
PASV behind NAT


by Mic » Fri Feb 04, 2005 9:42 am

Dear support,

I am using edtFTPD as the FTP server in our company, behind a firewall, and am publishing the FTP site out through the NAT firewall. It all works nicely! BUT when switching to FTPS, things go wrong at the same point every time. The auth handshake on port 21 works fine, and then the PASV command is issued, and right here it is very visible that the PASV command will always fail in a NAT environment.

In FTP mode the PASV command tries to set up the data channel on the correct IP address, which is the PUBLIC address, and it works, but in FTPS mode the PASV command tries to use the private local IP behind the firewall, and then of course just times out, as there is no way to connect directly to an inside address. I have tried every combination given in the advice about using only one port, and the NAT firewall always works on the commands but not on the data channel, even if it is the same port!

I would very much like it if this could be fixed somehow, so I could use the data channel to do FTPS. I must mention that I have no problems with FTPS when not going through NAT.

Is there a way to configure a solution to the FTPS PASV-NAT problem, or is it simply my firewall that cannot handle PASV on the data channel?

Mic

Re: PASV behind NAT

by EDT Support » Sat Feb 05, 2005 10:42 am

[NOTE ADDED March 2007]

Please refer to for an in-depth explanation of this problem.


[ORIGINAL POST FOLLOWS]

Hi Mic

The reason why it works in non-SSL mode is that your firewall actually intercepts the PASV command and temporarily configures the firewall to (1) open a port in the firewall for connections from the FTP client and (2) channel the incoming connection through to your server. It can't do this in SSL mode since the PASV command is encrypted. You can read more about this at .

For a possible solution to your problem look here: .

Hope that helps.

- Hans (EDT Support)
Last edited by EDT Support on Thu Mar 29, 2007 10:34 am, edited 1 time in total.

Re: PASV behind NAT

by Mic » Mon Feb 07, 2005 9:57 am

Thanks, support.

I got closer to a solution. I found this in the Indy project KB. This is on the server side:

"If you must use an FTP server using SSL behind a NAT, you should do the following:
1. Configure your NAT to forward a range of ports to your server.
2. Specify that port range with the PASVBoundPortMin and BoundPortMax properties.
3. Set the IP address given in PASV replies to your NAT's external Internet IP address using the OnPASVReply event, but do not change the IP address for clients that are also on the internal network."

Am I right to conclude that 1 and 2 can be done now, as it is? I guess that you have implemented 2 as the passive... n n command? But what about 3 - that is exactly what I want to try! How is the OnPASVReply event implemented? And how can I configure the PASV reply to be my firewall's external interface? I am very interested in making this work :)

Mic
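The two posts above describe the same mechanism from both sides: on a plaintext control channel the NAT firewall's FTP helper reads the server's 227 reply to PASV and swaps the private address for its external one, which it cannot do once the control channel is TLS-encrypted; the Indy advice then moves that job into the server itself (forward a fixed port range, hand out only ports in that range, and advertise the external address to outside clients but the private address to inside clients). The following Python model of both, as an added example that is not code from edtFTPD, the Indy project or anyone in this thread, parses and builds RFC 959 227 replies, implements the per-client address choice, and shows the firewall rewrite succeeding on plaintext and falling through on opaque TLS record bytes. All addresses are constructed from documentation ranges, the TLS record bytes are constructed, and the function names and the internal_network parameter are assumptions for illustration.

```python
import ipaddress
import re

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)",
# where the data port is p1*256 + p2.
PASV_REPLY_RE = re.compile(r"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def format_pasv_reply(ip: str, port: int) -> str:
    """Build the 227 line a server sends in answer to PASV."""
    h1, h2, h3, h4 = ip.split(".")
    return f"227 Entering Passive Mode ({h1},{h2},{h3},{h4},{port >> 8},{port & 0xFF})\r\n"


def parse_pasv_reply(line: str):
    """Return (ip, port) from a 227 line, or None if the line is not a PASV reply."""
    m = PASV_REPLY_RE.match(line)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", (p1 << 8) | p2


def pasv_address_for(client_ip: str, server_private_ip: str,
                     external_ip: str, internal_network: str) -> str:
    """Step 3 of the Indy advice: advertise the NAT's external address to outside
    clients, but keep the private address for clients on the internal network,
    since they reach the server directly and not through the NAT."""
    if ipaddress.ip_address(client_ip) in ipaddress.ip_network(internal_network):
        return server_private_ip
    return external_ip


def server_pasv_reply(client_ip: str, data_port: int, *, server_private_ip: str,
                      external_ip: str, internal_network: str,
                      port_min: int, port_max: int) -> str:
    """Steps 1-3 together: only hand out ports inside the range the NAT forwards
    (steps 1 and 2) and pick the advertised address per client (step 3)."""
    if not port_min <= data_port <= port_max:
        raise ValueError(f"data port {data_port} outside forwarded range {port_min}-{port_max}")
    ip = pasv_address_for(client_ip, server_private_ip, external_ip, internal_network)
    return format_pasv_reply(ip, data_port)


def firewall_alg_rewrite(control_bytes: bytes, server_private_ip: str, external_ip: str):
    """Model of an FTP-aware NAT firewall on a plaintext control channel: it reads
    the 227 reply and swaps the private address for its external one (opening the
    named port at the same time). Returns (bytes_to_forward, rewritten).
    On an FTPS control channel it sees TLS records, not a 227 line, so the reply
    passes through untouched and the client tries the unreachable private IP."""
    try:
        text = control_bytes.decode("ascii")
    except UnicodeDecodeError:
        return control_bytes, False  # ciphertext: nothing the helper can parse
    parsed = parse_pasv_reply(text)
    if parsed is None or parsed[0] != server_private_ip:
        return control_bytes, False
    return format_pasv_reply(external_ip, parsed[1]).encode("ascii"), True


# Constructed sample values (documentation address ranges, not a real deployment).
SERVER_PRIVATE_IP = "192.168.1.10"
EXTERNAL_IP = "203.0.113.5"
INTERNAL_NET = "192.168.1.0/24"
PORT_MIN, PORT_MAX = 50000, 50100
# Constructed stand-in for a TLS application-data record carrying the 227 reply.
TLS_RECORD_SAMPLE = b"\x17\x03\x01\x00\x20" + bytes(range(0x80, 0xA0))


def demo() -> dict:
    common = dict(server_private_ip=SERVER_PRIVATE_IP, external_ip=EXTERNAL_IP,
                  internal_network=INTERNAL_NET, port_min=PORT_MIN, port_max=PORT_MAX)
    # Outside client: the reply must carry the external address.
    outside = server_pasv_reply("198.51.100.7", 50000, **common)
    # Inside client: the reply keeps the private address.
    inside = server_pasv_reply("192.168.1.50", 50000, **common)
    # Plaintext FTP: the firewall helper rewrites the private address itself.
    plain_in = format_pasv_reply(SERVER_PRIVATE_IP, 50000).encode("ascii")
    plain, plain_rewritten = firewall_alg_rewrite(plain_in, SERVER_PRIVATE_IP, EXTERNAL_IP)
    # FTPS: the same reply inside a TLS record is opaque and passes unchanged.
    tls, tls_rewritten = firewall_alg_rewrite(TLS_RECORD_SAMPLE, SERVER_PRIVATE_IP, EXTERNAL_IP)
    return {"outside": outside, "inside": inside,
            "plain": plain, "plain_rewritten": plain_rewritten,
            "tls": tls, "tls_rewritten": tls_rewritten}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The model leaves out two things a production implementation must handle: the server has to actually bind the data socket to the port it advertises, and a real firewall helper that lengthens or shortens the 227 line also has to adjust TCP sequence numbers on the control connection, which is one more reason such helpers are limited to plaintext FTP.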

Re: PASV behind NAT

by EDT Support » Mon Feb 07, 2005 6:40 pm


Re: PASV behind NAT

by Mic » Wed Feb 16, 2005 11:30 am

