Re: Passive Mode FTP

On Tue, 6 Aug 2002, Joe Lewis wrote:
>
>   Remote           Remote  Local
>   Address          Port    Port   Idle Time  State
>    66.xxx.yyy.zzz    21    6340   000:00:03  Established
>   192.168.254.121  1234    6341   000:00:01  SYN-sent
>
> For some reason, the AS/400 is trying to access address 192.168.254.121,
> which happens to be the Win2K private address on their side of thier
> Firewall/NAT.  Of course, the connection never completes and times out.
>
> Why is their private address come up and how can I get the PASV to
> complete?


The FTP protocol will negotiate an address & port to use for a file
transfer.  It does this by sending a "PORT" or "PASV" command. (depending
on whether you are using standard or passive mode)

For example, if the client sends PASV, the server will reply with:

227 Entering Passive Mode (192,168,254,121,4,210)

That response tells the client that it needs to make a connection to
the IP address 192.168.254.121 and on port 1234 (4 x 256 + 210 = 1234)

The problem is that the server thinks it's addr is 192.168.254.121,
but your system thinks it's addr is 66.xxx.yyy.zzz.  This is because NAT
is changing the IP addresses in the packet header, but is not checking
for the FTP-specific PORT or PASV commands.

Actually, I'm assuming it's NAT because you said "NAT" in your message.
It's either a NAT that doesn't understand the FTP protocol, or it's a
proxy that's proxying port 21, but doesn't understand the FTP protocol.
In either case, you'd have the same error.

If I'm correct in my diagnosis, then this isn't an AS/400 specific error.
It should happen with any FTP client that connects to that IP address,
likewise it won't only fail on PUT/GET but will also fail on LS or DIR
commands.

The specific fix will depend on their environment.   Either the NAT/proxy
is misconfigured, or it will need to be upgraded or something like that :)
They'll need to contact whomever set up the NAT/Proxy for details.

Good Luck!