IIS FTP Server setup behind a router firewall?

Alan

I have been using the FTP server running on Windows XP Professional with a
static IP for years with no trouble.
I have recently added a router as a firewall and port forwarded port 80 for
the web server (no problem there) and ports 20 & 21 for the FTP server. I don't
think I have all of the necessary ports open to allow file transfers. I keep
getting permission errors. You can get a connection but transfers fail. Has
anyone set this up before without opening so many ports that the firewall is
useless? Is the version of IIS released with Windows XP Professional capable
of assigning ports for these transfers? I understand you need 2 ports per
connection. Any help with this problem would be appreciated.
 
John Wunderlich

I have been using the FTP server running on Windows XP
Professional with a static IP for years with no trouble.
I have recently added a router as a firewall and port forwarded
port 80 for the web server (no problem there) and ports 20 & 21 for
the FTP server. I don't think I have all of the necessary ports
open to allow file transfers. I keep getting permission errors.
You can get a connection but transfers fail. Has anyone set this
up before without opening so many ports that the firewall is
useless? Is the version of IIS released with Windows XP
Professional capable of assigning ports for these transfers? I
understand you need 2 ports per connection. Any help with this
problem would be appreciated.

Strictly speaking, if an FTP _server_ is behind a NAT router, then only
active mode FTP should work. If an FTP _client_ is behind a NAT router,
then only Passive mode FTP should work. If both are behind NAT
routers, then FTP won't work. This is irrespective of port forwarding.

The reason for this is that when it comes time to establish the data
connection, depending on active or passive mode one side will tell the
other to "connect to me at the following IP address and Port". Because
they are behind a NAT router, the IP address they think they have is a
non-internet-routable address like 192.168.1.x, and they tell the other
side to connect to this 192.168.x.x address which the other side simply
can't do -- and the connection fails.

Some FTP clients realize this limitation and provide work-arounds to
get FTP to work by ignoring the IP address it is told to use and
instead use the IP address of the original connection. "Filezilla",
for example, has a setting for passive mode that reads: "Some
misconfigured remote servers which are behind a router may reply with
their local IP address:
o Use the server's external IP address instead."

I'm not familiar with the server you're using, but check to see if it
has a setting for you to provide an external IP address for
establishing data connections in passive mode. This can get dicey if
your external IP address changes.

HTH,
John
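
Added example, not part of the original posts: a Python sketch of the client-side workaround described above, where a passive-mode reply carrying the server's LAN address is detected and the control connection's address is used instead. The function names and the sample replies are constructed for illustration; the 227 reply layout (h1,h2,h3,h4,p1,p2) is the standard FTP one.

```python
import ipaddress
import re

# Addresses a host behind NAT typically believes it has (RFC 1918, plus
# loopback and link-local). None of these are reachable from the internet.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def is_non_routable(ip):
    return any(ip in net for net in NON_ROUTABLE)


def parse_pasv(reply):
    """Return (IPv4Address, port) advertised in a '227 Entering Passive Mode' reply."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in: %r" % reply)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]  # port = p1*256 + p2


def data_endpoint(reply, control_peer_ip):
    """Choose where to open the data connection.

    control_peer_ip is the address the control connection (port 21) was
    actually made to. Returns (ip, port, substituted).
    """
    advertised, port = parse_pasv(reply)
    peer = ipaddress.IPv4Address(control_peer_ip)
    # Server reported a LAN address but we reached it over a routable one:
    # the reply came from behind NAT, so fall back to the address that works.
    if is_non_routable(advertised) and not is_non_routable(peer):
        return str(peer), port, True
    return str(advertised), port, False


if __name__ == "__main__":
    # Constructed sample: server on 192.168.1.10 behind a router at 203.0.113.7.
    print(data_endpoint("227 Entering Passive Mode (192,168,1,10,19,137)", "203.0.113.7"))
```

Substituting the address only repairs the host part of the reply; the port it names (5001 in the sample) still has to be forwarded by the server's router for the data connection to succeed.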
 
