Welcome to ISAserver.org
Publishing a FTP server through ISA 2004
Publishing a FTP server through ISA 2004 - 12.Jan.2008 3:32:13 AM
rajthampi
Posts: 20
Joined: 19.Jan.2007
Status: offline
Hello guys, first of all I apologize for posting the same question again (I forgot the node name where I exactly posted the question earlier). Well, my issue is like this. Earlier we had a PIX 515e hardware firewall and an internal FTP server published through it. Later we installed ISA 2004 (SP2) behind it, and from day one FTP server access failed. We have tried many FTP clients with both PASV and Active modes, and although the user manages to get connected to the FTP server, the dir command always hangs at "150 Opening ASCII mode data connection for /bin/ls." and nothing is returned. A close look at the monitoring on the ISA server showed "Unidentified IP traffic" on various ports and "Denied connection". Though I have spent the last many days trying to find some reliable information about "Unidentified IP Traffic" caused by FTP traffic, I have yet to come across any. Any information on how to publish an FTP server through ISA 2004 would be highly appreciated.
_____________________________
If it is a door, it will open.
RE: Publishing a FTP server through ISA 2004 - 12.Jan.2008 10:49:12 AM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi rajthampi, what do you mean with primary network? To be sure we are talking about the same setup, here is a simple drawing:

quote:
[FTP Srv ] ----- [ISA] ----- [PIX] ----- Internet
         (1)          (2)          (3)

I assume that you have a back-to-back firewall implementation with the ISA server as inner and the PIX as outer firewall. So, the ISA server has at least two interfaces, one on the internal network (1) and one on what the ISA considers as external network (2). The latter is the internal network seen by the PIX. When you test from a client sitting on the network (1), the FTP should work because neither the ISA nor the PIX is in the path. Now, does it work also when you test from a client connected to the network (2)?

HTH, Stefaan
RE: Publishing a FTP server through ISA 2004 - 13.Jan.2008 12:17:23 AM
rajthampi
Posts: 20
Joined: 19.Jan.2007
Status: offline
Hi spouseele,

quote:
    (1)                          (2)                       (3)
192.168.10.2 [FTP Srv ] ----- [ISA] --------- [PIX] ----- Internet
             192.168.10.10   172.16.30.2   172.16.30.1
                             172.16.30.3
                             172.16.30.4

Above is our network. ISA is configured to listen on 172.16.30.4 for FTP requests. After reading your last post, I added one computer to Network 2 and tried to access the FTP server, which was partially successful: it listed the directories using Internet Explorer, but one level further the listing failed (listing the files inside directories). So I assume the clients can access the FTP server from network 2 also... (Now what? "Finding Nemo")
< Message edited by rajthampi -- 13.Jan.2008 12:20:28 AM >
_____________________________
If it is a door, it will open.
RE: Publishing a FTP server through ISA 2004 - 13.Jan.2008 11:41:33 AM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi rajthampi,

quote:
... tried to access the FTP server which was partially successful...

OK, so it doesn't work always and you have to find out if this is an ISA server or an FTP server issue.

Firstly, I strongly suggest you test with the standard Microsoft command line FTP client (supports only active mode) or the free FTP command line client MoveIt Freely from Standard Networks. The latter one supports active and passive mode as well as Secure FTP.

Secondly, install on the ISA server either Microsoft's Network Monitor V3.1 tool available on the Microsoft Connect site (http://connect.microsoft.com) or Wireshark available on http://www.wireshark.org (formerly Ethereal).

Thirdly, repeat the test with an FTP client on the network (2) and make the following info available for further analysis:
- 'ipconfig /all' and 'route print' on ISA server
- 'ipconfig /all' and 'route print' on FTP server
- 'ipconfig /all' and 'route print' on FTP client
- the ISA logging
- the network monitor trace of the FTP session taken on the ISA internal *and* external interface.

Post here a URL where we can download that info or send me a private message if you feel that that information is too confidential.

HTH, Stefaan
< Message edited by spouseele -- 13.Jan.2008 12:58:40 PM >
RE: Publishing a FTP server through ISA 2004 - 14.Jan.2008 5:55:32 AM
rajthampi
Posts: 20
Joined: 19.Jan.2007
Status: offline
Hi spouseele, today I sent you the information you asked for by private message. I hope the provided information is quite adequate for your inspection. Regards, raj
_____________________________
If it is a door, it will open.
RE: Publishing a FTP server through ISA 2004 - 14.Jan.2008 2:32:05 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi rajthampi, I see you have a network within a network scenario as explained in http://isaserver.org/articles/2004netinnet.html and http://isaserver.org/articles/2004isafirewallnetworks.html. In that case the default gateway of SecureNAT clients belonging to the same subnet as the ISA internal interface should be the ISA internal interface, not the internal router. However, you should also configure on them the persistent static routes for the other internal subnets, as you have done on the ISA server. Therefore, change the default gateway on the FTP server to the ISA internal interface and configure the proper persistent static routes. Please, I did ask to test from network (2)! Also, why didn't you take a netmon trace? That's definitely a skill you should learn. HTH, Stefaan
RE: Publishing a FTP server through ISA 2004 - 15.Jan.2008 7:19:02 AM
rajthampi
Posts: 20
Joined: 19.Jan.2007
Status: offline
Hi Stefaan, I did take netmon on both the internal and external interface of ISA. Just wondering how I could forward the data to you (.xls files). Btw, I had checked the logs myself (first time experience) and found that everything is working until the FTP session opens "150 Opening ASCII mode data connection for /bin/ls." Then both netmon traces (internal and external) don't show any responses on FTP traffic, and the ISA monitoring log shows the same "Unidentified IP traffic" on different ports and the connection is denied (of course). Please let me know how I can forward the log files to you. Regards,
_____________________________
If it is a door, it will open.
RE: Publishing a FTP server through ISA 2004 - 15.Jan.2008 9:05:18 AM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi rajthampi, did you implement the change I suggested in my previous response?

quote:
Therefore, change the default gateway on the FTP server to the ISA internal interface and configure the proper persistent static routes.

If so, what's the result? As said before, the simplest way to give us the information is to post a URL where we can download that info, either within the topic or within a private message. Also, when asking for a netmon trace, give us the raw file, not an exported excerpt.

HTH, Stefaan
< Message edited by spouseele -- 15.Jan.2008 9:07:25 AM >
RE: Publishing a FTP server through ISA 2004 - 15.Jan.2008 9:13:37 AM
rajthampi
Posts: 20
Joined: 19.Jan.2007
Status: offline
The changes I already made with the FTP server:
1. Changed the default gateway of the FTP server to the internal IP address of the ISA server, in my case 131.102.2.10.
2. The persistent routes on the ISA server are only indicating our internal networks; do I really have to add them on the FTP server also?
3. I will upload the data file to one of our sites and forward you the link by private message by tomorrow.

Regards
_____________________________
If it is a door, it will open.
RE: Publishing a FTP server through ISA 2004 - 15.Jan.2008 9:20:41 AM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi rajthampi,
1. OK, but did that solve the problem?
2. Yes, you should; otherwise the other internal networks won't be able to connect to the FTP server.
3. OK, but first make a new test from network (2) with the changed FTP server config.

HTH, Stefaan
RE: Publishing a FTP server through ISA 2004 - 15.Jan.2008 9:27:39 AM
rajthampi
Posts: 20
Joined: 19.Jan.2007
Status: offline
Sorry to ask you a dumb question now, Stefaan. I would really appreciate it if you would tell me what you exactly meant by network 2. ISA has two interfaces. The first one points to the internal network, which is 131.102.2.0/24, and the second NIC is hooked up with the PIX 515e, and we have the following IP addresses:
172.16.30.1 -> PIX 515e
172.16.30.2-6/24 configured with the WAN NIC of the ISA server

Do you mean I have to configure one client with a 172.16.30.xxx IP address? If yes, what IP address should I use for the default gateway? Regards,
_____________________________
If it is a door, it will open.
RE: Publishing a FTP server through ISA 2004 - 15.Jan.2008 9:48:44 AM
rajthampi
Posts: 20
Joined: 19.Jan.2007
Status: offline
Yes Stefaan, I already checked it after asking that "dumb" question. I was able to connect to the FTP server, and the FTP response stopped at "150 Opening ASCII mode data connection for /bin/ls." By the way, all the internal IP addresses (131.102.2.0/24, 131.102.10.0/24...) can access the FTP server without any troubles, as we have already specified the networks with the ISA server. I think the problem lies somewhere while executing the FTP LIST command and ISA is not properly recognizing the right path to forward the response... any thoughts?
_____________________________
If it is a door, it will open.
RE: Publishing a FTP server through ISA 2004 - 15.Jan.2008 10:06:09 AM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi rajthampi,

quote:
By the way, all the internal IP addresses (131.102.2.0/24, 131.102.10.0/24...) can access the FTP server without any troubles, as we have already specified the networks with the ISA server.

Do you mean without those static routes on the FTP server but with the default gateway of the FTP server set to the ISA internal interface? Hmm... that would be strange unless we are talking about an ISA 2000 server instead of an ISA 2004/2006. As far as I can see, the problem is the fact that ISA doesn't consider the data connection as belonging to an FTP session. So, let's wait what the netmon trace will tell us.

HTH, Stefaan
< Message edited by spouseele -- 15.Jan.2008 3:38:44 PM >
RE: Publishing a FTP server through ISA 2004 - 16.Jan.2008 2:40:31 AM
rajthampi
Posts: 20
Joined: 19.Jan.2007
Status: offline
Hi Stefaan, I forwarded the link to the required information by a PM. Please review them and, if possible, let us know why the FTP traffic is being blocked by ISA. Regards,
_____________________________
If it is a door, it will open.
RE: Publishing a FTP server through ISA 2004 - 16.Jan.2008 8:33:42 AM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Rajesh, here is some important info we need for analysing the netmon traces:
- ISA internal: IP = 131.102.2.10/24; MAC = 00-0F-FE-3F-4E-AE
- FTP server: IP = 131.102.2.224/24; MAC = 00-0D-88-B6-44-DA
- Internal router = 131.102.2.2; MAC = 00-04-C0-5B-D6-C0

Let's take a look at the netmon trace on the ISA internal interface and apply a display filter "ip.addr == 131.102.2.244" to focus on the traffic between the ISA and the FTP server.

The first remark is that there are still ICMP redirects. More specifically, the internal router tells the ISA server that the FTP server should be contacted directly, not through the router. The originating packet belongs to an RDP session from the FTP server to the ISA server (TCP port 3389).

Now, if we look at the FTP session then we see that the control connection is initiated from the ISA server to the FTP server *through* the internal router! Why? The responses from the FTP server are sent directly to the ISA server (look at the MAC addresses). The FTP client negotiates with the PORT command TCP port 4980 (= 19 * 256 + 116) for the data connection. Therefore the FTP server initiates the data connection to the client (active mode FTP) on TCP port 4980. This is apparently dropped by the ISA server. The only cause I can think of is that this happens because the request and response layer-2 paths don't match (MAC addresses).

If we now look carefully at the ISA routing table we see the following entries:
131.102.2.0    255.255.255.0    131.102.2.10    131.102.2.10    10
131.102.2.0    255.255.255.0    131.102.2.2     131.102.2.10    1

So there is an active route entry with a metric of 1 telling the ISA server it must connect through the internal router for directly connected hosts (131.102.2.0/24). That's definitely wrong and should be corrected first!

BTW --- all hosts on the 131.102.2.0/24 subnet must use the ISA internal interface as default gateway and have the proper static routes for the other internal subnets. Therefore I prefer a configuration as outlined in my article How to Implement VPN Off-Subnet IP Addresses, section "2. Network Design".

HTH, Stefaan
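The post above hinges on how a firewall ties the FTP data connection back to its control session: it must parse the PORT command (or the 227 PASV reply) and compute h1.h2.h3.h4:p1*256+p2, otherwise the server's SYN to port 4980 is just unidentified TCP traffic and gets denied. The following Python is an added example written for this thread (not code from ISA or from the posters) that does that bookkeeping for both active and passive mode; the control-channel lines and the client address 172.16.30.50 are constructed, while the PORT value 19,116 = 4980 is the one from the trace.

```python
import re
from typing import List, NamedTuple, Optional

class DataConn(NamedTuple):
    """Data connection the control channel tells us to expect."""
    mode: str        # "active" (server opens it) or "passive" (client opens it)
    initiator: str   # IP that sends the SYN
    target: str      # IP that accepts the SYN
    port: int        # destination TCP port

# PORT h1,h2,h3,h4,p1,p2 from the client; 227 ... (h1,h2,h3,h4,p1,p2) from the server.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
PASV_RE = re.compile(r"^227 .*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def _decode(groups):
    """FTP encodes the endpoint as four IP octets plus port = p1 * 256 + p2."""
    if any(int(x) > 255 for x in groups):
        raise ValueError("octet out of range: %r" % (groups,))
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])

def expected_data_conn(control_lines: List[str], client_ip: str,
                       server_ip: str) -> Optional[DataConn]:
    """Walk the control channel; the most recent PORT or 227 reply wins."""
    expected = None
    for line in control_lines:
        m = PORT_RE.match(line)
        if m:  # active mode: the server connects to the client-announced endpoint
            ip, port = _decode(m.groups())
            expected = DataConn("active", server_ip, ip, port)
            continue
        m = PASV_RE.match(line)
        if m:  # passive mode: the client connects to the server-announced endpoint
            ip, port = _decode(m.groups())
            expected = DataConn("passive", client_ip, ip, port)
    return expected

def classify(expected: Optional[DataConn], src_ip: str, dst_ip: str, dst_port: int) -> str:
    """'ftp-data' when a SYN matches the negotiated endpoint, otherwise 'unidentified',
    which is what a stateful FTP filter denies (the symptom seen in the ISA log)."""
    if expected and (src_ip, dst_ip, dst_port) == (expected.initiator, expected.target, expected.port):
        return "ftp-data"
    return "unidentified"

# Constructed control-channel excerpt: a client on network (2) listing the FTP root.
CLIENT, SERVER = "172.16.30.50", "192.168.10.2"
CONTROL = [
    "220 FTP server ready", "USER anonymous", "331 Password required",
    "PASS guest@", "230 Logged in",
    "PORT 172,16,30,50,19,116",     # 19 * 256 + 116 = 4980, as computed in the post
    "200 PORT command successful", "LIST",
    "150 Opening ASCII mode data connection for /bin/ls.",
]
```

Run against a real trace, the unidentified verdict is exactly what you would compare with the denied connections in the ISA log: if the server's SYN to the negotiated port is classified correctly here but denied on the box, the filter never saw the control channel that announced it.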
RE: Publishing a FTP server through ISA 2004 - 16.Jan.2008 8:45:41 AM
rajthampi
Posts: 20
Joined: 19.Jan.2007
Status: offline
Thanks for your post, Stefaan. Btw, the RDP session was initiated from the FTP server by me only. The server room is kinda away from my office, so I often use RDP to access ISA, and the netmon reports were generated while I was connected to ISA remotely. Actually, the most confusing part of the entire ISA deployment is that we have many other servers published through ISA, for example our Citrix MetaFrame, VPN server, CRM server... just to name a few. No other published servers had the issues which we are facing with publishing this FTP server. I will certainly look into the points you forwarded and keep you updated. Once again I really appreciate the valued time you spent for me; I hope the conversation was useful for a few others also who are having the same issues (I have seen exactly the same problem posted by somebody on the velocity site). Regards...
_____________________________
If it is a door, it will open.