[FW1] FTP Problem with double NAT
Hi everyone,

We're currently implementing a security configuration at one of our customers. The design looks like this:

    Router ---- Firewall-1 ---- DMZ ---- Linux Firewall ---- Internal network

The Linux Firewall hides the Internal Network behind a private address (its DMZ interface address). Firewall-1, in its turn, only accepts packets from the Linux firewall to go outside. Hence, Firewall-1 performs static NAT on the private address of the Linux Firewall.

Now here's my problem: clients on the inside network are unable to set up a valid FTP connection to the outside. In the Firewall-1 log there are the following entries:

    source           dest             s_port  track    service  comment
    ..xxx.xxx        xxx.xxx.xxx.xxx  60104   allowed  ftp
    xxx.xxx.xxx.xxx  xxx.xxx.xxx.xxx  60102   reject   ftp      reason: tried to open other port on host

When I try to establish a connection via the DOS prompt, I can log in to the server, but when I then try to do a dir or ls, the connection breaks.

In my opinion the following happens: establishing the FTP control connection (port 21) works fine: the Linux Firewall hides the address behind its address and opens a port for the connection (e.g. 60104). From the moment I try to open the FTP data connection (port 20), the Linux firewall sees this as a new connection and assigns another port to it (e.g. 60102). I am not sure about this. Does, in a normal client-server FTP connection, the client use the same port for both the control and the data connection? More specifically, does the client, once the control connection is finished, open a data connection using the same port (e.g. 60104)?

Am I missing some big thing here? Did anyone have the same problem? Any help would be greatly appreciated.
Thanks in advance,

TiM De Boeck
System Engineer (CCSA, CCSE)
Econocom Services

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
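The post asks whether an FTP client reuses the control connection's port for the data connection. In active mode it does not: the client opens a new listening port for each data transfer and announces it to the server in a PORT command (RFC 959, "h1,h2,h3,h4,p1,p2", port = p1*256 + p2), and the server then connects to that port from its port 20. Because the address and port travel inside the control channel, every NAT layer on the path has to rewrite the PORT command and hold a mapping for the inbound data connection; a NAT that does not do this leaves a private address in the command, which the server cannot reach and which a stateful firewall in between will see as not matching the control connection's source. The following model, added here as an illustration and not code from the original post or from any firewall vendor, encodes and decodes PORT commands, runs one through two NAT hops (a hiding NAT modelled on the Linux firewall, then a 1:1 static NAT modelled on Firewall-1), and shows the mismatch check a firewall can apply. All addresses, ports and class/function names are constructed assumptions; whether this is exactly what produced the "tried to open other port on host" entry in the post is a plausible reading, not something the post confirms.

```python
"""Model of active-mode FTP PORT handling across two NAT layers.

Added example, not code from the original post. Addresses are constructed
(RFC 1918 inside addresses; a documentation prefix for the public side).
"""
import re
from typing import Dict, Tuple

# Constructed sample addresses (assumptions, not from the post).
INSIDE_CLIENT = "10.0.0.25"      # client on the internal network
LINUX_FW_DMZ = "192.168.1.1"     # Linux firewall's DMZ address (private, hidden behind by Firewall-1)
PUBLIC_IP = "203.0.113.10"       # address Firewall-1 presents to the outside

PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def encode_port(ip: str, port: int) -> str:
    """Build an RFC 959 PORT command: four address octets, then p1,p2 with port = p1*256 + p2."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return "PORT " + ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def decode_port(line: str) -> Tuple[str, int]:
    """Parse a PORT command back into (ip, port); reject anything malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a well-formed PORT command: {line!r}")
    fields = [int(x) for x in m.groups()]
    if max(fields) > 255:
        raise ValueError("PORT field exceeds 255")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def address_mismatch(port_line: str, control_src_ip: str) -> bool:
    """The check an inspecting firewall can apply: does the address announced in PORT
    differ from the source address of the control connection carrying it?"""
    announced_ip, _ = decode_port(port_line)
    return announced_ip != control_src_ip


class NatFtpAlg:
    """Minimal model of an FTP-aware NAT (an 'FTP helper' / ALG).

    A hiding NAT allocates a fresh public port per data channel; a static 1:1 NAT
    keeps the client's port and only swaps the address. Either way the NAT must
    remember public_port -> (inside_ip, inside_port) so that the server's inbound
    connection (from port 20) can be forwarded to the client's listening socket.
    """

    def __init__(self, public_ip: str, first_port: int = 60000, static: bool = False):
        self.public_ip = public_ip
        self.next_port = first_port
        self.static = static
        self.mappings: Dict[int, Tuple[str, int]] = {}

    def rewrite_port(self, line: str) -> str:
        inside_ip, inside_port = decode_port(line)
        if self.static:
            public_port = inside_port
        else:
            public_port = self.next_port
            self.next_port += 1
        self.mappings[public_port] = (inside_ip, inside_port)
        return encode_port(self.public_ip, public_port)

    def translate_inbound(self, dst_port: int) -> Tuple[str, int]:
        """Where an inbound data connection to public_ip:dst_port must be forwarded."""
        if dst_port not in self.mappings:
            raise LookupError(f"no FTP data mapping for port {dst_port}")
        return self.mappings[dst_port]


def active_ftp_walkthrough() -> dict:
    """Client uses one ephemeral port for the control channel and a *different* new
    listening port for the data channel; each NAT hop rewrites the PORT command."""
    control_port = 1040   # client's ephemeral source port for the port-21 control connection
    data_port = 1041      # new listening port the client opens before sending PORT
    client_cmd = encode_port(INSIDE_CLIENT, data_port)

    linux_fw = NatFtpAlg(LINUX_FW_DMZ, first_port=60102)          # hiding NAT, new port per channel
    after_linux = linux_fw.rewrite_port(client_cmd)
    fw1 = NatFtpAlg(PUBLIC_IP, static=True)                       # static 1:1 NAT, address swap only
    after_fw1 = fw1.rewrite_port(after_linux)

    server_connects_to = decode_port(after_fw1)                   # what the outside server dials
    hop1 = fw1.translate_inbound(server_connects_to[1])           # Firewall-1 forwards to Linux FW
    delivered_to = linux_fw.translate_inbound(hop1[1])            # Linux FW forwards to the client
    return {
        "control_port": control_port,
        "data_port": data_port,
        "client_cmd": client_cmd,
        "after_linux": after_linux,
        "after_fw1": after_fw1,
        "server_connects_to": server_connects_to,
        "delivered_to": delivered_to,
        # What the server would see if neither NAT rewrote the command: an unreachable private address.
        "unrewritten_mismatch": address_mismatch(client_cmd, PUBLIC_IP),
    }


if __name__ == "__main__":
    for k, v in active_ftp_walkthrough().items():
        print(f"{k:>22}: {v}")
```

The walkthrough shows the two ports the post observed (one for the control channel, a different one for the data channel) are expected behaviour, not the fault. The practical takeaway for a double-NAT design is that both NAT devices need FTP-aware translation of the control channel, or the client should use passive mode, where the client initiates the data connection outbound and no inbound mapping is required.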