Robert,

You are right that there is a long delay between the 20 and 425 messages,
note however that none of the sessions connect (command line FTP, WS_FTP,
IE4, etc) so surely if it were a "hard" problem from the config of the
firewall then all sites would be affected and I wouldn't be able to talk to
ftp.compaq.com for example from all 3 products?

What is the difference between those two sites for example -- ftp.compaq.com
and ftp.oracle.com?

I have tested with passive settings on the firewall turned on and off, plus
the same passive/active settings in WS_FTP's connection.

Regards

Tim



-----Original Message-----
From: Robert MacDonald [mailto:[EMAIL PROTECTED]]
Sent: 23 June 2000 19:44
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [FW1] FTP can't connect to certain servers.


Tim,

I bet you have a long pause between the 200/425
messages.

PASV does not work on Windows boxes. Here is
what a 'normal' NT command line FTP does on
Oracle's site (snoop from outside fw):

stayout-nic -> 206.204.55.43 FTP C port=22749
206.204.55.43 -> stayout-nic   FTP R port=22749
  stayout-nic -> 206.204.55.43 FTP C port=22749
206.204.55.43 -> stayout-nic   FTP R port=22749 220-Hello, Welcome t
  stayout-nic -> 206.204.55.43 FTP C port=22749
206.204.55.43 -> stayout-nic   FTP R port=22749 220-\r\n220-\r\n220 web5
  stayout-nic -> 206.204.55.43 FTP C port=22749
  stayout-nic -> 206.204.55.43 FTP C port=22749 USER anonymous\r\n
206.204.55.43 -> stayout-nic   FTP R port=22749
206.204.55.43 -> stayout-nic   FTP R port=22749 331 Guest login ok,
  stayout-nic -> 206.204.55.43 FTP C port=22749
  stayout-nic -> 206.204.55.43 FTP C port=22749 PASS [EMAIL PROTECTED]
206.204.55.43 -> stayout-nic   FTP R port=22749 230 Anonymous login
  stayout-nic -> 206.204.55.43 FTP C port=22749
  stayout-nic -> 206.204.55.43 FTP C port=22749 PORT 208,240,15,3,89
206.204.55.43 -> stayout-nic   FTP R port=22749 200 PORT command suc
  stayout-nic -> 206.204.55.43 FTP C port=22749 NLST\r\n
206.204.55.43 -> stayout-nic   FTP R port=22749
206.204.55.43 -> stayout-nic   FTP R port=22749 425 Can't build data
  stayout-nic -> 206.204.55.43 FTP C port=22749

But notice the difference when I ask IE to do this
with ftp://ftp.oracle.com

stayout-nic -> 206.204.55.43 FTP C port=23676
206.204.55.43 -> stayout-nic   FTP R port=23676
  stayout-nic -> 206.204.55.43 FTP C port=23676
206.204.55.43 -> stayout-nic   FTP R port=23676 220-Hello, Welcome t
  stayout-nic -> 206.204.55.43 FTP C port=23676
206.204.55.43 -> stayout-nic   FTP R port=23676 220-\r\n220-\r\n220 web5
  stayout-nic -> 206.204.55.43 FTP C port=23676 USER anonymous\r\n
206.204.55.43 -> stayout-nic   FTP R port=23676
206.204.55.43 -> stayout-nic   FTP R port=23676 331 Guest login ok,
  stayout-nic -> 206.204.55.43 FTP C port=23676 PASS IEUser@\r\n
206.204.55.43 -> stayout-nic   FTP R port=23676 230 Anonymous login
  stayout-nic -> 206.204.55.43 FTP C port=23676 CWD /\r\n
206.204.55.43 -> stayout-nic   FTP R port=23676 250 CWD command succ
  stayout-nic -> 206.204.55.43 FTP C port=23676 TYPE A\r\n
206.204.55.43 -> stayout-nic   FTP R port=23676 200 Type set to A.\r\n
  stayout-nic -> 206.204.55.43 FTP C port=23676 PASV\r\n
206.204.55.43 -> stayout-nic   FTP R port=23676 227 Entering Passive
  stayout-nic -> 206.204.55.43 TCP D=45609 S=23693 Syn Seq=621723 Len=0 Win=8192
206.204.55.43 -> stayout-nic   TCP D=23693 S=45609 Rst Ack=621724 Win=0
  stayout-nic -> 206.204.55.43 FTP C port=23676
  stayout-nic -> 206.204.55.43 TCP D=45609 S=23693 Syn Seq=621723 Len=0 Win=8192
206.204.55.43 -> stayout-nic   TCP D=23693 S=45609 Rst Ack=621724 Win=0
  stayout-nic -> 206.204.55.43 TCP D=45609 S=23693 Syn Seq=621723 Len=0 Win=8192
206.204.55.43 -> stayout-nic   TCP D=23693 S=45609 Syn Ack=621724 Seq=760474867 Len=0 Win=64240
  stayout-nic -> 206.204.55.43 TCP D=45609 S=23693     Ack=760474868 Seq=621724 Len=0 Win=8760
  stayout-nic -> 206.204.55.43 FTP C port=23676 LIST\r\n
206.204.55.43 -> stayout-nic   FTP R port=23676 150 Opening ASCII mo
206.204.55.43 -> stayout-nic   TCP D=23693 S=45609     Ack=621724 Seq=760474868 Len=256 Win=64240
206.204.55.43 -> stayout-nic   TCP D=23693 S=45609 Fin Ack=621724 Seq=760475124 Len=0 Win=64240
  stayout-nic -> 206.204.55.43 TCP D=45609 S=23693     Ack=760475125 Seq=621724 Len=0 Win=8504
  stayout-nic -> 206.204.55.43 TCP D=45609 S=23693 Fin Ack=760475125 Seq=621724 Len=0 Win=8504
206.204.55.43 -> stayout-nic   TCP D=23693 S=45609     Ack=621725 Seq=760475125 Len=0 Win=64240
  stayout-nic -> 206.204.55.43 FTP C port=23676
206.204.55.43 -> stayout-nic   FTP R port=23676 226 Transfer complet
  stayout-nic -> 206.204.55.43 FTP C port=23676

As for the others, they are not in passive mode.

HTH.

Robert

- -
Robert P. MacDonald, Network Engineer
e-Business Infrastructure
G o r d o n   F o o d    S e r v i c e
Voice: +1.616.261.7987 email: [EMAIL PROTECTED]

>>> Chilton Tim <[EMAIL PROTECTED]> 6/23/00 10:59:49 AM >>>
>
>I have a minor problem with FTP to certain sites, goes a little like this.
>
>ftp to ftp.compaq.com -- all OK, works via NT command line, WS_FTP, IE5 etc,
>this is the situation for *most* sites
>
>Certain sites like ftp.oracle.com don't work -- I can connect and log in
>(as anonymous), get the welcome message but an "LS" command generates the
>following
>200 PORT command successful.
>425 Can't build data connection: No such file or directory.
>
>I also know it is firewall related since a workstation outside the firewall
>can connect properly.
>
>Firewall config is NT, FW1 4.1 and a CVP for FTP amongst other things.
>
>Anyone come across this - and for the high-score a solution to it :-> 
>
>Tim
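
The two traces in this thread differ in who opens the data connection, and a stateful firewall has to work that out from the control channel. The sketch below is an added example, not part of the original messages or of FW-1: it decodes the RFC 959 host-port argument of PORT and of a 227 reply and returns the data flow a filter would need to permit. The function names, the 192.0.2.10 client address and both sample lines are constructed; the 227 sample is built to match the D=45609 data connection seen in the IE trace.

```python
import re

# RFC 959 host-port: h1,h2,h3,h4,p1,p2 as decimal octets; port = p1*256 + p2.
_HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

# Constructed sample lines (the snoop summaries on the page are truncated).
SAMPLE_227 = "227 Entering Passive Mode (206,204,55,43,178,41)\r\n"
SAMPLE_PORT = "PORT 192,0,2,10,19,137\r\n"


def parse_hostport(text):
    """Return (ip, port) from a host-port string, or None if it is malformed."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def expected_data_flow(line, client_ip, server_ip):
    """Map one control-channel line to the data connection it announces.

    Returns (initiator, src_ip, dst_ip, dst_port). Returns None when the line
    announces nothing, is truncated, or names an address other than the
    control-channel peer (a filter should not open a hole for a third party).
    """
    line = line.strip()
    if line.upper().startswith("PORT "):
        # Active mode: the server connects in to the address the client sent.
        hp = parse_hostport(line[5:])
        if hp and hp[0] == client_ip:
            return ("server", server_ip, hp[0], hp[1])
    elif line.startswith("227"):
        # Passive mode: the client connects out to the address the server sent.
        hp = parse_hostport(line[3:])
        if hp and hp[0] == server_ip:
            return ("client", client_ip, hp[0], hp[1])
    return None


if __name__ == "__main__":
    for sample in (SAMPLE_PORT, SAMPLE_227):
        print(expected_data_flow(sample, "192.0.2.10", "206.204.55.43"))
```

In the PORT case the connection arrives from outside, which is why it depends on the firewall tracking the control channel; in the 227 case it is an ordinary outbound connection from the client.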