Re: Passive FTP problem

[Scott Klement <klemscot@xxxxxxxxxxxx>]

On Thu, 12 Jun 2003, Nathan Simpson wrote:
>
> We have opened up the port on the PIX and we can log in ok. but when we
> try to transfer it fails with:
> 227    Passive mode entered (172.xx,x,x,38,147) for client IP Address
> "172.yy.yy.y".
> Unable to setup for an active data connection to the server, reason code
> 5.
> 200    Using port 8338 at host 192.168.1.10
>

Are you allowing outgoing connections on all ports?  Or....?

You say "we have opened up the port"...  "the" port?  FTP uses many ports.
Which one did you open?

FTP uses port 21 for the "control connection".  In this connection, you
type commands to the server, and it gives back messages containing
information about the success/failure of the command you typed.

Data transfers (including transferring a file, or listing the contents
of a directory) are done on a separate port which is decided (based on
which ports are free) by the operating system when you initiat the
transfer.   Each time you do a transfer, it can potentially use a
different port.

With regular "active" FTP, the client sends a string containing an IP
address and a port number to the server, and the server connects back
to that port.  If a firewall in between blocks it, the connection fails.

With passive FTP, the server sends a string with the IP address and port
to the client.  The client then connects to that port.   This is better
for firewalls because you can just allow all OUTGOING connections as long
as the local port is 20, and restrict incoming connections.

I don't know if any of this helps you... but to me, it sounds like your
control connection is working, but the data transfer connections are
failing.   Maybe that'll get you looking in the right place...