem I'm encountering.

I've got a FTP server running IIS 4.0 in my DMZ (which is created/protected
by a PIX). I recently changed my Cisco router access-list to deny all but
the protocols I need for business. I'm allowing TCP 20 and 21 in, but many
ftp operations are failing. I realize that this is because the clients are
trying to open restricted ports (in the 2000 range) on the server during
data channel requests. It seems like my trouble, after reading the RFC, is
that we aren't using passive mode. Is this right, and will I be able to
implement this on IIS? Would it be best to just open a larger range of ports
on the router and let the firewall do its work?

Our ftp server is used for both web-URL-based downloads and client batching
projects, so both browsers and various clients will be used to connect to
us.

TIA,

Dave Shackelford
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
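The following is an added example, not code from either poster. It works through both messages above: Dave's question (why a router ACL that permits only TCP 20 and 21 breaks the data channel, and what changes between active PORT and passive PASV transfers), and Bill's observation that a server with two addresses on one interface can advertise the wrong address in its 227 reply. The addresses, the 227/PORT strings and the ACL entries are constructed for illustration; the ACL model is a deliberately simplified stand-in for a Cisco access-list (first match wins, implicit deny at the end), not Cisco's syntax.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses for the example (RFC 5737 documentation ranges), not real hosts.
SERVER_PRIMARY_IP = "192.0.2.10"   # the address DNS resolves the FTP site to
SERVER_SECOND_IP = "192.0.2.11"    # a second address on the same interface (Bill's case)
CLIENT_IP = "198.51.100.7"

# RFC 959 encodes host and port as six decimal bytes: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(r"^227 [^(]*\(" + _HOSTPORT + r"\)")
PORT_RE = re.compile(r"^PORT " + _HOSTPORT + r"\s*$")


def _decode(groups: Tuple[str, ...]) -> Tuple[str, int]:
    """Turn the six comma-separated bytes into (dotted_ip, port)."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in host/port specification")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def parse_pasv_reply(line: str) -> Tuple[str, int]:
    """Server's 227 reply: the client will open the data connection TO this ip:port."""
    m = PASV_RE.match(line)
    if not m:
        raise ValueError(f"not a 227 reply: {line!r}")
    return _decode(m.groups())


def parse_port_command(line: str) -> Tuple[str, int]:
    """Client's PORT command: the server will open the data connection FROM port 20 TO this ip:port."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return _decode(m.groups())


@dataclass(frozen=True)
class DataConnection:
    src_ip: str
    src_port: Optional[int]  # None means "any ephemeral port", as a client-initiated connection uses
    dst_ip: str
    dst_port: int


def pasv_data_connection(client_ip: str, pasv_reply: str) -> DataConnection:
    """Passive mode: client -> server high port. Inbound to the server from the router's view."""
    ip, port = parse_pasv_reply(pasv_reply)
    return DataConnection(client_ip, None, ip, port)


def active_data_connection(server_ip: str, port_cmd: str) -> DataConnection:
    """Active mode: server port 20 -> client high port. Inbound to the client from its firewall's view."""
    ip, port = parse_port_command(port_cmd)
    return DataConnection(server_ip, 20, ip, port)


def pasv_address_mismatch(control_peer_ip: str, pasv_reply: str) -> bool:
    """True when the 227 reply advertises an address other than the one the control connection uses.
    This is the double-numbered-interface symptom Bill describes; a NAT or stateful firewall that
    tracked the control connection will not expect a data connection to the other address."""
    advertised_ip, _ = parse_pasv_reply(pasv_reply)
    return advertised_ip != control_peer_ip


@dataclass(frozen=True)
class AclEntry:
    permit: bool
    dst_ip: str        # "any" or one host address
    port_lo: int
    port_hi: int


def acl_permits(acl: List[AclEntry], conn: DataConnection) -> bool:
    """Simplified access-list evaluation: first matching entry decides, otherwise implicit deny."""
    for entry in acl:
        if entry.dst_ip not in ("any", conn.dst_ip):
            continue
        if entry.port_lo <= conn.dst_port <= entry.port_hi:
            return entry.permit
    return False


# Constructed ACLs: Dave's "TCP 20 and 21 in" and the same list widened to the high ports.
ACL_20_21 = [AclEntry(True, SERVER_PRIMARY_IP, 20, 20), AclEntry(True, SERVER_PRIMARY_IP, 21, 21)]
ACL_WITH_HIGH_PORTS = ACL_20_21 + [AclEntry(True, SERVER_PRIMARY_IP, 1024, 65535)]


if __name__ == "__main__":
    reply = "227 Entering Passive Mode (192,0,2,10,8,1)."   # constructed: port 8*256+1 = 2049
    conn = pasv_data_connection(CLIENT_IP, reply)
    print("PASV data connection:", conn)
    print("permitted by 20/21-only ACL:", acl_permits(ACL_20_21, conn))
    print("permitted with high ports:", acl_permits(ACL_WITH_HIGH_PORTS, conn))
    bad_reply = "227 Entering Passive Mode (192,0,2,11,8,1)."  # constructed: second address advertised
    print("address mismatch on second reply:", pasv_address_mismatch(SERVER_PRIMARY_IP, bad_reply))
```

Run as a script it prints that the passive data connection lands on port 2049 of the server, is denied by the 20/21-only list and permitted once the 1024-65535 range is added; it also flags the 227 reply that advertises the second address. The stateful fixup on the PIX would normally read the 227 reply and open exactly that port, which is why Bill suggests leaving the port-range decision to the firewall rather than a static router ACL.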

