You can confirm that FW-1 is dropping the return port like Ben suggests by
sniffing the line when the problem is occurring. Any sniffer app should do
the trick but if you don't have a commercial one to use, tcpdump is pretty
solid and easy to use. I think it's only *nix-based so it won't work on a
Windows system but it's still worth a shot if you happen to have a *nix
system that can be on the same line as the FW-1 box. Try www.tcpdump.org to
download the software. Hope this helps.
opiesan
>From: Ben Nagy <[EMAIL PROTECTED]>
>To: "'Shane Miller'" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
>Subject: RE: FTP'ing through 2 firewalls
>Date: Tue, 28 Nov 2000 09:41:18 +1030
>
>I would suggest that the FW-1 is dropping the return FTP high port
>connection.
>
>Try "passive" FTP from site B and see if that works. If so, make sure that
>the FW-1 is configured to use non-PASV FTP. Or, better still, deal with only
>being able to use PASV from site B.
>
>When Mike's little FTP bug came out, the initial recommendation was to
>disable active FTP - they may have done that and not remembered.
>
>Cheers,
>
>--
>Ben Nagy
>Marconi Services
>Network Integration Specialist
>Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
>
> > -----Original Message-----
> > From: Shane Miller [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, 28 November 2000 7:17
> > To: [EMAIL PROTECTED]
> > Subject: FTP'ing through 2 firewalls
> >
> >
> > I have a problem I hope some people on this list could shed some light on.
> >
> > Site A has the following:
> > Packet filtering firewall with stateful inspection forwarding port 21 to a
> > MS FTP server.
> >
> > Site B has the following:
> > Checkpoint FW-1 forwarding 21 to MS FTP server.
> >
> > Site A can connect to Site B via DOS FTP with fully functional data and
> > control sessions.
> > Site B can connect to Site A via DOS FTP and not achieve a data connection.
> > Only log in.
> >
> > Does this have anything to do with an Application proxy, if that is what
> > FW-1 uses?
> > Hopefully this info isn't too sketchy. I can elaborate if needed.
> > Any hints, recommendations, URLs, or one-liners would be appreciated.
> >
> > Thanks in advance,
> > Shane
> > [EMAIL PROTECTED]
> >
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
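An added example, not part of the original thread: one way to read a capture for the symptom discussed above, by pairing each active-mode `PORT` command on the control channel with the server's port-20 connection back to the announced high port. The capture lines are constructed and simplified in tcpdump's one-line style, the addresses are documentation ranges, and it is assumed the capture is taken where no NAT rewrites the `PORT` address.

```python
import re

# Constructed capture lines in tcpdump's one-line style (not from the thread).
SAMPLE = """\
09:41:18.10 IP 192.0.2.10.1045 > 198.51.100.5.21: Flags [P.], length 24: FTP: PORT 192,0,2,10,4,22
09:41:18.15 IP 198.51.100.5.21 > 192.0.2.10.1045: Flags [P.], length 30: FTP: 200 PORT command successful.
09:41:18.20 IP 198.51.100.5.20 > 192.0.2.10.1046: Flags [S], seq 100, length 0
09:41:21.20 IP 198.51.100.5.20 > 192.0.2.10.1046: Flags [S], seq 100, length 0
09:41:27.20 IP 198.51.100.5.20 > 192.0.2.10.1046: Flags [S], seq 100, length 0
"""

PKT = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")
PORT_CMD = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def diagnose(capture):
    """Map each PORT-announced endpoint to a verdict on its data connection."""
    state = {}  # (ip, port) -> {"syns": n, "answered": bool}
    for line in capture.splitlines():
        pkt = PKT.search(line)
        if not pkt:
            continue
        src, sport, dst, dport, flags = pkt.groups()
        cmd = PORT_CMD.search(line)
        if cmd and dport == "21":
            h = cmd.groups()
            # Client announces where it listens: port = p1*256 + p2
            ep = (".".join(h[:4]), str(int(h[4]) * 256 + int(h[5])))
            state[ep] = {"syns": 0, "answered": False}
        elif flags == "S" and (dst, dport) in state:
            state[(dst, dport)]["syns"] += 1        # server opening the data channel
        elif flags == "S." and (src, sport) in state:
            state[(src, sport)]["answered"] = True  # client's SYN-ACK was seen
    verdicts = {}
    for ep, s in state.items():
        if s["answered"]:
            verdicts[ep] = "established"
        elif s["syns"]:
            verdicts[ep] = "dropped: %d unanswered SYNs" % s["syns"]
        else:
            verdicts[ep] = "no data connection attempted"
    return verdicts

if __name__ == "__main__":
    for ep, v in diagnose(SAMPLE).items():
        print("%s:%s -> %s" % (ep[0], ep[1], v))
```

Repeated SYNs from port 20 with no SYN-ACK place the drop between the capture point and the client; no SYN at all means the server's connection never reached the capture point.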