Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiConnect
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDB
- FortiDDoS
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- FortiWebCloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- RE: Problems with FTP server behind two routers
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problems with FTP server behind two routers
Hi.
I have two routers in my network before reaching to my private network. The first one has a public IP address at its wan1, and acts as a gateway for its internal interface. The second router (a Fortigate 50B) has a static IP at its wan1 interface and a static route to from 0.0.0.0 to its gateway (172.64.1.11). At this second router internal interface, I finally have my FTP server (configured for passive mode) with a 192.168.0.105 IP address. Bellow is a scheme that I' ve drawn to ilustrate this architecture:
----------------------------------------- ---------------------------------------- ------------------------------------------------
INTERNET -> | 189.165.215.80 RT1 172.64.1.11 | -> | 172.64.7.12 FG-50B 192.168.0.1 | -> | 192.168.0.105 FTP SERVER - WINDOWS 2008 R2 |
----------------------------------------- ---------------------------------------- ------------------------------------------------
Naturally I' ve routed all the necessary ports in both routers so the connection requests from the internet can reach my FTP server. Anyway, the problem that I' m having is that whenever I try to connect my FTP server from the internet, Filezilla keeps trying to connect to the passive mode with the ip 172.64.7.12, that is the wan 1 ip address of the closest router to my FTP server, the Fortigate 50 B. I' ve also tryied on configuring the " External IP Address of Firewall" ip address at my FTP server, but the address is always changed to 172.64.7.12. Bellow follows my connection log.
Estado: A resolver o endereço de ftp.mycompany.com
Estado: Conectando 189.165.215.80:21...
Estado: Conexão estabelecida, esperando mensagem de boas-vindas...
Resposta: 220-Microsoft FTP Service
Comando: USER USER
Resposta: 331 Password required for USER.
Comando: PASS ********
Resposta: 230-Welcome!
Resposta: 230 User logged in.
Comando: SYST
Resposta: 215 Windows_NT
Comando: FEAT
Resposta: 211-Extended features supported:
Resposta: LANG EN*
Resposta: UTF8
Resposta: AUTH TLS;TLS-C;SSL;TLS-P;
Resposta: PBSZ
Resposta: PROT C;P;
Resposta: CCC
Resposta: HOST
Resposta: SIZE
Resposta: MDTM
Resposta: REST STREAM
Resposta: 211 END
Comando: OPTS UTF8 ON
Resposta: 200 OPTS UTF8 command successful - UTF8 encoding now ON.
Estado: Conectado
Estado: Obtendo lista de pastas...
Comando: PWD
Resposta: 257 " /" is current directory.
Comando: TYPE I
Resposta: 200 Type set to I.
Comando: PASV
Resposta: 227 Entering Passive Mode (172,64,7,12,128,106).
Comando: LIST
Resposta: 150 Opening BINARY mode data connection.
TIMEOUT
What should I do in order to have my FTP server working?
Regards,
Vinicius Pessôa.
http://www.deepsoft.com.br
DeepSoft is a company specialized in scientific software development and consulting. Our main goal is to provide solutions which relate to problems of scientific complexity, combining science and industry.
http://www.deepsoft.com.br DeepSoft is a company specialized in
scientific software development and consulting. Our main goal is to
provide solutions which relate to problems of scientific complexity,
combining science and industry.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
RT1 does not look like it does NAT filtering for FTP.
You did not explain if you set up NAT on RT1?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi edsouza.
First of all, thank you very much for helping us.
I probably don' t have NAT filtering for FTP at RT1 and certainly nothing like that configured in FG-50B. I honestly didn' t know that such feature was required.
Both RT1 and FG-50B has NAT enabled.
Enabling this NAT filtering for FTP in RT1 would solve my problem?
Is there a FG-50B level solution? I' ld like to avoid modifying configurations in RT1 if possible.
Regards,
Vinicius Pessôa
http://www.deepsoft.com.br
DeepSoft is a company specialized in scientific software development and consulting. Our main goal is to provide solutions which relate to problems of scientific complexity, combining science and industry.
http://www.deepsoft.com.br DeepSoft is a company specialized in
scientific software development and consulting. Our main goal is to
provide solutions which relate to problems of scientific complexity,
combining science and industry.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As a thought, try turning off NAT on both units. Let the native addresses through.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you rwpatterson, I' ll give it a shot. I need do disable nat on my internet->lan policy of both devices then, right? Anything has to be done in my lan->internet firewall policy?
Regards,
Vinicius Pessôa
http://www.deepsoft.com.br
DeepSoft is a company specialized in scientific software development and consulting. Our main goal is to provide solutions which relate to problems of scientific complexity, combining science and industry.
http://www.deepsoft.com.br DeepSoft is a company specialized in
scientific software development and consulting. Our main goal is to
provide solutions which relate to problems of scientific complexity,
combining science and industry.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure about your first device, but yes, in the FGT, just the inward policy is all you need to touch. The return traffic passes back through the same policy.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi everyone. I' ve tryied disabling nat in the incoming policy of both routers. Still doesn' t work. Actually, now even the FTP connection (21) stopped working.
