NAT + FTP = troubles?

 
 
Massimo
Guest
Posts: n/a

 
      05-17-2004, 07:32 PM
I have two Windows Server 2003 web and FTP servers (IIS 6.0) behind a
Windows Server 2003 router, using RRAS with NAT. The private LAN is the
class C 192.168.43.0/24, the addresses of the two servers are 192.168.43.11
and 192.168.43.20, the address of the RRAS server is 192.168.43.1; each of
the servers uses the RRAS server as the default gateway.
The RRAS server itself has two public IPs, X.Y.Z.137 and X.Y.Z.185; I want
to forward the HTTP and FTP services from the .137 IP to the first server,
and from the .185 IP to the second server.
I assigned .137 as the main address of the public interface of the server,
and then in the RRAS console specified .137 and .185 in the address pool; I
also created a reservation for .185 to the second server, without allowing
incoming connections. I also opened the right ports (80 and 21) for both
public IPs to the servers, so the mappings are as follows:

X.Y.Z.137:21 -> 192.168.43.11:21
X.Y.Z.137:80 -> 192.168.43.11:80
X.Y.Z.185:21 -> 192.168.43.20:21
X.Y.Z.185:80 -> 192.168.43.20:80

Everything works fine, except FTP to the second server. When I try
connecting from the outside, the connection is established and then sits
there for a while; before getting to the authentication phase, it dies. This
happens from the command-line FTP utility... when using IE, it reports that
the FTP session has been terminated.
HTTP for both servers and FTP for the first one work perfectly.

I really don't know what's going wrong, everything seems to be fine but it
doesn't work... and I need these two servers up and running for tomorrow.
Can someone please help?

Massimo

 
Reply With Quote
 
 
 
 
NetEng
Guest
Posts: n/a

 
      05-17-2004, 08:35 PM
Is there anything in your event logs? FTP logs?

"Massimo" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> I have two Windows Server 2003 web and FTP servers (IIS 6.0) behind a
> Windows Server 2003 router, using RRAS with NAT. The private LAN is the
> class C 192.168.43.0/24, the addresses of the two servers are 192.168.43.11
> and 192.168.43.20, the address of the RRAS server is 192.168.43.1; each of
> the servers uses the RRAS server as the default gateway.
> The RRAS server itself has two public IPs, X.Y.Z.137 and X.Y.Z.185; I want
> to forward the HTTP and FTP services from the .137 IP to the first server,
> and from the .185 IP to the second server.
> I assigned .137 as the main address of the public interface of the server,
> and then in the RRAS console specified .137 and .185 in the address pool; I
> also created a reservation for .185 to the second server, without allowing
> incoming connections. I also opened the right ports (80 and 21) for both
> public IPs to the servers, so the mappings are as follows:
>
> X.Y.Z.137:21 -> 192.168.43.11:21
> X.Y.Z.137:80 -> 192.168.43.11:80
> X.Y.Z.185:21 -> 192.168.43.20:21
> X.Y.Z.185:80 -> 192.168.43.20:80
>
> Everything works fine, except FTP to the second server. When I try
> connecting from the outside, the connection is established and then sits
> there for a while; before getting to the authentication phase, it dies. This
> happens from the command-line FTP utility... when using IE, it reports that
> the FTP session has been terminated.
> HTTP for both servers and FTP for the first one work perfectly.
>
> I really don't know what's going wrong, everything seems to be fine but it
> doesn't work... and I need these two servers up and running for tomorrow.
> Can someone please help?
>
> Massimo
>



 
Reply With Quote
 
Massimo
Guest
Posts: n/a

 
      05-17-2004, 09:43 PM
"NetEng" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)

> Is there anything in your event logs? FTP logs?


Nothing.

Massimo

 
Reply With Quote
 
Skinny_White_Guy
Guest
Posts: n/a

 
      05-18-2004, 12:36 PM
Classic ftp problem.

FTP actually uses two ports.
port 21 is the control port,
and port 20 is the data transfer port.

It sounds like you are only doing a simple NAT.
So you should be able to just NAT that port
and things should work. A stateful firewall
(i.e. Cisco, Checkpoint, Linux/BSD) usually
totally messes up a NATed FTP setup.

(Because you initiate traffic on one port but
return traffic is coming from a different port thus
the "statefulness" is broken.)

Commercial firewalls typically have an "ftp fixup"
option to deal with this.

More info than you wanted to know.

Hope that helps.

If you open your
 
Reply With Quote
 
NetEng
Guest
Posts: n/a

 
      05-18-2004, 01:20 PM
From the outside, can you telnet to port 21? This will tell us if we can get
to the box OK. Let's see if we can get a connection first and then we'll see
if it's an FTP problem or not.

"Massimo" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> "NetEng" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)
>
> > Is there anything in your event logs? FTP logs?

>
> Nothing.
>
> Massimo
>



 
Reply With Quote
 
Massimo
Guest
Posts: n/a

 
      05-18-2004, 06:34 PM
"NetEng" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)

> from the outside, can you telnet to port 21? This will tell us if we can
> get to the box OK. Let's see if we can get a connection first and then
> we'll see if it's an FTP problem or not.


Yes, the connection gets established correctly (as it is using the
command-line FTP client).

Massimo

 
Reply With Quote
 
Massimo
Guest
Posts: n/a

 
      05-18-2004, 06:39 PM
"Skinny_White_Guy" <(E-Mail Removed)> wrote in
message news:5AFBB279-69A0-43D2-A152-(E-Mail Removed)

> FTP actually uses two ports.
> port 21 is the control port,
> and port 20 is the data transfer port.


Yes, I know.
I tried NATting port 20 also, but it didn't help.

> It sounds like you are only doing a simple NAT.
> So you should be able to just NAT that port
> and things should work. A stateful firewall
> (i.e. Cisco, Checkpoint, Linux/BSD) usually
> totally messes up a NATed FTP setup.
>
> (Because you initiate traffic on one port but
> return traffic is coming from a different port thus
> the "statefulness" is broken.)
>
> Commercial firewalls typically have an "ftp fixup"
> option to deal with this.


I discovered also a strange behaviour: the NAT works perfectly for .137 to
.11 OR from .185 to .20, if I enable only one of these forwardings; so the
problem is not IP-related... it only happens when using *two* FTP mappings
at once.

> If you open your


Sorry?

Massimo

 
Reply With Quote
 
Skinny_White_Guy
Guest
Posts: n/a

 
      05-19-2004, 12:46 PM
Are you behind a stateful firewall? If so this is probably the issue.
You can try running ftp in PASV mode.
This will allow the client to initiate the data connection.

Windows native ftp.exe will not do PASV mode.
You will have to get some other commercial version.
Most *nix clients support PASV mode.
You can probably find some commercial versions like CuteFTP
or others that will do PASV. OR get a firewall that understands
the FTP protocol nuances better and supports stateful ftp
(i.e. Cisco, or Firewall-1).

Hope that helps.
 
Reply With Quote
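An added illustration of the PASV and "ftp fixup" points in the reply above (not code from any poster, and not a diagnosis of the problem in this thread): FTP announces the data-channel address inside the control connection, so a server behind NAT advertises its private address unless something FTP-aware rewrites it. The public addresses below are placeholders for the masked X.Y.Z ones, and the sample reply line is constructed.

```python
import ipaddress
import re

# Constructed mapping: the thread masks the public IPs as X.Y.Z.137/.185,
# so RFC 5737 documentation addresses stand in for them here.
NAT_MAP = {"192.168.43.11": "203.0.113.137", "192.168.43.20": "203.0.113.185"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# h1,h2,h3,h4,p1,p2 as carried by PORT and by the 227 reply to PASV (RFC 959).
HOSTPORT = re.compile(r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),"
                      r"(\d{1,3}),(\d{1,3})(?!\d)")


def parse_data_endpoint(line):
    """Return (ip, port) announced in a PORT command or 227 reply, else None."""
    if not (line.upper().startswith("PORT ") or line.startswith("227 ")):
        return None
    m = HOSTPORT.search(line)
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed field: do not guess
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def reachable_from_outside(line):
    """False when the announced data endpoint is an RFC 1918 address."""
    ep = parse_data_endpoint(line)
    if ep is None:
        return False
    return not any(ipaddress.ip_address(ep[0]) in net for net in RFC1918)


def fixup(line, nat_map=NAT_MAP):
    """Rewrite the embedded address as an FTP-aware NAT ("fixup") would.

    Simplification: the port is kept, which assumes the server's passive
    port range is forwarded one-to-one; a real helper also maps the port.
    """
    ep = parse_data_endpoint(line)
    if ep is None or ep[0] not in nat_map:
        return line  # not a data-channel announcement, or not a mapped host
    public = nat_map[ep[0]].replace(".", ",")
    return HOSTPORT.sub(lambda m: f"{public},{m.group(5)},{m.group(6)}",
                        line, count=1)


# Constructed control-channel reply from the second server (192.168.43.20).
SAMPLE_227 = "227 Entering Passive Mode (192,168,43,20,19,137)"
```

Running `reachable_from_outside` over a captured control session is a quick check of whether the NAT device is rewriting these lines or passing the private address through.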
 
NetEng
Guest
Posts: n/a

 
      05-19-2004, 01:41 PM
Massimo-

I'm wondering if the server can't keep track of multiple NATs with the same
port numbers. If you have a support contract, I'd try calling MS and see
what they say. As SWG said, a stateful firewall will be able to handle this. I'll
look around and see if I can find anything.

"Massimo" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> "Skinny_White_Guy" <(E-Mail Removed)> wrote in
> message news:5AFBB279-69A0-43D2-A152-(E-Mail Removed)
>
> > FTP actually uses two ports.
> > port 21 is the control port,
> > and port 20 is the data transfer port.

>
> Yes, I know.
> I tried NATting port 20 also, but it didn't help.
>
> > It sounds like you are only doing a simple NAT.
> > So you should be able to just NAT that port
> > and things should work. A stateful firewall
> > (i.e. Cisco, Checkpoint, Linux/BSD) usually
> > totally messes up a NATed FTP setup.
> >
> > (Because you initiate traffic on one port but
> > return traffic is coming from a different port thus
> > the "statefulness" is broken.)
> >
> > Commercial firewalls typically have an "ftp fixup"
> > option to deal with this.

>
> I discovered also a strange behaviour: the NAT works perfectly for .137 to
> .11 OR from .185 to .20, if I enable only one of these forwardings; so the
> problem is not IP-related... it only happens when using *two* FTP mappings
> at once.
>
> > If you open your

>
> Sorry?
>
> Massimo
>



 
Reply With Quote
 
NetEng
Guest
Posts: n/a

 
      05-19-2004, 01:49 PM
Looking around @ MS Support, it looks like Win2k NAT is pretty limited; they
suggest using ISA server for "advanced" security features.

"Massimo" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> "Skinny_White_Guy" <(E-Mail Removed)> wrote in
> message news:5AFBB279-69A0-43D2-A152-(E-Mail Removed)
>
> > FTP actually uses two ports.
> > port 21 is the control port,
> > and port 20 is the data transfer port.

>
> Yes, I know.
> I tried NATting port 20 also, but it didn't help.
>
> > It sounds like you are only doing a simple NAT.
> > So you should be able to just NAT that port
> > and things should work. A stateful firewall
> > (i.e. Cisco, Checkpoint, Linux/BSD) usually
> > totally messes up a NATed FTP setup.
> >
> > (Because you initiate traffic on one port but
> > return traffic is coming from a different port thus
> > the "statefulness" is broken.)
> >
> > Commercial firewalls typically have an "ftp fixup"
> > option to deal with this.

>
> I discovered also a strange behaviour: the NAT works perfectly for .137 to
> .11 OR from .185 to .20, if I enable only one of these forwardings; so the
> problem is not IP-related... it only happens when using *two* FTP mappings
> at once.
>
> > If you open your

>
> Sorry?
>
> Massimo
>



 
Reply With Quote
 
 
 