FTP SSL through a NAT Firewall

FTPS over a NAT firewall is a problem, but there are solutions. First, an explanation of the problem. The reason FTPS (and even FTP without SSL) is a problem with firewalls is that, unlike most internet protocols, FTP requires two socket connections, not just one. The first connection, called the control connection, is the one over which all of the commands and responses are exchanged between client and server. The second connection, called the data connection, is where all of the data is transferred (files and file listings). There are two ways to set up the data connection: active or passive. Active mode means the data connection is opened from the server to the client (the client listens for an incoming connection from the server). Passive mode is the opposite: the client opens the data connection to the server (the server listens for an incoming connection from the client). Passive mode is recommended, especially for SSL connections.

A normal, unencrypted, passive FTP data connection gets configured and opened like so:

    CLIENT-->SERVER: PASV
    SERVER-->CLIENT: 227 Ok, Entering Passive Mode (193,21,1,121,15,6)

The client sends the PASV command, and the server says "OK" and tells the client the IP address and port on which it is listening. The first four numbers in the parenthesized response form the dotted IP address (193.21.1.121) and the last two form the port number: 15*256 + 6 = 3846. At this point the server is listening for an incoming data connection, and the client can go ahead and make that connection so that the two sides can begin transferring data.

When you throw a NAT (Network Address Translation) in the middle

    CLIENT-->NAT-->SERVER:

you now have the following communication:

    CLIENT-->NAT: PASV
    NAT-->SERVER: PASV
    SERVER-->NAT: 227 Ok, Entering Passive Mode (10,0,1,121,15,6)
    NAT-->CLIENT: 227 Ok, Entering Passive Mode (193,21,1,121,15,6)

As you can see, the NAT must spy on the server's response to the PASV command. The NAT sees that the server is listening on 10.0.1.121 port 3846. The server is of course on a private IP address that the client cannot reach, while the NAT has the public IP address that the client is communicating with. So the NAT replaces the server's response with its own, telling the client to open the connection to the NAT's IP address and port. In turn, when the NAT receives a connection at that address and port, it forwards it on to the FTP server's IP address and port.

Now throw in another complication: SSL. Now the NAT cannot spy on the PASV response, nor can it alter it, because the control connection is encrypted end to end. So the client would attempt to open the data connection to the private IP address in the server's reply, which is not reachable from outside the firewall.

What is the solution?

There are several possible solutions you can explore:
  • Some FTP servers will allow you to specify an IP address (and port range) to use for passive mode connections. You'd set this to your public IP address.
  • Some FTP clients (including IPWorks components) can be smart enough to try the IP address specified by the server in the response to the PASV command and, if that fails, fall back to the same IP address that the initial connection was made to. Though that is not always the desired behavior, you can accomplish this with the IPWorks FTP components by using the UseRemoteHostAddressForPassive config:

    Ftps1.Config("UseRemoteHostAddressForPassive=true");

    Note that the component will not do this automatically, for security reasons.

  • Some NATs allow you to specify port ranges that are automatically forwarded to a specific internal address. If you can configure this port range to match the passive port range used by the FTP server, that may be a solution.

  • Another solution is to set your FTP server up to use the EPSV command (Extended Passive Mode). The server's reply to EPSV contains only the port; the IP address is taken to be the same as the IP address of the control connection, so there is nothing for the NAT to rewrite. The IP*Works! FTPS control supports UseEPSV as a configuration option:

    Setting

    Ftps1.Config("UseEPSV=true");

    will add support for EPSV.
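The PASV and EPSV replies above, and the NAT rewrite and "use the control-connection address instead" fallback the post describes, can be exercised in a few lines. The following is an added example written for this page; it is not IPWorks code and not the author's. The reply strings are constructed from the exchanges shown above, the function names are my own, and the 229 reply format (`(|||port|)`) is the standard EPSV form rather than anything quoted on this page.

```python
"""Added example (not IPWorks or the post's code): parse FTP passive-mode
replies and pick the data-connection endpoint the way the post describes."""
import ipaddress
import re
from typing import Tuple

# Host/port tuple in a 227 reply, e.g. "227 Ok, Entering Passive Mode (193,21,1,121,15,6)"
_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# Port in a 229 reply, e.g. "229 Entering Extended Passive Mode (|||3846|)"
_EPSV_RE = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Return (ip, port) from a 227 reply: h1.h2.h3.h4 and p1*256 + p2."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError("227 reply without a (h1,h2,h3,h4,p1,p2) tuple: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("value out of range in %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_epsv(reply: str) -> int:
    """Return the port from a 229 reply; an EPSV reply never carries an address."""
    if not reply.startswith("229"):
        raise ValueError("not a 229 reply: %r" % reply)
    m = _EPSV_RE.search(reply)
    if m is None:
        raise ValueError("229 reply without a (|||port|) field: %r" % reply)
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range in %r" % reply)
    return port


def choose_data_endpoint(control_host: str, reply: str,
                         use_remote_host_for_passive: bool = False) -> Tuple[str, int]:
    """Where the client should open the data connection.

    229 (EPSV): always the control-connection host plus the advertised port.
    227 (PASV): the advertised address, unless use_remote_host_for_passive is set,
    in which case the control-connection host replaces it (the behaviour the post
    attributes to UseRemoteHostAddressForPassive; it is opt-in because silently
    ignoring the server's address would hide a misconfigured server).
    """
    if reply.startswith("229"):
        return control_host, parse_epsv(reply)
    ip, port = parse_pasv(reply)
    if use_remote_host_for_passive:
        return control_host, port
    return ip, port


def pasv_address_looks_unreachable(advertised_ip: str, control_host: str) -> bool:
    """Diagnostic a client can log before connecting: True when the server advertised
    a private (RFC 1918) or loopback address while the control connection went to a
    public one. That mismatch is the signature of an FTPS PASV reply that a NAT could
    not rewrite. A hostname (not an IP literal) as control_host yields False."""
    adv = ipaddress.ip_address(advertised_ip)
    try:
        ctl = ipaddress.ip_address(control_host)
    except ValueError:
        return False
    return (adv.is_private or adv.is_loopback) and not ctl.is_private


def rewrite_pasv_for_nat(reply: str, public_ip: str, public_port: int) -> str:
    """What a NAT does to an unencrypted 227 reply: swap in its own address and port.
    It cannot do this to an FTPS reply, which is the post's whole point."""
    octets = [int(o) for o in public_ip.split(".")]
    if len(octets) != 4 or not 1 <= public_port <= 65535:
        raise ValueError("bad public endpoint")
    new_tuple = "(%d,%d,%d,%d,%d,%d)" % (octets[0], octets[1], octets[2], octets[3],
                                         public_port // 256, public_port % 256)
    return _PASV_RE.sub(new_tuple, reply, count=1)


if __name__ == "__main__":
    # Constructed replies modelled on the exchange in the post.
    inside = "227 Ok, Entering Passive Mode (10,0,1,121,15,6)"
    print(parse_pasv(inside))                                  # ('10.0.1.121', 3846)
    print(rewrite_pasv_for_nat(inside, "193.21.1.121", 3846))  # the NAT's rewritten reply
    print(pasv_address_looks_unreachable("10.0.1.121", "193.21.1.121"))  # True
    print(choose_data_endpoint("193.21.1.121", inside, use_remote_host_for_passive=True))
    print(parse_epsv("229 Entering Extended Passive Mode (|||3846|)"))  # 3846
```

The `pasv_address_looks_unreachable` check is the one worth wiring into a client's log output: when an FTPS data connection fails, seeing "server advertised 10.0.1.121 but I connected to 193.21.1.121" points straight at an unrewritten PASV reply, as opposed to a closed passive port range on the firewall.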
Updated 1/24/2008.

Posted on Tuesday, August 23, 2005 9:45 AM

Feedback

# re: FTP SSL through a NAT Firewall

Left by Asim J at 3/18/2007 2:19 AM
I like it, it is a very good explanation.

# re: FTP SSL through a NAT Firewall

Left by YF at 11/27/2007 7:55 PM
It is an easy-to-understand explanation. Thanks.

# re: FTP SSL through a NAT Firewall

Left by nasara at 3/19/2008 12:27 PM
You make it easy!
Thx!

# re: FTP SSL through a NAT Firewall

Left by chris at 8/1/2008 2:56 AM
Hi!

I have the described problem, but the client is behind NAT, not the server. Any solutions? Is this "bug" known? Active mode is working, PASV is not. FTP with SSL is not working, FTP without SSL is okay.

# re: FTP SSL through a NAT Firewall

Left by chris at 8/1/2008 10:21 AM
You're right, the server was behind a firewall.

# re: FTP SSL through a NAT Firewall

Left by ravi at 10/18/2008 1:30 AM
Really good explanation. With this solution it works when the client is on a home broadband connection. But when the client is in an office LAN (of course with routers, firewalls etc.), FTP with SSL is not working (directory listing failed). Just FTP works fine from the LAN.

# re: FTP SSL through a NAT Firewall

Left by Lance at 11/3/2008 9:47 AM
Yes, the server definitely sends the port info inside the encrypted packets. EVERYTHING gets sent inside encrypted packets when you're talking about FTPS.

In the case of client side A, the server sends (inside the encrypted packets of the regular FTP control connection) the IP and port that the client should connect to for the data connection. There is no reason why this response to the PASV cmd would not be received; it's just a regular part of the same connection. The problem comes next, when the client attempts to actually connect to the specified IP and port. The best thing to do here for troubleshooting is to use some client that has good output logging. Look and see exactly what IP and port the server is telling the client to connect to. This information could be bogus if the server is not configured correctly. Alternatively the port might not be one that is open on the firewall if the server is not configured correctly.

The website that you found that said FTP PASV will not work behind ISA was simply wrong.

A couple of tips for debugging this:
1. When you find out the IP and port that the server sends in the reply to the PASV command, try to open a connection to that manually using the telnet cmd from the cmd line, i.e.: "C:\>telnet 1.2.3.4 12345"
2. Put a network sniffer on the server. You won't be able to read the encrypted data, of course, but you'll be able to see the tcp connection attempt coming in on the data connection port.

# re: FTP SSL through a NAT Firewall

Left by dodger at 12/9/2008 6:55 PM
Great site. My FTPS 425 'Can't open data connection' problem with FileZilla Server was that I needed to forward the defined custom port range for passive mode (50000-50100) to the server on the router.

Thanks for the clue.

# re: FTP SSL through a NAT Firewall

Left by David at 12/11/2008 5:07 PM
Dodger,
I have the same issue with FileZilla Server. What exactly do you mean by "forward the defined custom port range for passive mode (50000-50100) to the server on the router"? I have a PC functioning as the FTP server behind a firewall with a public IP NAT'd to the private IP of that PC.

# re: FTP SSL through a NAT Firewall

Left by Kevin Coe at 1/13/2009 10:19 PM
Great post! I am having the same issue with Gene6 FTP Server and a Cisco ASA5510 router.
I am running FTPS over port 990.
I have already set up the NAT forward and I can make the connection, but when it hits a LIST command, it times out.
I will try the 50000-50100 forward and let you know.

# re: FTP SSL through a NAT Firewall

Left by wood at 2/4/2009 2:38 AM
but I believe that he means that you have to create an always running rule that

# re: FTP SSL through a NAT Firewall

Left by DaveK at 4/9/2009 2:25 PM
I have scoured the internet looking for info on a problem I am having and this site seems to be quite helpful.

Having some trouble with passive mode and FileZilla. FileZilla was working with active mode but suddenly stopped. Now I get the dreaded "425 Can't open data connection." error. Tried passive mode and get the same.

Setup is as follows:
FileZilla FTP server on a home PC behind a USR8054 router which has the necessary ports forwarded to the home PC's IP. I set up the server and client for passive mode using ports 6000-6050.

I think my router is at fault because of the following.
FTP Server (home PC behind USR8054 router):
> PASV
> 227 Entering Passive Mode (24,61,105,170,23,114)
> LIST
> 425 Can't open data connection.

FTP Client (from PC at work behind company router):
> Command: PASV
> Response: 227 Entering Passive Mode (24,61,105,170,244,179)
> Command: LIST
> Response: 425 Can't open data connection.

The port numbers in the PASV strings appear different on the server and the client, 6002 & 62643. I have tried other port ranges, but the client string always has a port number in the 62K+ area.
I think this is my problem but not sure why it is happening. Is my home router at fault, or is there something else I have overlooked?

# re: FTP SSL through a NAT Firewall

Left by Lance Robinson at 4/9/2009 3:28 PM
Hey Dave, I tried to email you but your server blocked it.

Hmm...well it could be that the SERVER is using port x, but the router is using port y.

client -> port y --> router --> port x --> server

Does your router give you the ability to see what ports it has open? If so, that might tell you the answer you're looking for. Did the router change around the same time that FileZilla suddenly stopped working? Do you have the ability to use SSL? If so, that will prevent the router from being able to spy on the connection and it won't be able to change it. However, that introduces other problems: you need to specify a passive port range on the server software, and you need to make sure those ports are open on your firewall.

# re: FTP SSL through a NAT Firewall

Left by DaveK at 4/9/2009 5:28 PM
Thanks for the info Lance.
Unfortunately my router does not give me the ability to see what ports are open.
Are there any good tools out there readily available for this?
I tried SSL as you suggested, and now the port numbers in the PASV strings match in both the client and server, but I still get the 425 Can't open data connection error. I tried different ports, 50000-50005, 5000-5005, 6000-6005, updating the router to forward each appropriately, but still the same result.
One thing I noticed is that I had to use FTPES as the Servertype setting on the FileZilla client. Not sure if this matters, as the port info looks correct now.
The only other thing I can think has happened is my company's IT department has changed the router settings for the company internet connection and closed most of the ports.
Any other suggestions are greatly appreciated.
Thanks

# re: FTP SSL through a NAT Firewall

Left by Jason Zhao at 5/18/2009 9:27 AM
Hi Lance,
We set up an FTP server in a DMZ. There is an F5 outside the external firewall which is responsible for translating the private IP address to a public IP address.
The FTP server supports specifying an IP address and port range when using passive FTP. But whether I specify the IP address as the public address or not, FTP SSL still does not work (FTP works). I found that FTP and FTP SSL work if the client is in the intranet (it needs to pass through the internal firewall, but no F5 and NAT).

And I use FileZilla as client software; this software supports connecting to the FTP server's external IP address. So maybe it's not because of the address problem?

Any clue?

Thanks,
Jason

# re: FTP SSL through a NAT Firewall

Left by Anonymous at 3/4/2010 6:49 AM
I have this problem too; passive connection works without Auth-TLS encryption...

Server:
My FTP server is at home behind a NAT; FTP port 21 and the passive ports are routed to the FTP server...

Client:
I'm connecting from my company, which is behind a firewall with outgoing ports blocked except 21.

If I connect to my server WITHOUT encryption, the server tells the NAT of my company the passive port, which opens this one for outgoing connections. The NAT now tells the client the port, which connects without any problems...

If I connect to my server WITH encryption, the server tells the NAT of my company the passive port, but the NAT can't read it because it's encrypted, and that's why the NAT doesn't open this outgoing port. Now the NAT sends this encrypted package to the client, which CAN read it... Now if the client tries to connect it won't work because the NAT did not open the port earlier...

# re: FTP SSL through a NAT Firewall

Left by Hirakim at 9/7/2010 1:52 PM
Thank you very much. Worked great :)

# re: FTP SSL through a NAT Firewall

Left by wart removal products at 11/23/2010 2:45 AM
Definitely a good post to read.

# re: FTP SSL through a NAT Firewall

Left by libya travel at 11/27/2010 3:19 AM
Well written write-up. Glad I'm able to locate a site with some knowledge plus a great writing style. You keep publishing and I will continue to keep browsing.

# re: FTP SSL through a NAT Firewall

Left by lawyer internet marketing at 11/29/2010 12:02 AM
No one will hate this wonderful blog, Thanks a lot for the share..........

# re: FTP SSL through a NAT Firewall

Left by First Birthday invitation at 12/3/2010 12:50 AM
I always like your blog posts because you always come with different ideas and information. I always share your site posts with my friends. Keep posting and I will follow you..

# re: FTP SSL through a NAT Firewall

Left by Kona Coffee prices at 12/4/2010 1:12 AM
Interesting post to read, I like the work done by the blogger.....

# re: FTP SSL through a NAT Firewall

Left by print company at 12/6/2010 8:46 AM
Wow, interesting blogs

# Mrs

Left by Teflon Tubing at 12/11/2010 3:48 AM
Good post, very informative article to read.

# re: FTP SSL through a NAT Firewall

Left by Yasuhiro Nakata at 1/11/2011 2:43 AM
Excellent post. Thank you very much.

# re: FTP SSL through a NAT Firewall

Left by Joshua at 2/24/2011 6:56 PM
I have read at least 10 other pages on this topic and you have made the most concise and understandable post to date. Your simplistic explanations were perfect. THANK YOU SO MUCH.
-joshua

# re: FTP error

Left by Gael from South of France at 3/7/2011 2:58 PM
Hi there,
I am posting from France.
I have some questions about FTP in passive mode.
I am a beginner in FTP transfers and I am involved in a problem that I am unable to solve alone. So please can you help me! Excuse my English, which probably will make you laugh sometimes…

Here is the situation:
> 70 “slave” ftp clients around France are sending files at any moment to a hosted ftp server.
> 1 “master” ftp client, at the main site, is connecting to the server every minute to get the files sent by the slaves.
> At the main site, the files follow a specific process and the master ftp client returns them back to the server in a queue, waiting to be downloaded by the 70 slaves ftp clients.
All ftp transfers are using the passive ftp.

First question: Is that clear?

This workflow has some problems. I will try to explain now what I get in my log files from the master FTP client and ask my first 2 questions:

> When the master is trying to connect to the server, the server always selects the same socket for passive mode transfer:
…..
|> PASV
|< 227 Entering Passive Mode (x1,x1,x5,x9,254,79)
…..

Is it normal? I thought that the server was supposed to choose a different socket for each transfer!

> When the master ftp client is trying to connect to the server the error message here under happens very often:

|> PASV
|< 425 Unable to listen, too many pending PASV requests from same client IP.

It looks like a limited number of simultaneous connections between the master and the server! Is there a limit for the number of connections at the same time on the socket?

Thank you for your help.

After that, if you are ok we can keep on with new questions.

Gael

# re: FTP SSL through a NAT Firewall

Left by m7ia at 3/22/2011 9:12 PM
This was a very helpful post.

Why is it that PASV needs a specified port range? Why can't it just use the FTP server port?

# re: FTP SSL through a NAT Firewall

Left by Ken at 7/3/2011 1:59 PM
Yeah, still a great post after so many years.

# re: FTP SSL through a NAT Firewall

Left by happy at 12/23/2011 9:03 AM
Awesome post Lance. This solved my problem with automating uploads to an FTPS server that was giving me headaches.

# re: FTP SSL through a NAT Firewall

Left by Site explorer at 12/29/2011 6:30 AM
Dear Admin, does a firewall always affect FTP services?

# re: FTP SSL through a NAT Firewall

Left by el dorado hills solar at 1/21/2012 4:01 PM
The server at my work had something similar to this happen. All of our IT guys in the area came out and everything was down for almost 24 hours. I am glad you all got your situation resolved; blogs like these can help the average person roundtable ideas and exchange info from similar experiences.

# re: FTP SSL through a NAT Firewall

Left by Romantic Weekend Getaway Package at 2/3/2012 12:24 PM
Still great advice after so many years.

# re: FTP SSL through a NAT Firewall

Left by PAGG Stack at 2/3/2012 1:18 PM
Excellent post. Thank you very much.

# re: FTP SSL through a NAT Firewall

Left by Kelvin at 2/6/2012 7:20 PM
This is my kind of blog! I work with a santa clarita wrongful death attorney but a lot of my technical skills work well with concepts of computer programming like this one.

# re: FTP SSL through a NAT Firewall

Left by Kim Harigotzo at 4/2/2012 7:36 PM
I need to get my blog on when I visit my vacation rental kauai next month... I am a geek with a part time blog ;)

# re: FTP SSL through a NAT Firewall

Left by chip conductors at 6/1/2012 4:51 PM
The NAT firewall is becoming weaker and less reliable, so I have found. Has anyone else experienced this?


Copyright © Lance Robinson
