We are having an issue with our FTP site, which is located behind a
BorderManager firewall using NAT.

A few users, but certainly not all users, receive this error when trying
to access our FTP server.

Error: Connection timed out
Error: Failed to retrieve directory listing

Most users connect just fine. No errors.

I have tried to connect from home to our FTP server. No problem. But, if
I connect to the FTP server through our Guest DMZ that provides internet
access to guests in our building via a Cisco Pix, I also get the error
messages. Strange thing is... when the error occurs, the FTP server
seems to be answering the FTP commands by providing the PRIVATE IP address
and not the PUBLIC IP address. Thus, the traffic is dropped at the
firewall. The FTP server accepts the password and the login name, but
fails when trying to provide the directory listing of the FTP site to the
client.

I have Static and Dynamic Mode turned on for NAT.

Any ideas what would cause this ?

The FTP server is not the same server as the BorderManager server.

Here is a sample of a failed connection.

10.x.x.x is the private IP of our FTP server (manually masked out)

Status: Connecting to 12.x.x.x ...
Status: Connected with 12.x.x.x. Waiting for welcome message...
Response: 220 Service Ready for new User
Command: USER greenman
Response: 331 Password Needed for Login
Command: PASS *************
Response: 230 User greensman Logged in Successfully
Command: SYST
Response: 215 NETWARE Type: L8
Command: FEAT
Response: 500 'FEAT' : Unknown Command
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is Current Directory
Command: TYPE A
Response: 200 TYPE Command OK A
Command: PASV
Response: 227 Entering Passive Mode (10,x,x,x,6,34)
Command: LIST
Response: 150 Opening data connection for (10.x.x.x,1570)

Here is a log of a working connection:


Response: 220 Service Ready for new User
Command: USER greenman
Response: 331 Password Needed for Login
Command: PASS *************
Response: 230 User greensman Logged in Successfully
Command: SYST
Response: 215 NETWARE Type: L8
Command: FEAT
Response: 500 'FEAT' : Unknown Command
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is Current Directory
Command: TYPE A
Response: 200 TYPE Command OK A
Command: PORT 192,168,x,x,5,112
Response: 200 PORT Command OK
Command: LIST
Response: 150 Opening data connection for (24.255.xx.xx,41346)
Response: 226 Transfer Complete
Status: Directory listing successful