I suspect you are falling victim to a 'rock and a hard place'
combination of events that comes together when you use secure
connections in combination with private addresses that need to be
translated.

FTP data connections (used for directory listings and file transfers)
are separate TCP connections from the main "control" connection. To
establish an 'active' connection, the client side announces its own
address and special port number it will listen on for that data
connection. Alternatively, to establish a 'passive' connection, the
client side asks the server to choose a port of its own, then the server
announces back its own IP address and port number.

So depending on the type of data connection you are attempting, either
individual device may want to announce its "private" IP address, and
this occurs in the data portion of the packet, not in the TCP header,
which you can imagine might cause a problem if you are relying on NAT.
However, most NAT implementations are very smart about FTP and they will
look inside the data portion of these types of FTP packets and translate
those IP addresses, as well.

The problem you run into when you add secure (SSL) FTP into the picture
is this: The data portion of the packet is now encrypted, and NAT
devices are not going to be able to recognize the data anymore, so they
can't watch it for private addresses which they need to translate. They
still translate the clear text TCP header fine, but the data portion
which contains these active/passive announcements goes through
un-translated. They reach the other side, and then the other side tries
to connect to the private address of the first side.... which it
obviously can't.

Based on your description, I suspect your failing client is attempting
an active data connection, and if you switch to passive, it may start to
work. However, switching to passive can bring about the same problem on
the opposite side. In that case, I'd recommend you look at TID 3931251
for options about what to do to get the NetWare FTP server to only
announce a public address instead of a private one. For that matter,
some FTP clients can fake a public address in their active connection
also, so consult your FTP client doc and configuration as well.
--
dpartrid
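
The following is an added example, not part of the post above or of any Novell tooling. It parses the two announcements described in the post (the client's `PORT` command and the server's `227` passive reply) from a client or server session log, where they are still readable even when the wire traffic is encrypted, and reports when the announced address is a private one that differs from the address the other end sees. The function names, the `seen_as` parameter and the sample lines are assumptions made for illustration.

```python
import ipaddress
import re

# RFC 959 host-port argument: h1,h2,h3,h4,p1,p2 (six decimal bytes).
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_announcement(line):
    """Return (mode, ip, port) for a PORT command or 227 reply, else None."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        mode, rest = "active", line[5:]
    elif line.startswith("227"):
        mode, rest = "passive", line[3:]
    else:
        return None
    m = HOSTPORT.search(rest)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return mode, ip, nums[4] * 256 + nums[5]


def check(line, seen_as):
    """Compare the address announced in the FTP payload with the address the
    other end sees in the TCP header (seen_as, i.e. after NAT)."""
    parsed = parse_announcement(line)
    if parsed is None:
        return None
    mode, ip, port = parsed
    if ip == ipaddress.IPv4Address(seen_as):
        verdict = "ok"
    elif any(ip in net for net in RFC1918):
        verdict = "private address not translated"
    else:
        verdict = "address mismatch"
    return {"mode": mode, "announced": f"{ip}:{port}", "verdict": verdict}


if __name__ == "__main__":
    # Constructed session-log lines; public side uses RFC 5737 addresses.
    for line, seen in [("PORT 192,168,1,20,19,137", "203.0.113.7"),
                       ("227 Entering Passive Mode (10,0,0,5,195,80)", "198.51.100.9")]:
        print(line, "->", check(line, seen))
```
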