Lance's TextBox

About Me       - Also see my RSS simple services site.
  Home  |   Contact  |   Syndication    |   Login
  510 Posts | 7 Stories | 379 Comments | 258 Trackbacks

News

Lance Robinson is a product manager and software developer in Durham, Chapel Hill, Raleigh, and surrounding areas. More about Lance.

 Subscribe Add to Technorati Favorites

 

 

 

 


 

 

Search My Blog:

 

 

Twitter












Tag Cloud


Archives

Post Categories

Blogs

Miscellanous

Noteworthy Stuff

Popular Posts

FTP SSL through a NAT Firewall
FTPS over a NAT Firewall is a problem, but there are solutions. First, an explanation of the problem: The reason why FTPS (and even FTP without SSL) is a problem with firewalls is that unlike most internet protocols, FTP requires two socket connections, not just one. The first connection, called the control connection, is the one where all of the commands and responses are exchanged between client and server. The second connection, called the data connection, is where all of the data is transferred (files and file listings). There are two ways to setup the data connection - active or passive. Active mode means that the data connection will be opened from the server to the client (the client will listen for an incoming connection from the server). Passive mode is just the opposite, the client will open the data connection on the server (the server will listen for an incoming connection from the client). Passive mode is recommended, especially for SSL connections.

A normal, unencrypted, passive FTP data connection gets configured and opened like so:

 

CLIENT-->SERVER: PASV 
SERVER-->CLIENT: 227 Ok, Entering Passive Mode (193,21,1,121,15,6)

The client sends the PASV command, and the server says "OK", and tells the client the ip address and port that he is listening to. The first four octets in the parenthesized response form the dotted ip address (193.21.1.121) and the last 2 form the port number (15*256 + 6) = 3846. At this point, the server is listening for an incoming data connection - and the client can go ahead and make that connection so that the two sides can begin transferring data.

When you throw a NAT (Network Address Translation) in the middle

 

CLIENT-->NAT-->SERVER:

you now have the following communication:

 

CLIENT-->NAT: PASV 
NAT-->SERVER: PASV 
SERVER-->NAT: 227 Ok, Entering Passive Mode (10,0,1,121,15,6) 
NAT-->CLIENT: 227 Ok, Entering Passive Mode (193,21,1,121,15,6)

As you can see, the NAT must spy on the servers response to the PASV command. The NAT sees that the server is listening on 10.0.1.121 port 3846. The server is of course on a private IP address that the client cannot reach. The NAT has the public IP address that the client is communicating with. So the NAT replaces the servers response with his own - telling the client to open the connection to HIS ip address and port. In turn of course, when the NAT receives a connection to that location, he will forward it on to the FTP servers IP and port.

Now throw in another complication: SSL. Now the NAT cannot spy on the PASV response, nor can he alter it. So the client would attempt to open the data connection on an IP address that was not accessible, since it is behind the firewall.

 

What is the solution?

There are several possible solutions you can explore:
  • Some FTP servers will allow you to specify an IP address (and port range) to use for passive mode connections. You'd set this to your public IP address.
  • Some FTP clients (including IPWorks components) can be smart enough to try the ip address specified by the server in the response to the PASV command, and it that fails, fall back to the same ip address that the initial connection was made to.  Though that is not always the desired behavior, you can accomplish this with the IPWorks FTP components by using the UseRemoteHostAddressForPassive config:

    Ftps1.Config("UseRemoteHostAddressForPassive=true");

    Note that the component will not do this automatically, for security reasons.

  • Some NATs will allow you to specify port ranges that will automatically forward to a specific location. If you can configure this port range to match the passive port range used by the FTP server - that may be a solution.

  • Another solution is to set your FTP server up to use the EPSV command (Extended Passive Mode). The EPSV command only sends the port - and the IP address is inferred to be the same as the IP address of the control connection. The IP*Works! FTPS control supports UseEPSV as a configuration option:

    Setting

    Ftps1.Config("UseEPSV=true")

    will add support for EPSV.
Updated 1/24/2008.
posted on Tuesday, August 23, 2005 9:45 AM

Feedback

# re: FTP SSL through a NAT Firewall 3/18/2007 2:19 AM Asim J
I like it, it is a very good explination

# re: FTP SSL through a NAT Firewall 11/27/2007 7:55 PM YF
It is easy to understand explanation. Thanks.

# re: FTP SSL through a NAT Firewall 3/19/2008 12:27 PM nasara
You make it easy!
Thx!

# re: FTP SSL through a NAT Firewall 8/1/2008 2:56 AM chris
Hi!

I've the described problem, but the client is behind NAT, not the server. Any solutions? Is this "bug" known? Active mode is working, PASV not. FTP w/ SSL is not working, FTP w/o SSL is okay.

