# Solved: FTP external access



## Kelveeno (May 1, 2009)

External clients cannot access the FTP server; they are stuck at the login screen. Users enter their login info and the login window keeps popping back up, so essentially users are stuck at login. ftp://ip-address:4040 is the address they use. Internal FTP access works for everyone. How can I get users to log in to FTP from an external location?

Router setup: dynamic IP addressing through ISP. I verified before and after login attempts that the IP address did not change. (Will go static IP once we move to new location.) Ports 4040 and 4041 set to forward to FTP server.

server setup: win 2003 server. anonymous ftp access disabled, users must login.


----------



## StumpedTechy (Jul 7, 2004)

Well the fact they are getting to the login means something is working now you just have to figure out what is broken.

Do you have a log from someone trying to connect externally and see what port the client is trying to get when it's trying to log in?

What server are you using for FTP? I am betting the problem lies in how that is set up.

Dynamic vs static IP on the ISP side does not matter except on initial connection, but the fact they are getting the login prompt means it sees that.


----------



## Elvandil (Aug 1, 2003)

What ports are you using for login and which for data? Is the server configured to use a specific data port?


----------



## Kelveeno (May 1, 2009)

I'll have to check the logs on the server Monday. I am using IIS on Win Server 2003, all updates are current.

The server uses port 4040; I set this up using the setup wizard. This works OK for local network users, but anyone going through the router is blocked.


----------



## StumpedTechy (Jul 7, 2004)

You don't have any types of software firewalls up that may be causing an issue do you?


----------



## Kelveeno (May 1, 2009)

I checked the logs and I don't see attempts from remote users, but I'm not sure. I turned on usernames and will try to generate log entries tonight when I get home.

There are no firewalls on my machine at home (running vista).

Clarification: the server is win 2003 enterprise edition. the ftp server has tcp port 4040 configured.


----------



## avisitor (Jul 13, 2008)

Is the server configured to allow remote logins?


----------



## Kelveeno (May 1, 2009)

Yes, users on machines connected to the local network can connect without issue, but users connecting through the router cannot connect. I think the problem here is the server is behind a router using dynamic IP assigned from our ISP, so my server is behind a router using NAT. I have been doing some research, and have read that FTP and NAT don't work too well together.

My thinking now is if this is the issue I need to upgrade my hardware so that I can use static IP addressing which we have at this new location (I just realized we are using the PPPoE authentication from the old location). I need to figure out which modem can support multiple IPs (5 currently assigned to us from our ISP). I also need a router that can handle gigabit bandwidth and have 4 configurable interfaces (I'm thinking 1 WAN, and 3 subnets: DMZ, 1 corporate, and 1 for QA). Thanks for the help so far everyone, the ideas presented here have been very informative.


----------



## StumpedTechy (Jul 7, 2004)

FTP and NAT work just fine as long as you have all the pieces in place. The thing is you can have the problem at any spot between the client and the server. The logs from the server would definitely help as well as seeing what the server is doing when the user is trying to log in. Is your server using PASV or anything like that? How many people are connected at the time of the remote user trying to connect? Really you can use a ton more information in here in order to figure this all out.


----------



## Kelveeno (May 1, 2009)

OK, I finally figured out where the logfile is and made a connection attempt that got logged. I used a normal ftp command; I'm pretty sure I am not in passive mode. The login box was displayed, username and password info were entered, but then an "error page not found" message was displayed after a short pause while the computer was thinking. There were 2 users connected to the server at the time this was made. Here is the log info:

```
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-05-12 19:20:54
#Fields: time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
19:20:54 75.79.62.40 anonymous [382]USER anonymous 331 0
19:20:54 75.79.62.40 - [382]PASS [email protected] 530 1326
19:21:05 75.79.62.40 kelvin [383]USER kelvin 331 0
19:21:05 75.79.62.40 kelvin [383]PASS - 230 0
19:21:05 75.79.62.40 kelvin [383]CWD / 250 0
19:21:26 75.79.62.40 kelvin [384]USER kelvin 331 0
19:21:26 75.79.62.40 kelvin [384]PASS - 230 0
19:21:26 75.79.62.40 kelvin [384]CWD / 250 0
19:21:47 75.79.62.40 kelvin [385]USER kelvin 331 0
19:21:47 75.79.62.40 kelvin [385]PASS - 230 0
19:21:47 75.79.62.40 kelvin [385]CWD / 250 0
```


----------



## StumpedTechy (Jul 7, 2004)

Well here is what I see is going on -

http://support.microsoft.com/?id=318380 <---- a list of the IIS error codes about 2/3rds of the way down is the FTP stuff.

anonymous [382]USER anonymous 331 0 <--- I am hoping anonymous is turned off if you're allowing remote logins.

19:21:26 75.79.62.40 kelvin [384]USER kelvin 331 0
19:21:26 75.79.62.40 kelvin [384]PASS - 230 0
19:21:26 75.79.62.40 kelvin [384]CWD / 250 0 <------Now all is showing Okay to the point where CWD is getting processed.

You say 2 people are connected and you have 2 ports open on your server. You should have more ports open if you're going to host multiple connections...

Have you thought of changing your FTP to PASV? - http://mystyleit.com/blogs/mystyleit/archive/2007/12/11/passive-ftp-server-using-iis.aspx


----------
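
One way to read logs like the ones posted in this thread, as an added example (not code from any poster): it groups IIS 6 W3C FTP entries by the `[n]` session id and counts clients that authenticate, stop at `CWD`, and log in again shortly afterwards, the retry pattern visible in the posted log. This is a heuristic for "something after login is failing", not proof of a data-channel fault; the sample lines, the user `alice`, the address and the 60-second window are constructed.

```python
import re
from datetime import datetime

# Constructed sample in the field layout of the logs posted in the thread:
# time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
SAMPLE_LOG = """\
08:00:00 192.0.2.10 anonymous [1]USER anonymous 331 0
08:00:00 192.0.2.10 - [1]PASS guest@example.test 530 1326
08:00:11 192.0.2.10 alice [2]USER alice 331 0
08:00:11 192.0.2.10 alice [2]PASS - 230 0
08:00:11 192.0.2.10 alice [2]CWD / 250 0
08:00:32 192.0.2.10 alice [3]USER alice 331 0
08:00:32 192.0.2.10 alice [3]PASS - 230 0
08:00:32 192.0.2.10 alice [3]CWD / 250 0
"""
LINE = re.compile(r"^(\S+) (\S+) \S+ \[(\d+)\](\S+) (.+) (\d+) (\d+)$")

def parse_sessions(text):
    """Group entries by the [n] session id that prefixes cs-method."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # '#' directive lines and malformed entries are skipped
            t, ip, sid, verb, arg, status, win32 = m.groups()
            s = sessions.setdefault(int(sid), {"ip": ip, "user": None, "events": [],
                                               "start": datetime.strptime(t, "%H:%M:%S")})
            if verb == "USER":
                s["user"] = arg
            s["events"].append((verb, int(status), int(win32)))
    return sessions

def classify(session):
    """Label a session by its PASS reply and by what followed the login."""
    seen = {(verb, status) for verb, status, _ in session["events"]}
    if ("PASS", 230) not in seen:
        return "login-rejected" if ("PASS", 530) in seen else "incomplete"
    other = {verb for verb, _ in seen} - {"USER", "PASS", "CWD"}
    return "login-ok" if other else "login-ok-then-silent"

def retry_loops(sessions, max_gap=60):
    """Count, per (ip, user), silent sessions starting within max_gap s of the last one."""
    loops, last = {}, {}
    for _, s in sorted(sessions.items()):
        key = (s["ip"], s["user"])
        if classify(s) == "login-ok-then-silent":
            if key in last and (s["start"] - last[key]).total_seconds() <= max_gap:
                loops[key] = loops.get(key, 0) + 1
            last[key] = s["start"]
    return loops
```

IIS writes W3C extended log times in UTC, so convert to local time before matching entries to a connection attempt.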



## Kelveeno (May 1, 2009)

The Allow Anonymous Connections box is unchecked so users have to login. I'm not too sure why anonymous connection is being made.

I expanded port range on the router to 4039-4065 and explicitly added port forwarding for ports 20 and 21 (default range for ftp service that's pre-programmed for the router). The FTP server is configured to use port 4040 as TCP port, and connections is set to 100,000.

I tried changing to PASV server, not sure I did it right. I have attached a .jpg of my screen.

I can't test anything currently because my remote system is now unable to connect to the login screen. The remote system can connect to the web page on the server through an HTTP connection, so I don't know what's going on.


----------



## StumpedTechy (Jul 7, 2004)

Almost right - 

My suggestion is if you have the server set to use 4040 as the connection port then use 4040 and then make the PASV range from 4041 and up so do it to 4065 or if you want to keep the same number of clients you anticipated connecting make it 4067.

You can't have the PASV range the same as the connection port because it "bumps" the connection off to one of the other ports after connecting on the 4040.

It looks as though you did it right -
http://mystyleit.com/blogs/mystyleit/archive/2007/12/11/passive-ftp-server-using-iis.aspx

Remember to make sure ALL router firewall ports 4040-4065 (or 4067 if you take my alternate scenario) are pointed to your server and are open on any server/software based firewall.


----------



## StumpedTechy (Jul 7, 2004)

About the anon access, as long as you know it's unchecked and does not work you should be okay. When I see a 331 in IIS though it makes me wonder if it's not still active somehow and wanted to make sure you double checked if you didn't want anon access.


----------



## Kelveeno (May 1, 2009)

I tried to connect again this morning twice. The first attempt brought up the login screen. Username and password info were entered, then the computer paused before displaying error page not found. On the second attempt, the login box was not displayed and the computer paused before displaying page not found error. Here's the logfile:

```
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-05-28 15:18:40
#Fields: time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
15:18:40 68.183.93.14 anonymous [1]USER anonymous 331 0
15:18:40 68.183.93.14 - [1]PASS [email protected] 530 1326
15:19:05 68.183.93.14 kelvin [2]USER kelvin 331 0
15:19:05 68.183.93.14 kelvin [2]PASS - 230 0
15:19:05 68.183.93.14 kelvin [2]CWD / 250 0
15:19:26 68.183.93.14 kelvin [3]USER kelvin 331 0
15:19:26 68.183.93.14 kelvin [3]PASS - 230 0
15:19:26 68.183.93.14 kelvin [3]CWD / 250 0
15:19:47 68.183.93.14 kelvin [4]USER kelvin 331 0
15:19:47 68.183.93.14 kelvin [4]PASS - 230 0
15:19:47 68.183.93.14 kelvin [4]CWD / 250 0
15:20:36 68.183.93.14 anonymous [5]USER anonymous 331 0
15:20:36 68.183.93.14 - [5]PASS [email protected] 530 1326
15:20:36 68.183.93.14 kelvin [6]USER kelvin 331 0
15:20:36 68.183.93.14 kelvin [6]PASS - 230 0
15:20:36 68.183.93.14 kelvin [6]CWD / 250 0
15:20:57 68.183.93.14 kelvin [7]USER kelvin 331 0
15:20:57 68.183.93.14 kelvin [7]PASS - 230 0
15:20:57 68.183.93.14 kelvin [7]CWD / 250 0
15:21:18 68.183.93.14 kelvin [8]USER kelvin 331 0
15:21:18 68.183.93.14 kelvin [8]PASS - 230 0
15:21:18 68.183.93.14 kelvin [8]CWD / 250 0
```

One thing I notice is that these attempts were made at about 8 AM, yet the timestamp indicates they were made after 3 PM today. The system clock is displaying the correct date/time, so I do not know where these timestamps are coming from.

Router: Ports 20-21 and 4040-4065 are explicitly open. Router is explicitly configured to forward these ports to the local IP of the FTP server. I notice port triggering was enabled; should I turn that off?

FTP: passive server is set using ports 4041-4065 (changed to not include port 4040).

Local users can connect to FTP successfully, remote users cannot connect.

What else should I do?

kelvin


----------



## Kelveeno (May 1, 2009)

Marking this solved. Am able to connect to the FTP server from a remote location using TCP port 21. Solution:

Replaced Netgear router with new Netopia 3347. Upgraded ISP service to use static IP addressing. Used one-to-one NAT to map external IPs to my servers. Configured passive FTP.

Further refinement: I need to figure out how to assign ports through the router so that I can use the ftp://ip-address:port# command to connect to different FTP sites on the same server. Pinholing and ipmaps are incompatible on this unit. Another option is to use permissions lists.

Thanks to all for advice and help, my job is safe for another day.

kelvin


----------



## StumpedTechy (Jul 7, 2004)

Interesting... every router should at least be able to forward the right ports and make the FTP work. Maybe it was a defective netgear? Oh well I am glad you got it solved. The fact you were even able to initiate it made me pretty much rule out the router in the first place. GL


----------



## Kelveeno (May 1, 2009)

I think it was the port assignment. I changed it from 4040 to 21. On this new router I can't figure out how to port forward yet, so I have to use the default port.

I had passive FTP running through the old router but it didn't work. I kept passive FTP on since it made more sense to use it.


----------

