• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

unable to access our ftp site held by our ISP

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2000 Firewall] >> Firewall Client >> unable to access our ftp site held by our ISP Page: [1]
Login
Message << Older Topic   Newer Topic >>
unable to access our ftp site held by our ISP - 29.Dec.2003 3:29:00 PM   
neilp157

 

Posts: 7
Joined: 28.Nov.2003
From: Altrincham
Status: offline
I am unable to access my ftp site (ftp.xyz.co.uk) which is held on my ISP's servers. I have clients setup as Web Proxy, Firewall and SecureNAT. Through ISA I can access any other FTP site (ftp.nai.com). Not going through ISA I can gain access to our site. Our domain name is the same internal as external, however I do have my own DNS servers for internal clients. Please advise as to how I can access ftp://ftp.xyz.co.uk through ISA.

Thanks in advance

Neil
Post #: 1
RE: unable to access our ftp site held by our ISP - 29.Dec.2003 8:04:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Neil,

I assume you already read my article http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html ! [Wink]

Can you access the FTP site by IP-address instead of by FQDN?
What ISA client type and FTP client are you using for the FTP session?
Also, what's the ISA firewall log telling you? Do you see the FTP request in the ISA firewall log?

HTH,
Stefaan

(in reply to neilp157)
Post #: 2
RE: unable to access our ftp site held by our ISP - 31.Dec.2003 10:09:00 AM   
neilp157

 

Posts: 7
Joined: 28.Nov.2003
From: Altrincham
Status: offline
Hi Stefaan,

I have read your article and think I understand all of it.
I am unable to access the ftp site via IP address either.
Having tried all client types I am currently setup as SecureNAT, accessing an FTP site runs a firewall session.
Yes I see the request in the firewall log, it shows c-ip, c-agent date, time, s-computername, r-ip, r-port, time taken, all the stats look fine. It just keeps coming up with 'FTP folder error'
Thanks
[Frown]

(in reply to neilp157)
Post #: 3
RE: unable to access our ftp site held by our ISP - 31.Dec.2003 11:39:00 AM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Neil,

can you post an excerpt of the Firewall log? Just make sure you have all fields logged and that the log format is set to ISA format. Also, do you see some blocked packets in the IP packet log?

BTW --- what FTP client are you using? Did you already tried it with the standard Microsoft command line FTP client?

HTH,
Stefaan

(in reply to neilp157)
Post #: 4
RE: unable to access our ftp site held by our ISP - 31.Dec.2003 12:09:00 PM   
neilp157

 

Posts: 7
Joined: 28.Nov.2003
From: Altrincham
Status: offline
Hi Stefaan,

I have lots of blocked packets in the IP packet log, here are two lines of text taken from when I was trying on Monday(Hope you can dicifer it)

#Fields:
c-ip cs-username c-agent date time s-computername r-host r-ip r-port time-taken cs-bytes sc-bytes cs-protocol cs-transport s-operation sc-status sessionid connectionid
192.168.1.71 - - 2003-12-29 16:53:11 ALTVPN - 205.227.137.57 21 281484 132 1097 21 TCP Connect 20000 62 550
192.168.1.71 - - 2003-12-29 16:53:16 ALTVPN - 195.206.160.11 21 968 - - 21 TCP Connect 10061 62 570

I am trying to use my web browser, however from a command prompt I am unable to access the site either. What highlighted me to this was when I tried to use Macromedia Contribute to amend our web site and the connection method is FTP.

Regards
Neil

(in reply to neilp157)
Post #: 5
RE: unable to access our ftp site held by our ISP - 1.Jan.2004 10:17:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Neil,

the excerpt is from the firewall log. The first entry tells me that the request was from a SecureNAT client to the destination ftp.nai.com (205.227.137.57) and logs the tear down of the FTP control connection (TCP port 21) in a normal way (sc-status=20000). There was some data transfered during the session (cs-bytes and sc-bytes).

The second entry logs an unsuccesful (sc-status=10061) FTP control connection request from a SecureNAT client to the destination '195.206.160.11' (dimsum-11.totalweb.net.uk). The WinSock error code is 10061 and means 'Connection refused'. In other words, no connection could be made because the target computer actively refused it. Either there is no FTP server running on that host or the access to that destination is blocked by a firewall at the remote site.

