I had a similar problem months ago. Behind a cluster of two FW-1s, an FTP from a Solaris host to an outer Microsoft FTP server was usually dropped due to an FTP PORT command error. The solution I had to take, after a lot of headaches, was to include both the ftp and ftp-data services in the rule.

    Regards

Glenn Mabbutt wrote:

 

Sorry, I meant to say that the "FTP-PASV" option was in fact checked on both firewalls (recall 1 worked, 1 doesn't), as is the "FTP-PORT" option on both firewalls.  There were some suggestions in previous postings that disabling those options made them work?? so I tried that on the firewall that doesn't work, but still no luck.  Any other ideas??

Thanks,
Glenn

-----Original Message-----
From: Reed Mohn, Anders [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 29, 2001 4:00 AM
To: 'Glenn Mabbutt'; '[EMAIL PROTECTED]'
Subject: RE: [FW1] MS FTP behind NAT
 

There are multiple suggestions on solving such problems
in the list archives (http://www.securepoint.com).

Try enabling passive-mode FTP on the FW.
(Under Policy->Properties)
 

Cheers,
Anders :)

-----Original Message-----
From: Glenn Mabbutt [mailto:[EMAIL PROTECTED]]
Sent: 28 June 2001 00:23
To: '[EMAIL PROTECTED]'
Subject: [FW1] MS FTP behind NAT
 

I'm having a rather irritating problem:  someone behind one of our FW-1
firewalls has to use Microsoft's command-line FTP (from win98, win2k, and
winnt) as part of a batch script (I know it's junk, but the scripter won't
use anything else).  I tried it behind a different FW-1, and it worked.
Here is the common configuration between the 2 firewalls:

- FW-1 4.1 on NT sp 6a
- hosts are being NATted, the test PCs are statically mapped to valid IPs
(doing it without the static NAT gives a host of errors)

- ftp is enabled in the rulebase for outbound connections

Here's what's different between the 2 firewalls (firewall A functions
properly, firewall B does not):

- firewall A is running FW-1 service pack 2, firewall B is running FW-1
service pack 3

- SYNDefender is set to "none" on firewall A and is set to "passive gateway"
on firewall B

- under "logs and alerts" in Policy > Properties, "log established TCP
connections" is checked on firewall A and is unchecked on firewall B.

Those are the only differences I can find.  What happens when I try to
connect to an ftp server behind firewall B is that I can log in, but when I
try to do a directory listing or cd to a directory I get an error saying
"invalid port command" - no such error from behind firewall A.

Any suggestions??

thanks,
Glenn
 

================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

--
Alberto
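As an added illustration (not code from anyone in this thread), the following shows the mechanism behind an "invalid port command" on a NATted client: in active-mode FTP the client embeds its own address in the PORT argument, so unless the NAT device rewrites that argument, the address the server (or the firewall's FTP inspection) sees does not match the source of the control connection. The private and public addresses and the static mapping below are constructed sample values.

```python
import ipaddress
import re

# RFC 959 form: PORT h1,h2,h3,h4,p1,p2  (port = p1*256 + p2)
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_command(line):
    """Parse a PORT command into (ip_string, port); raise ValueError if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    fields = [int(f) for f in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % line)
    ip = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return str(ip), port


def build_port_command(ip, port):
    """Inverse of parse_port_command: encode ip/port in h1,h2,h3,h4,p1,p2 form."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return "PORT " + ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def check_port_command(line, control_peer_ip):
    """What a server or FTP-inspecting firewall typically enforces: the address
    advertised in PORT must equal the control connection's peer address.
    Returns 'accept ...' or 'reject ...'."""
    ip, port = parse_port_command(line)
    if ip != str(ipaddress.IPv4Address(control_peer_ip)):
        return "reject: PORT address %s != control peer %s" % (ip, control_peer_ip)
    return "accept: data connection to %s:%d" % (ip, port)


def nat_rewrite_port(line, static_map):
    """Simplified static-NAT FTP fixup: replace a mapped private address in the
    PORT argument with its public counterpart; leave unmapped commands as-is."""
    ip, port = parse_port_command(line)
    public = static_map.get(ip)
    return build_port_command(public, port) if public else line


if __name__ == "__main__":
    # Constructed example: private 10.1.2.3 is statically mapped to 203.0.113.5
    client_cmd = "PORT 10,1,2,3,4,1"
    print(check_port_command(client_cmd, "203.0.113.5"))  # reject: private address leaked
    fixed = nat_rewrite_port(client_cmd, {"10.1.2.3": "203.0.113.5"})
    print(fixed, "->", check_port_command(fixed, "203.0.113.5"))
```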
