NAT + FTP = troubles?

I have two Windows Server 2003 web and FTP servers (IIS 6.0) behind a
Windows Server 2003 router, using RRAS with NAT. The private LAN is a the
class C 192.168.43.0/24, the addresses of the two servers are 192.168.43.11
and 192.168.43.20, the address of the RRAS server is 192.168.43.1; each of
the servers uses the RRAS server as the default gateway.
The RRAS server itself has two public IPs, X.Y.Z.137 and X.Y.Z.185; I want
to forward the HTTP and FTP services from the .137 IP to the first server,
and from the .185 IP to the second server.
I assigned .137 as the main address of the public interface of the server,
and then in the RRAS console specified .137 and .185 in the address pool; I
also created a reservation for .185 to the second server, without allowing
incoming connections. I also opened the right ports (80 and 21) for both
public IPs to the servers, so the mappings are as follows:

X.Y.Z.137:21 -> 192.168.43.11:21
X.Y.Z.137:80 -> 192.168.43.11:80
X.Y.Z.185:21 -> 192.168.43.20:21
X.Y.Z.185:80 -> 192.168.43.20:80

Everything works fine, except FTP to the second server. When I try
connecting from the outside, the connection is established and then sits
there for a while; before getting to the authentication phase, it dies. This
happens from the command-line FTP utility... when using IE, it reports that
the FTP session has been terminated.
HTTP for both servers and FTP for the first one work perfectly.

I really don't know what's going wrong, everything seems to be fine but it
dowsn't work... and I need these two servers up and running for tomorrow.
Can someone please help?

Massimo

 

Is there anything in your event logs? FTP logs?

 

Nothing.

Massimo

 

Classic ftp problem

FTP actually uses two ports
port 21 is the control port
and port 20 is the data transfer port

It sounds like you are only doing a simple NAT
So you should be able to just NAT that por
and things should work. A stateful firewall
(i.e. Cisco, Checkpoint, Linux/BSD) usually
totally messes up a NATed FTP setup

(Because you initiate traffic on one port but
return traffic is coming from a different port thu
the "statefulness" is broken.

Commercial firewalls typically have an "ftp fixup
option to deal with this.

More info than you wanted to know

Hope that help

If you open your

 

from the outside, can you telnet to port 21? This will tell us if we can get
to the box OK. Let's see if we can get a connection first and then we'll see
if it's an FTP problem or not.

 

Yes, the connection gets established correctly (as it is using the
command-line FTP client).

Massimo

 

Yes, I know.
I tried NATting port 20 also, but it didn't help.

I discovered also a strange behaviour: the NAT works perfectly for .137 to
..11 OR from .185 to .20, if I enable only one of these forwardings; so the
problem is not IP-related... it only happens when using *two* FTP mappings
at once.

Sorry?

Massimo

 

Are you behind a stateful firewall? If so this is probably the issue
You can try running ftp in PASV mode
This will allow the client to initiate the data connection

Windows native ftp.exe will not do PASV mode
You will have to get some other commercial version
Most *nix clients support PASV mode
You can probably find some commercial versions like CuteFTP
or others that will do PASV. OR get a firewall that understand
the FTP protocol nuances better and supports stateful ftp
(i.e. Cisco, or Firewall-1

Hope that helps

 

Massimo-

I'm wondering if the server cant keep track of multiple NAT's with the same
port numbers. If you have a support contract, I'd try calling MS and see
what they say. As SWG said, a stateful firewall will be to handle this. I'll
look around and see if I can find anything.

 

Looking around @ MS Support, it looks like Win2k NAT is pretty limited, they
suggest using ISA server for "advanced" security features.

 

I'm using the Windows 2003 RRAS, as I said in the first post...

Massimo

 

It can, it's doing it perfectly with HTTP.
It just seems to have troubles with two FTP mappings together...

Massimo

 

Ok, but if it lets me map ports from public IPs to private ones, I'd like
this feature to work...
And this is 2003, anyway.

Massimo

 

Any tought about this?
FTP also work perfectly on the second IP, if I configure only that mapping;
the RRAS just seems not to be able to handle two port 21 mappings at once.

Massimo