IIS Server - FTP / Cisco / Passive mode Confusion / Clarification


Author FTP / Cisco / Passive mode Confusion / Clarification
@Amp@@

2005-12-27, 6:06 pm

Can someone confirm or explain the following?

I am no expert on the following but I believe I have identified an issue with
FTP and Cisco devices.

Scenario from INSIDE the network:
----------------------------------
When I try to access an FTP or Web address from inside to an inside address, it
does the following:

(1) Sends query to external DNS (ISP hosting our DNS) and forwards back
into our internal FTP/HTTP server. It basically routes it back in.

(2) Unsuccessful - explained previously on other postings that "you can not
go out and go back in" -- (My finding is that this is TRUE for Cisco
routers, but NOT devices like AdTran)

Scenario from OUTSIDE the network:
---------------------------------------
(1) Outside client requests FTP or HTTP to our internal servers

(2) HTTP server serves up pages just fine but FTP does not work - even
using PASSIVE mode.

Question:
----------

Is this a limitation on Cisco IOS or FTP configuration?

Test confirmation:
------------------

As a test we removed the ACL on the router and it did NOT work until we used PASSIVE
mode. When we added the ACL on the router, ACTIVE or PASSIVE mode FTP still
does not work.

We can see the connection come in on the FTP server, but it just never makes
it out.

Can someone clarify this scenario?

As I stated earlier, the limitation on NOT being able to come back in or
have full NAT capabilities I found has been on Cisco routers but not on
AdTran - from having identical setups between two clients' networks - only
difference is ROUTER (Cisco vs AdTran).


Thank you.



Bernard Cheah [MVP]

2005-12-28, 7:53 am

Specifically on FTP requests, you need to know what ports are being used.
Active mode - 21/20
Passive mode - 21/1024-5000
If the ports are blocked, the FTP request will fail.

In normal practice with FTP, it is recommended to test it with an active mode
client, e.g. ftp.exe.
Useful KB:
Information About the IIS File Transmission Protocol (FTP) Service
http://support.microsoft.com/?id=283679

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"@Amp@@" <amplee@msn.com> wrote in message
news:utQ1IExCGHA.984@tk2msftngp13.phx.gbl...
> Can someone confirm or explain the following?
>
> I am no expert on the following but I believe I have identified an issue with
> FTP and Cisco devices.
>
> Scenario from INSIDE the network:
> ----------------------------------
> When I try to access an FTP or Web address from inside to an inside address,
> it does the following:
>
> (1) Sends query to external DNS (ISP hosting our DNS) and forwards back
> into our internal FTP/HTTP server. It basically routes it back in.
>
> (2) Unsuccessful - explained previously on other postings that "you can
> not go out and go back in" -- (My finding is that this is TRUE for Cisco
> routers, but NOT devices like AdTran)
>
> Scenario from OUTSIDE the network:
> ---------------------------------------
> (1) Outside client requests FTP or HTTP to our internal servers
>
> (2) HTTP server serves up pages just fine but FTP does not work - even
> using PASSIVE mode.
>
> Question:
> ----------
>
> Is this a limitation on Cisco IOS or FTP configuration?
>
> Test confirmation:
> ------------------
>
> As a test we removed the ACL on the router and it did NOT work until we used
> PASSIVE mode. When we added the ACL on the router, ACTIVE or PASSIVE mode FTP
> still does not work.
>
> We can see the connection come in on the FTP server, but it just never
> makes it out.
>
> Can someone clarify this scenario?
>
> As I stated earlier, the limitation on NOT being able to come back in or
> have full NAT capabilities I found has been on Cisco routers but not on
> AdTran - from having identical setups between two clients' networks - only
> difference is ROUTER (Cisco vs AdTran).
>
>
> Thank you.
>
>
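
Added example (not part of the original thread and not either poster's code): a Python diagnostic for the passive-mode failure discussed above. It parses the server's 227 reply as captured in a client-side FTP session log and reports whether the announced data endpoint is an RFC 1918 address that NAT left unrewritten, or a port outside the 21/1024-5000 passive range quoted in the reply. The sample replies and the address 203.0.113.5 are constructed.

```python
import ipaddress
import re

# Passive data-port range as quoted in the reply above (1024-5000 inclusive).
PASV_RANGE = range(1024, 5001)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIELDS = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Return (ip, port) from '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    reply = reply.strip()
    m = FIELDS.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    f = [int(g) for g in m.groups()]
    if any(v > 255 for v in f):
        raise ValueError("field out of range in %r" % reply)
    ip = ipaddress.IPv4Address("%d.%d.%d.%d" % tuple(f[:4]))
    return ip, f[4] * 256 + f[5]   # the data port is sent as two bytes

def diagnose(reply, control_ip, allowed=PASV_RANGE):
    """List reasons an outside client could not open the announced data port."""
    ip, port = parse_pasv(reply)
    findings = []
    if any(ip in net for net in RFC1918):
        findings.append("server announced private address %s; the NAT device "
                        "did not rewrite the 227 reply" % ip)
    elif ip != ipaddress.IPv4Address(control_ip):
        findings.append("announced address %s differs from control address %s"
                        % (ip, control_ip))
    if port not in allowed:
        findings.append("data port %d is outside the permitted range %d-%d"
                        % (port, allowed[0], allowed[-1]))
    return findings

# Constructed sample replies; 203.0.113.5 stands in for the public address.
SAMPLES = [
    "227 Entering Passive Mode (192,168,1,10,4,210)",
    "227 Entering Passive Mode (203,0,113,5,19,137)",
    "227 Entering Passive Mode (203,0,113,5,19,136)",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", diagnose(line, "203.0.113.5") or "ok")
```
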




Copyright 2003 - 2008 webservertalk.com