This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

FTP from inside to ftp some ftp sites

Hi,
I have a very interesting problem.  I am working with ASL 3.210.  The rules on the firewall is to
LAN/ANY -> Any - Allow
With this in place, users can browse, connect via telnet to outside systems etc.

With FTP however it is different.  Users are unable to connect to some sites.  We cannot a connection closed by remote host.  From outside the firewall, the connection works fine.  The sites in question require authentication but the users never get the message to login

Using the browser ftp://same side, you finally get a login message after a very long time.  The user is then able to log on to the site

I would greatly appreciate any help in resolving this issue.

NB I a currently sitting behind a checkpoint firewall and I am able to connect to the same ftp site without a problem

Thanks

This thread was automatically locked due to age.

Parents

0 Simon Shaw over 22 years ago

Try checking here:
http://www.astaro.org/ubb/ultimatebb.php?ubb=get_topic;f=6;t=000876
Cancel
Vote Up 0 Vote Down

Cancel
0 sysalli over 22 years ago in reply to Simon Shaw

Read the document but it did not help me. I still cannot figure out why I cannot connect to a site from within the network. Remember that it takes for ever to get a connection closed by remote host when trying from a DOS prompt. but from a browser, though it takes just as long, I do get a login window. I tried another site and could connect from a DOS prompt. The reply was immediate. So what is the difference?

Once again, the rules are? Lan --> any all services, allow.

I am using a private address range on the inside using Masquerading on the fire wall

Outside (146.XXX.XXX.XXX) internal (10.0.0.X)

Thanks in advance for any help
Cancel
Vote Up 0 Vote Down

Cancel
0 sysalli over 22 years ago in reply to sysalli

Could this be because I am redirecting some of the services (ports) on the external interface to other servers on the network?
eg
External interface (DNS 53) to internal server A
External interface (ssh 22) to internal server B
External interface (telnet 23) to internal server C
external interface (http 80) to internal server D
external interface (https 443) to internal server E

Help please !!!!!!!!!!!!!

Thanks again in advance for any help
Cancel
Vote Up 0 Vote Down

Cancel
0 BQ_03 over 22 years ago in reply to sysalli

might be that the sites you can't access demands ident, is ident relay enabled?
Cancel
Vote Up 0 Vote Down

Cancel
0 Simon Shaw over 22 years ago in reply to BQ_03

Have you tried setting your ftp client to PASV mode ?
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Simon Shaw over 22 years ago in reply to BQ_03

Have you tried setting your ftp client to PASV mode ?
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 sysalli over 22 years ago in reply to Simon Shaw

Tried ident and tried running the ftp client in pasv mode. Did not make any difference.

What I am wondering is whether the IP used for masquerading should not be used for anything else.
So have a default IP for the external interface that is used for Masquerading and other IP addresses on the external interface that are used for all other NAT functions.

I would like to confirm this thought process

Thanks again for any help
Cancel
Vote Up 0 Vote Down

Cancel
0 sysalli over 22 years ago in reply to sysalli

I changed the external IP address of the firewall and gave the card a separate address used only for masquerading. It also has about 10 other secondary IP addresses for redirecting different kinds of traffic to different servers.

Still cannot ftp out to some servers on the internet.

Any ideas??????????
Cancel
Vote Up 0 Vote Down

Cancel