Can log in, but can't do anything from outside
| Dan Getz, Jr. 2005-11-30, 5:54 pm |
| Our public server (server1) is a Windows 2003 SBS server running IIS (but not
FTP) and the firewall/NAT in Routing and Remote Access. We've got a private
file server (server2) on the same domain running Windows 2003 server with IIS
(including FTP). We want to allow our outside workers to FTP files to a
section of the file server. Now, this was working at one point, I believe,
and it was probably a windows update that got installed that messed this up,
but I'm not sure.
From the local network or over VPN I can FTP to the private server using
server2.domain.com which gets mapped to a private IP address. I can log in
and list the files (dir).
From outside of the network, I can FTP to the private server using
server1.domain.com which gets mapped to the public IP address and forwarded
to the private address of server2. I can log in, but I can't send it any
commands such as dir. If I try using dir it won't list the files so I ctrl +
c to stop it and I get the following:
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
Aborting any active data connections...
425 Can't open data connection.
From what I've read, I assumed it was a firewall setting (I'm logging in as
a domain admin for testing), but that seems to be set correctly.
On server1 I have the following ports forwarding to server2: 20, 21, 5500,
5501, 5502, 5503, 5504, 5505
On server2 I have the following ports open: 20, 21, 5500, 5501, 5502, 5503,
5504, 5505
On server2, I have PassivePortRange="5500-5505"
Any ideas? I would love to have them just VPN in and put the files in the
directory but one doesn't need that much access and the other has VPN blocked
where he's working from.
| |
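Added example (not part of the original thread or of any participant's post): a small Python check that reads FTP control-channel replies like those quoted in the post above and reports whether the session used active mode (a 200 reply to PORT) or passive mode (a 227 reply), and whether a 227 reply's address and port fit the forwarded range 5500-5505 given in the post. The function names and the 10.0.0.2 sample reply are constructed for illustration.

```python
import ipaddress
import re

# From the post: PassivePortRange="5500-5505" on server2, same ports forwarded on server1.
PASSIVE_RANGE = range(5500, 5506)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(line):
    """Return (ip, port) from a 227 reply, or None if the line is not one."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return ip, nums[4] * 256 + nums[5]  # port = p1*256 + p2 (RFC 959)

def diagnose(transcript, passive_range=PASSIVE_RANGE):
    """List what the server replies say about the data connection."""
    findings = []
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith("200 PORT"):
            findings.append("active: server must connect out to the client")
        pasv = parse_pasv(line)
        if pasv:
            ip, port = pasv
            findings.append("passive: client connects to %s:%d" % (ip, port))
            if ip.is_private:
                findings.append("227 advertises a private address; NAT must rewrite it")
            if port not in passive_range:
                findings.append("port %d is outside the forwarded range" % port)
        if line.startswith("425"):
            findings.append("data connection failed (425)")
    return findings

# Server replies from the session in the post.
POSTED = """200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
425 Can't open data connection."""

# Constructed passive-mode reply for comparison: 10.0.0.2, port 21*256+124 = 5500.
CONSTRUCTED = "227 Entering Passive Mode (10,0,0,2,21,124)."

if __name__ == "__main__":
    for finding in diagnose(POSTED) + diagnose(CONSTRUCTED):
        print(finding)
```

In active mode the forwarded passive range is never used, because the server opens the data connection toward the address the client sent in PORT.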
| Dan Getz, Jr. 2005-12-02, 2:51 am |
| From what I've read / can tell, it sounds like it could be a firewall issue
with Routing and Remote Access not sending the PASV command, but I'm not
sure. Any and all help is appreciated.
| |
| Bernard Cheah [MVP] 2005-12-20, 8:00 am |
| Could be. Now, you only have 5 available ports in the port range. Try to
increase it...
You will get the same error if it runs out of ports.
--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://www.msmvps.com/blogs/bernard/
| |
| Dan Getz, Jr. 2005-12-20, 5:57 pm |
| Thanks for responding. I was the only one (or at most one of three) that
would have been using FTP at that time. Turns out that it did work, but just
had to have long timeouts. We just got a T1 line and my coworker said that
it has been working much faster now.
Thanks.
| |
| Bernard Cheah [MVP] 2005-12-22, 2:58 am |
| Thanks for the update. It all depends on the FTP client app. It could have
multiple connections per FTP session, and hence it needs more ports.
--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://www.msmvps.com/blogs/bernard/