Any ideas?
Regards,
Vinicius Pessôa.
http://www.deepsoft.com.br
DeepSoft is a company specialized in scientific software development and consulting. Our main goal is to provide solutions which relate to problems of scientific complexity, combining science and industry.
http://www.deepsoft.com.br DeepSoft is a company specialized in
scientific software development and consulting. Our main goal is to
provide solutions which relate to problems of scientific complexity,
combining science and industry.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don' t think this is going to work. With passive mode FTP the server opens a connection to the outside client. Your server only knows about his private IP address, and the client probably sees that and tries to reply to it, with no way of knowing where to route the traffic.
What you could try is source NAT the server' s IP in the FG' s policy to 172.64.7.13 (unused IP), and NAT that in RT1 to your public IP. Make sure the return path gets NATed as well. This is just a crude sketch and might not be worth the trouble.
Active FTP should work as is, though.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ede. Thank you for helping me.
Actually, the Windows FTP Server has a configuration field called " External IP Address of Firewall" . So, I' m setting my public IP in this field. This feature works when I' m connecting my server from my lan (it retrieves me the set IP for the passive connection). But when I' m on the other side of the routers, I always get the IP 172.64.7.12.
Regards,
Vinicius Pessôa.
http://www.deepsoft.com.br
DeepSoft is a company specialized in scientific software development and consulting. Our main goal is to provide solutions which relate to problems of scientific complexity, combining science and industry.
http://www.deepsoft.com.br DeepSoft is a company specialized in
scientific software development and consulting. Our main goal is to
provide solutions which relate to problems of scientific complexity,
combining science and industry.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- I Have Issue on Netflow FortiGate 93 Views
- Problems with setting MTU 110 Views
- Forticlient VPN restore problem 126 Views
- Issues with FortiClient 7.0.0 on Windows... 117 Views
- Problem with SFP on ULL ports... 98 Views
Labels
-
FortiGate
8,080 -
FortiClient
1,622 -
5.2
801 -
FortiManager
682 -
5.4
639 -
FortiAnalyzer
518 -
FortiAP
427 -
FortiSwitch
426 -
6.0
416 -
FortiClient EMS
365 -
5.6
362 -
FortiMail
301 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
189 -
SSL-VPN
178 -
FortiNAC
163 -
IPsec
154 -
6.4
128 -
FortiGuard
125 -
FortiGateCloud
98 -
FortiSIEM
94 -
FortiCloud Products
94 -
SD-WAN
89 -
FortiToken
86 -
Customer Service
74 -
Wireless Controller
74 -
FortiAuthenticator
70 -
4.0MR3
64 -
Firewall policy
58 -
FortiProxy
53 -
FortiEDR
50 -
Fortivoice
49 -
FortiADC
49 -
FortiExtender
43 -
VLAN
42 -
FortiDNS
41 -
High Availability
41 -
FortiSandbox
39 -
ZTNA
37 -
FortiGate v5.4
35 -
Routing
35 -
LDAP
34 -
FortiSwitch v6.4
33 -
DNS
33 -
BGP
32 -
SAML
31 -
Certificate
30 -
Interface
29 -
SSO
27 -
NAT
27 -
FortiConnect
26 -
FortiConverter
25 -
Authentication
25 -
FortiWAN
24 -
RADIUS
24 -
FortiLink
24 -
FortiGate v5.2
23 -
VDOM
23 -
Application control
21 -
Web profile
21 -
Virtual IP
20 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
Fortigate Cloud
18 -
Logging
18 -
Traffic shaping
17 -
FortiMonitor
16 -
FortiPAM
16 -
FortiDDoS
15 -
FortiGate v5.0
14 -
SSL SSH inspection
14 -
OSPF
13 -
FortiCASB
12 -
SSID
12 -
Admin
12 -
IP address management - IPAM
12 -
FortiManager v5.0
11 -
Automation
11 -
Static route
11 -
WAN optimization
11 -
Web application firewall profile
11 -
FortiSOAR
10 -
FortiRecorder
10 -
SNMP
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
System settings
9 -
FortiManager v4.0
8 -
FortiBridge
8 -
RMA Information and Announcements
8 -
IPS signature
8 -
Proxy policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
Security profile
7 -
Traffic shaping policy
7 -
Port policy
7 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Intrusion prevention
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Fabric connector
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiDeceptor
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Antivirus profile
4 -
Traffic shaping profile
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Netflow
4 -
Web rating
4 -
FortiDB
3 -
FortiHypervisor
3 -
Explicit proxy
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Replacement messages
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
API
2 -
FortiNDR
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
Service
2 -
Zone
2 -
Cloud Management Security
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
SDN connector
1 -
Multicast policy
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1517 | |
| 1013 | |
| 749 | |
| 443 | |
| 209 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.