HTH,
Stefaan

(in reply to neilp157)
Post #: 6
RE: unable to access our ftp site held by our ISP - 5.Jan.2004 2:26:00 PM   
neilp157

 

Posts: 7
Joined: 28.Nov.2003
From: Altrincham
Status: offline
Hi Stefaan,

Thanks for your reply - I have tried accessing '195.206.160.11' (dimsum-11.totalweb.net.uk our ftp site)from just a normal dialup connection using my same laptop which is usually sat behind ISA as a SecureNAT and am able to log on. Would this prove that there is no sort of Firewall at the remote site and that an ftp server is running there also. I have 'allowed everything' through ISA in my test area and that works, however I am unable to open certain ports to allow just what is needed to access ftp.premisesnet.co.uk. It is also odd that I am able to get to ftp.nai.com. Is it possible that DNS is an issue and that I need something adding or removing from my zone?
Regards

(in reply to neilp157)
Post #: 7
RE: unable to access our ftp site held by our ISP - 5.Jan.2004 9:59:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Neil,

I've just tried it from two different ISP's and each time I get a Winsock Error Code 10061! So, I bet there is something outside of ISA refusing the connection. You can easily prove it by taking a Network Monitor trace on the ISA external interface.

HTH,
Stefaan

(in reply to neilp157)
Post #: 8
RE: unable to access our ftp site held by our ISP - 6.Jan.2004 8:44:00 AM   
neilp157

 

Posts: 7
Joined: 28.Nov.2003
From: Altrincham
Status: offline
Hi Stefaan,

Thanks again for your response, I have installed Network Monitor on ISA this morning and chosen to monitor the external NIC. Excuse my ignorance but I'm not too sure what I'm looking for. The only differences are that when browsing for ftp.nai.com I get DNS as the protocol followed by 'Std Qry Resp' etc telling me what exactly is going on, seems OK. However when browsing for ftp.premisesnet.co.uk I get TCP as the protocol followed by 'Control Bits':
Is there anyway I can email you my captures?
Thanks in advance
Neil

(in reply to neilp157)
Post #: 9
RE: unable to access our ftp site held by our ISP - 6.Jan.2004 8:40:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Neil,

put the trace file in a zip and send the zip file to 'stefaan.pouseele@cevi.be'. I will post the result of my findings here.

HTH,
Stefaan

(in reply to neilp157)
Post #: 10
RE: unable to access our ftp site held by our ISP - 7.Jan.2004 9:28:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Neil,

take a look to frame 1 to 30 in the capture file! You will see the following returning sequence:

1) ISA server trying to setup (TCP SYN) a TCP connection to the destination on the FTP control channel (TCP port 21).

2) The destination rejecting (TCP RST) the connection request immediately.

This confirms clearly the Winsock Error Code 10061 you have seen before. So I think your best option is to contact the administrator of the destination to get that fixed.

HTH,
Stefaan

(in reply to neilp157)
Post #: 11
RE: unable to access our ftp site held by our ISP - 8.Jan.2004 12:23:00 PM   
neilp157

 

Posts: 7
Joined: 28.Nov.2003
From: Altrincham
Status: offline
Stefaan,

Cheers for looking at those logs. I have spoken to the administrator of the company which hosts our FTP site, it seems that they have no trace in their log files of me even trying to connect to their server. Is there anything in ISA such as LDT or LAT which could be stopping this request going out? It seems to me now that the request is looking for something other than the server outside of my domain. FYI - I also have my client set to PASV.
Cheers

(in reply to neilp157)
Post #: 12
RE: unable to access our ftp site held by our ISP - 8.Jan.2004 4:26:00 PM   
neilp157

 

Posts: 7
Joined: 28.Nov.2003
From: Altrincham
Status: offline
Stefaan,

Its fixed!
After inheriting the network a while ago our DNS entry was using an IP address which was wrong, either that our our ISP have changed their server. Anyway I changed our DNS entry and released my IP and then renewed - hey presto it worked. Feel a bit of a plank wasting your time, although in all fairness its made me realise that things are not always as complicated as they seem.

Thanks very much for your support - really appreciate your time.
Neil

(in reply to neilp157)
Post #: 13
RE: unable to access our ftp site held by our ISP - 8.Jan.2004 9:34:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Neil,

good to hear you have it working and thanks for the follow up! [Smile]

Stefaan

(in reply to neilp157)
Post #: 14

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2000 Firewall] >> Firewall Client >> unable to access our ftp site held by our ISP Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts