ftp and NAT

Perry Diels

Hello,

I need to make a connection to an FTP server, which is using port 1994, from
my PC which is behind a NAT server (XP-Pro)
When connecting to that FTP server from the NAT machine itself it works OK,
but not from any machine which is behind it.
I suppose some ports need to be opened on the NAT server, correct me if I'm
wrong or if you have another idea!
Finally the question is, how to open those ports on the XP-PRO machine?


Thanks for your help,
Perry

BTW: Is the Universal PnP system not intended to open those ports
automatically between UPnP compatible OS'es?
 
Bob Willard

Perry said:
Hello,

I need to make a connection to an FTP server, which is using port 1994, from
my PC which is behind a NAT server (XP-Pro)
When connecting to that FTP server from the NAT machine itself it works OK,
but not from any machine which is behind it.
I suppose some ports need to be opened on the NAT server, correct me if I'm
wrong or if you have another idea!
Finally the question is, how to open those ports on the XP-PRO machine?


Thanks for your help,
Perry

BTW: Is the Universal PnP system not intended to open those ports
automatically between UPnP compatible OS'es?

Try setting your FTP client app to use passive transfers. I don't
mean the app on the NAT server, but the app on the NAT server's client.
 
Perry Diels

Perry said:
Try setting your FTP client app to use passive transfers. I don't
mean the app on the NAT server, but the app on the NAT server's client.

Hello Bob thanks for your answer,

I forgot to specify, we have tried both ftp modes PASV (passive) and normal.
It didn't work unfortunately, the problem seems to be elsewhere.
And to be sure we tried different ftp client programs and also the Windows
XP IE FTP browser.
Any other ideas?
Thanks,
Perry
 
Alun Jones [MS MVP]

"Perry Diels" said:
I need to make a connection to an FTP server, which is using port 1994, from
my PC which is behind a NAT server (XP-Pro)

Ports other than 21 are not going to be treated as FTP traffic. And the NAT
really needs to know that it's FTP traffic, and treat it accordingly. It
needs to change the content of the FTP server's response to the PASV command
(to change the IP address _and_ port that the server quotes), if the FTP
server is behind the NAT. If the FTP client is behind a NAT, the client's
NAT will need to change the contents of the PORT command - and it can't do
either of these changes unless it knows that port 1994 is being used to
carry FTP traffic.

BTW: Is the Universal PnP system not intended to open those ports
automatically between UPnP compatible OS'es?

No, it isn't intended to do that. It's intended to respond to applications'
requests to open ports. Maybe when the UPnP IGD definition includes the
ability to assign dynamic, rather than static, port entries, you'll see FTP
clients and servers using UPnP.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
 
Perry Diels

Hello Alun, thanks for your answer,

Ports other than 21 are not going to be treated as FTP traffic. And the NAT
really needs to know that it's FTP traffic, and treat it accordingly. It
needs to change the content of the FTP server's response to the PASV command
(to change the IP address _and_ port that the server quotes), if the FTP
server is behind the NAT.

The ftp server is indeed also behind NAT (Windows Server 2003) Is it needed
to change anything on the server side?

If the FTP client is behind a NAT, the client's
NAT will need to change the contents of the PORT command - and it can't do
either of these changes unless it knows that port 1994 is being used to
carry FTP traffic.

That makes sense, but how to let the NAT (Windows XP built in) know that
port 1994 is going to be used for FTP traffic?
Is there a way to specify that?

Thanks,
Perry
 
Alun Jones [MS MVP]

"Perry Diels" said:
The ftp server is indeed also behind NAT (Windows Server 2003) Is it needed
to change anything on the server side?

No - because the NAT will assign translations for ports and addresses, the
server should stay as it is, and the NAT should do all the translating of
commands and responses.

That makes sense, but how to let the NAT (Windows XP built in) know that
port 1994 is going to be used for FTP traffic?
Is there a way to specify that?

Not usually, no. In very expensive NAT systems, perhaps, yes. But in most
NAT systems, FTP is only expected on port 21. Ask your NAT provider if they
support operating the FTP ALG (Application Level Gateway) over any port
other than 21.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
 
Perry Diels

That makes sense, but how to let the NAT (Windows XP built in) know that

Not usually, no. In very expensive NAT systems, perhaps, yes. But in most
NAT systems, FTP is only expected on port 21. Ask your NAT provider if they
support operating the FTP ALG (Application Level Gateway) over any port
other than 21.

I don't understand this..... the NAT is the Windows XP built-in Internet
Connection Sharing. I'm not aware of any specific provider for this. Can you
please explain.

Thanks again for your answer.

Best Regards,
Perry
 
Mark Weinreb

Perry Diels said:
I don't understand this..... the NAT is the Windows XP built-in Internet
Connection Sharing. I'm not aware of any specific provider for this. Can you
please explain.

Thanks again for your answer.

Best Regards,
Perry

Your FTP program should have an option called either "Passive Mode" or
"PASSV". This tells the client to use the same port (21) for communication
both directions. Try setting this option and see if it helps.
 
Perry Diels

Hello Mark, thanks for your answer,

Your FTP program should have an option called either "Passive Mode" or
"PASSV". This tells the client to use the same port (21) for communication
both directions. Try setting this option and see if it helps.

I have tried this but it doesn't help. The connection establishes, but no
further communication works (such as list or whatever). Hence we don't see
any directory listing.

Any other tips?

Best regards,
Perry
 
Mark Weinreb

Perry Diels said:
Hello Mark, thanks for your answer,


I have tried this but it doesn't help. The connection establishes, but no
further communication works (such as list or whatever). Hence we don't see
any directory listing.

Any other tips?

Best regards,
Perry

I didn't see the start of this thread, so I don't know what firewall (if
any) you're using. With Zone Alarm Pro, which I use on the machine that
connects to the internet, it's also necessary to add the FTP server to the
list of trusted sites. Otherwise Zone Alarm still blocks replies from the
FTP server - even when I'm connecting from one of the ICS clients. You may
need to try something similar if at all possible.
 
Alun Jones [MS MVP]

"Perry Diels" said:
I don't understand this..... the NAT is the Windows XP built-in Internet
Connection Sharing. I'm not aware of any specific provider for this. Can you
please explain.

Then the provider would be Microsoft. They provided the NAT software. As
far as I know, you can't tell ICF to monitor ports other than 21 for FTP
traffic. Certainly when I went looking at the configuration, the port
settings were grayed out. You might be able to frob the registry, but I
didn't find any documentation to suggest that this would work, and I'm a
fiendish hacker who's tried that sort of thing before. I don't think you
can achieve what you're trying to do.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
 
Alun Jones [MS MVP]

"Mark Weinreb" said:
Your FTP program should have an option called either "Passive Mode" or
"PASSV". This tells the client to use the same port (21) for communication
both directions. Try setting this option and see if it helps.

PASV / Passive mode doesn't do what you assert.

When the client sends a PASV command, the server responds with a set of six
numbers. These six numbers are the IP address and port that the server
wants the client to connect to for transferring data. The port will not be
21, ever, because that's for FTP control traffic, not data.

The port that the server chooses will, by default, be in the range
1024-5000.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
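
Added example, not part of the original thread: the six-number field that Alun describes in the PASV reply (and that the PORT command also carries), decoded and then rewritten the way an FTP-aware NAT would, plus a check for a reply that reached the client untranslated, which is the case the thread says to expect on a control port such as 1994. The function names and the sample addresses are constructed for illustration.

```python
import ipaddress
import re

# The six comma-separated numbers h1,h2,h3,h4,p1,p2 used by PASV replies and PORT commands.
_SIX = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# Constructed sample lines (not captured traffic).
SERVER_REPLY = "227 Entering Passive Mode (192,168,0,10,4,15)"
CLIENT_PORT = "PORT 192,168,0,2,4,1"


def parse_hostport(line):
    """Return (ip, port) quoted in a 227 reply or a PORT command."""
    m = _SIX.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % line)
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        raise ValueError("field above 255 in %r" % line)
    # The data port is the last two numbers read as a 16-bit value.
    return ".".join(str(v) for v in n[:4]), n[4] * 256 + n[5]


def rewrite(line, new_ip, new_port):
    """Replace the quoted address and port, as a NAT that recognises FTP would."""
    parse_hostport(line)  # refuse lines without a valid field
    field = "%s,%d,%d" % (new_ip.replace(".", ","), new_port >> 8, new_port & 0xFF)
    return _SIX.sub(field, line, count=1)


def diagnose(reply, control_peer_ip):
    """Flag a PASV reply whose quoted address is a private one that differs
    from the address the control connection was made to."""
    ip, port = parse_hostport(reply)
    if ip != control_peer_ip and ipaddress.ip_address(ip).is_private:
        return "unrewritten: server quoted %s:%d, reply was not translated" % (ip, port)
    return "ok: data connection goes to %s:%d" % (ip, port)


if __name__ == "__main__":
    public_ip = "203.0.113.7"  # constructed public address of the server's NAT
    print(parse_hostport(SERVER_REPLY))
    print(diagnose(SERVER_REPLY, public_ip))
    print(diagnose(rewrite(SERVER_REPLY, public_ip, 5001), public_ip))
```

Comparing the address in the 227 line of the client's log with the address the client actually connected to gives the same answer by hand.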
 