# re: FTP SSL through a NAT Firewall 8/1/2008 10:21 AM chris
youre right server was behind a firewall

# re: FTP SSL through a NAT Firewall 10/18/2008 1:30 AM ravi
realy good explanation. With this solution it works when client is on home broadband connection. But when client is in office LAN (ofcourse with routers firewall etc), the FTP with SSL is not working (directory listing failed). just FTP works fine from LAN.

# re: FTP SSL through a NAT Firewall 11/3/2008 9:19 AM Jason
I spent serveral hours working on this issue.

My situation:
Office side:
FTP server behind PIX 506e firewall, ports 20, 21, 990, 45K-55K all open.

Client side A:
PC running custom FTP app through browser behind a Microsoft ISA 2004 server.

Client Side B:
PC running custom FTP app through browser behind a Linksys home router.


I found that I had NO issues at all with client side B. But Client side A (once a set of policies were created in the ISA to not block any outbound traffic) will not go beyond the PASV commands. It is acting like the FTP server is sending the Port information inside the encrypted area of the packets.

Unfortunately I did find further websites that say that FTPS does not work behind ISA 200, 2004, 2006 firewalls for clients or servers. This is a known issue, and claimed be be 'sorta by design' to ensure security.

I hope this bit of knowledge helps someone else some day.



# re: FTP SSL through a NAT Firewall 11/3/2008 9:47 AM Lance
Yes, the server definitely sends the port info inside the encrypted packets. EVERYTHING gets sent inside encrypted packets when you're talking about FTPS.

In the case of client side A, the server sends (inside the encrypted packets of the regular FTP control connection) the ip and port that the client should connect to for the data connection. There is no reason why this response to the PASV cmd would not be received...its just a regular part of the same connection. The problem comes next, when the client attempts to actually connect to the specified ip and port. The best thing to do here for troubleshooting is to use some client that has good output logging. Look and see exactly what ip and port the server is telling the client to connect to. This information could be bogus if the server is not configured correctly. Alternatively the port might not be one that is open on the firewall if the server is not configured correctly.

The website that you found that said FTP PASV will not work behind ISA was simply wrong.

A couple tips for debugging this:
1. When you find out the ip and port that the server sends in the reply to the PASV command, try to open a connection to that manually using the telnet cmd from the cmd line, ie: "C:\>telnet 1.2.3.4 12345"
2. Put a network sniffer on the server. You won't be able to read the encrypted data, of course, but you'll be able to see the tcp connection attempt coming in on the data connection port.

# re: FTP SSL through a NAT Firewall 11/4/2008 10:51 AM Jason
You are correct, I did misread the article.

Here it is for anyone interested.

http://blogs.isaserver.org/pouseele/2006/10/08/solving-the-secure-ftp-dilemma-with-isa-server-2004-and-2006/

# re: FTP SSL through a NAT Firewall 12/2/2008 10:15 AM jeff
All ftp servers should have the following option for each type of connection, the ability to provide the external wan address and/or a port range in the passive response.

That way firewalls that do nat translation on the ftp and modify the response from the internal address to the external address will work. The ftp server responds with the internal address and the firewall changes it to the external.. no problem with the connection.

In the ftp over ssl connection the passive response could be set on the ftp server to respond with the wan address for the nat, hardcoded in to the ftp server (or go the route that filezilla ftp server does and have an external entity detect the wan ip which is great for load balancing). This way, since the firewall cant see the traffic because its encrypted it works fine.

That would be the best way to handle the situtation. Leave the firewall vendors alone and make the ftp servers better. Filezilla has some of the best options in it because of the detection option. But, its still either one or the other in terms of the response it provides. It can either do internal or external. Through the majority of firewalls that I have worked with that means that either ftp over ssl passive will work or regular passive ftp will work.. not both.

The ftp server people need to get their act together. They are like the car companies.. throw a few more cup holders in the car and charge more.. but dont really make the product better.

# re: FTP SSL through a NAT Firewall 12/9/2008 6:55 PM dodger
Great site. My FTPS 425 'Can't open data connection' problem with FileZilla Server was that I needed to forward the defined custom port range for passive mode (50000-50100) to the server on the router.

