NAT + FTP = troubles?

Discussion in 'Server Networking' started by Massimo, May 17, 2004.

  1. Massimo

    Massimo Guest

    I have two Windows Server 2003 web and FTP servers (IIS 6.0) behind a
    Windows Server 2003 router, using RRAS with NAT. The private LAN is a
    class C, the addresses of the two servers are
    and, the address of the RRAS server is; each of
    the servers uses the RRAS server as the default gateway.
    The RRAS server itself has two public IPs, X.Y.Z.137 and X.Y.Z.185; I want
    to forward the HTTP and FTP services from the .137 IP to the first server,
    and from the .185 IP to the second server.
    I assigned .137 as the main address of the public interface of the server,
    and then in the RRAS console specified .137 and .185 in the address pool; I
    also created a reservation for .185 to the second server, without allowing
    incoming connections. I also opened the right ports (80 and 21) for both
    public IPs to the servers, so the mappings are as follows:

    X.Y.Z.137:21 ->
    X.Y.Z.137:80 ->
    X.Y.Z.185:21 ->
    X.Y.Z.185:80 ->

    Everything works fine, except FTP to the second server. When I try
    connecting from the outside, the connection is established and then sits
    there for a while; before getting to the authentication phase, it dies. This
    happens from the command-line FTP utility... when using IE, it reports that
    the FTP session has been terminated.
    HTTP for both servers and FTP for the first one work perfectly.

    I really don't know what's going wrong, everything seems to be fine but it
    doesn't work... and I need these two servers up and running for tomorrow.
    Can someone please help?

    Massimo, May 17, 2004

  2. Massimo

    NetEng Guest

    Is there anything in your event logs? FTP logs?
    NetEng, May 17, 2004

  3. Massimo

    Massimo Guest


    Massimo, May 17, 2004
  4. Classic ftp problem

    FTP actually uses two ports:
    port 21 is the control port
    and port 20 is the data transfer port.

    It sounds like you are only doing a simple NAT,
    so you should be able to just NAT that port
    and things should work. A stateful firewall
    (i.e. Cisco, Checkpoint, Linux/BSD) usually
    totally messes up a NATed FTP setup.

    (Because you initiate traffic on one port but
    return traffic is coming from a different port, thus
    the "statefulness" is broken.)

    Commercial firewalls typically have an "ftp fixup"
    option to deal with this.

    More info than you wanted to know.

    Hope that helps.

    If you open your
    Skinny_White_Guy, May 18, 2004
  5. Massimo

    NetEng Guest

    from the outside, can you telnet to port 21? This will tell us if we can get
    to the box OK. Let's see if we can get a connection first and then we'll see
    if it's an FTP problem or not.
    NetEng, May 18, 2004
  6. Massimo

    Massimo Guest

    Yes, the connection gets established correctly (as it is using the
    command-line FTP client).

    Massimo, May 18, 2004
  7. Massimo

    Massimo Guest

    Yes, I know.
    I tried NATting port 20 also, but it didn't help.
    I discovered also a strange behaviour: the NAT works perfectly for .137 to
    .11 OR from .185 to .20, if I enable only one of these forwardings; so the
    problem is not IP-related... it only happens when using *two* FTP mappings
    at once.

    Massimo, May 18, 2004
  8. Are you behind a stateful firewall? If so, this is probably the issue.
    You can try running ftp in PASV mode.
    This will allow the client to initiate the data connection.

    Windows native ftp.exe will not do PASV mode.
    You will have to get some other commercial version.
    Most *nix clients support PASV mode.
    You can probably find some commercial versions like CuteFTP
    or others that will do PASV. OR get a firewall that understands
    the FTP protocol nuances better and supports stateful ftp
    (i.e. Cisco, or Firewall-1).

    Hope that helps.
    Skinny_White_Guy, May 19, 2004
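Posts 4 and 8 above describe the core of the problem: FTP's PORT command and its 227 reply carry an IP address and port inside the control channel, so a device that only forwards tcp/21 cannot know which data connection to expect, and "ftp fixup" style application-level gateways exist to parse and rewrite those fields. The block below is an added illustration in Python, not code from this thread and not how the RRAS NAT's own FTP handling is implemented. It models a minimal ALG for a server behind NAT, covering both the active-mode PORT case and the passive-mode 227 rewrite, and includes the check an ALG should make that a PORT address matches the control-connection peer. All addresses are constructed (RFC 5737 documentation ranges stand in for the thread's X.Y.Z.* public and private hosts).

```python
"""Toy FTP application-level gateway (the "ftp fixup" idea).

Added illustration, not code from the thread or from RRAS. It models why
plain port-forwarding of tcp/21 is not enough for FTP: the control channel
carries IP addresses and ports in the PORT command and the 227 reply, so a
NAT must parse them, rewrite the private address on the way out, and open
the matching data-connection pinhole. All addresses below are constructed.
"""
import re

# FTP encodes ip:port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2 (RFC 959).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227\s.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def encode_hostport(ip, port):
    """Render ip and port in FTP's comma-separated form."""
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    return "%s,%d,%d" % (ip.replace(".", ","), port >> 8, port & 0xFF)


def decode_hostport(groups):
    """Inverse of encode_hostport, from the six regex capture groups."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if any(o > 255 for o in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in host-port string")
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


class FtpAlg:
    """Sits on one forwarded control connection public_ip:21 -> private_ip:21."""

    def __init__(self, public_ip, private_ip, client_ip):
        self.public_ip = public_ip    # address the Internet client connected to
        self.private_ip = private_ip  # NATed FTP server
        self.client_ip = client_ip    # peer of the control connection
        self.pinholes = []            # data flows the NAT must now permit

    def client_to_server(self, line):
        """Active mode: the client sends PORT with its own ip:port and the
        server will connect out from tcp/20. Outbound NAT is easy, but a
        stateful device must still be told to expect the flow, and the ALG
        must check the address is the client's own so the server cannot be
        used to bounce connections to third parties."""
        m = PORT_RE.match(line)
        if not m:
            return line
        ip, port = decode_hostport(m.groups())
        if ip != self.client_ip:
            raise ValueError("PORT address %s is not the control peer %s" % (ip, self.client_ip))
        if port < 1024:
            raise ValueError("refusing PORT to privileged port %d" % port)
        self.pinholes.append(("out", self.private_ip, 20, ip, port))
        return line

    def server_to_client(self, line):
        """Passive mode: the server answers 227 with its *private* address,
        which is unreachable from the Internet. Rewrite it to the public
        address and open an inbound pinhole for that port."""
        m = PASV_RE.match(line)
        if not m:
            return line
        ip, port = decode_hostport(m.groups())
        if ip != self.private_ip:
            return line  # not this server's address; leave the reply untouched
        self.pinholes.append(("in", self.public_ip, port, self.private_ip, port))
        return "227 Entering Passive Mode (%s)\r\n" % encode_hostport(self.public_ip, port)


def demo():
    """Two NATed servers on two public IPs, as in the thread, each with its own ALG."""
    # Constructed addresses: RFC 5737 documentation ranges stand in for X.Y.Z.*.
    alg1 = FtpAlg("198.51.100.137", "192.0.2.11", "203.0.113.50")
    alg2 = FtpAlg("198.51.100.185", "192.0.2.20", "203.0.113.50")
    # Client to server 1 uses active mode (PORT -> 203.0.113.50:1025).
    alg1.client_to_server("PORT 203,0,113,50,4,1\r\n")
    # Client to server 2 uses passive mode; the server answers with its private address.
    reply = alg2.server_to_client("227 Entering Passive Mode (192,0,2,20,195,88)\r\n")
    return alg1.pinholes, alg2.pinholes, reply
```

The point of keying one ALG instance per forwarded control connection (public address plus client) is that two simultaneous port-21 mappings, as in the thread, must each track their own data pinholes and rewrite 227 replies with their own public address; a NAT that keeps a single FTP state per port rather than per mapping has nothing to distinguish the two.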
  9. Massimo

    NetEng Guest


    I'm wondering if the server can't keep track of multiple NATs with the same
    port numbers. If you have a support contract, I'd try calling MS and see
    what they say. As SWG said, a stateful firewall will be able to handle this. I'll
    look around and see if I can find anything.
    NetEng, May 19, 2004
  10. Massimo

    NetEng Guest

    Looking around @ MS Support, it looks like Win2k NAT is pretty limited, they
    suggest using ISA server for "advanced" security features.
    NetEng, May 19, 2004
  11. Massimo

    Massimo Guest

    I'm using the Windows 2003 RRAS, as I said in the first post...

    Massimo, May 19, 2004
  12. Massimo

    Massimo Guest

    It can, it's doing it perfectly with HTTP.
    It just seems to have troubles with two FTP mappings together...

    Massimo, May 19, 2004
  13. Massimo

    Massimo Guest

    Ok, but if it lets me map ports from public IPs to private ones, I'd like
    this feature to work...
    And this is 2003, anyway.

    Massimo, May 19, 2004
  14. Massimo

    Massimo Guest

    Any thought about this?
    FTP also works perfectly on the second IP, if I configure only that mapping;
    the RRAS just seems not to be able to handle two port 21 mappings at once.

    Massimo, May 23, 2004