Thanks for the clue.

# re: FTP SSL through a NAT Firewall 12/11/2008 5:07 PM David
Dodger,
I have the same issue with FileZilla Server. What exactly do you mean "forward the defined custom port range for passive mode (50000-50100) to the server on the router"? I have a PC functioning as the FTP server behind a firewall with a public IP NATd to the private IP of that PC.

# re: FTP SSL through a NAT Firewall 12/22/2008 9:21 AM Jason
I could be wrong, but I believe that he means that you have to create an always running rule that forwards all traffic (though you might be able to trim it down) that is incoming to the router on ports 50000-50100 to the internal FTP server.

Hope this helps.


# re: FTP SSL through a NAT Firewall 1/13/2009 10:19 PM Kevin Coe
Great Post! I am having the same issue with Gene6 FTP Server and Cisco ASA5510 router.
I am running FTPS over port 990.
I have already set up the NAT forward and I can make the connection, but when it hits a LIST command, it times out.
I will try the 50000-50100 forward and let u know.

# re: FTP SSL through a NAT Firewall 2/4/2009 2:38 AM wood
but I believe that he means that you have to create an always running rule that

# re: FTP SSL through a NAT Firewall 4/9/2009 2:25 PM DaveK
I have scoured the internet looking for info on a problem I am having and this site seems to be quit helpful.

Having some trouble with passive mode and FileZilla. Filezilla was working with active mode but suddenly stopped. Now get the dreaded "425 Can't open data connection." error. Tried passive mode and get the same.

Setup is as follows:
Filezilla FTP server on home pc behind a USR8054 router which has the necessary ports forwarded to the home pc's IP. I setup the server and client for passive mode using ports 6000-6050.

I think my router is at fault because of the following.
FTP Server (home pc behind USR8054 router):
> PASV
> 227 Entering Passive Mode (24,61,105,170,23,114)
> LIST
> 425 Can't open data connection.

FTP Client (from PC at work behind company router):
>Command: PASV
>Response: 227 Entering Passive Mode >(24,61,105,170,244,179)
>Command: LIST
>Response: 425 Can't open data connection.

The port number in the PASV strings appear different on the server and the client, 6002 & 62643. I have tried other port ranges, but the client string always has a port number in the 62K+ area.
I think this is my problem by not sure why it is happening. Is my home router at fault, or is there something else I have overlooked?



# re: FTP SSL through a NAT Firewall 4/9/2009 3:28 PM Lance Robinson
Hey Dave, I tried to email you but your server blocked it.

Hmm...well it could be that the SERVER is using port x, but the router is using port y.

client -> port y --> router --> port x --> server

Does your router give you the ability to see what ports it has open? If so that might tell you the answer you're looking for. Did the router change around the same time that FileZilla suddenly stopped working? Do you have the ability to use SSL? If so, that will prevent the router from being able to spy on the connection and it won't be able to change it - however that introduces other problems: you need to specify a passive port range on the server software, and you need to make sure those ports are open on your firewall.

# re: FTP SSL through a NAT Firewall 4/9/2009 5:28 PM DaveK
Thanks for the info Lance.
Unfortunately my router does not give me the ability to see what ports are open.
Are there any good tools out there readily available for this?
I tried SSL as you suggested, and now the port number in the PASV strings match in both the client and server, but I still get the 425 Can't open data connection error. I tried different ports, 50000-50005, 5000-5005, 6000-6005, updating the router to forward each appropriately, but still the same result.
One thing I noticed is that I had to use FTPES as the Servertype setting on the FileZilla client. Not sure if this matters, as the port info looks correct now.
The only other thing I can think has happened is my company's IT department has changed the router settings for the company internet connection and closed most of the ports.
Any other suggestions are greatly appreciated.
Thanks

# re: FTP SSL through a NAT Firewall 5/18/2009 9:27 AM Jason Zhao
Hi Lance,
We set up a ftp server in DMZ. And there is a f5 outside external firewall and responsible translate private ip address to public ip address.
The ftp server support to specify an ip address and port range when using passive ftp. But whether I specify the ip address to the public address or not, ftp ssl still does not work(ftp works). I found the ftp, ftp ssl works if client is in Intranet(need to pass through the internal firewall, but no f5 and nat).

And I use filezillar as client software, this software supports to connect to ftp server's external ip address. So maybe it's not because the address problem?

Any clue?

Thanks,
Jason

Post Feedback

Title:
Name:
Email: (never displayed)
Url:
Comments: