problems when connected to server via a NAT router

  • #28011
    Anonymous
    Participant

    The latest release of Cerberus is being used and the problem we are seeing is as follows:

    You can log in to the FTP server without any problems but get the following after issuing a DIR command.

    ftp> dir

    ftp: setsockopt (ignored): Permission denied

    ---> PASV

    227 Listening on (xxx,xxx,xxx,xxx,yyy,yyy)

    ftp: connect: No route to host

    where for Cerberus xxx,xxx,xxx,xxx is the LAN IP address of the machine it is being run on and yyy,yyy is the port number.

    When the connection is routed to another machine on the LAN running IIS a similar message is returned

    ftp> dir

    ftp: setsockopt (ignored): Permission denied

    ---> PASV

    227 Entering Passive Mode (xxx,xxx,xxx,xxx,yyy,yyy)

    ---> LIST

    and it all works.

    In IIS though xxx,xxx,xxx,xxx is the router's WAN IP address rather than the IP address of the machine IIS is being run on.

    From memory IIS isn’t configured with the WAN IP address information so it must pick it up from the traffic routed to it and so it would seem that Cerberus doesn’t do this.

    Cerberus works fine from within the LAN because in this case the machine's IP address on the LAN is exactly what is required but when the traffic comes via a NAT router it doesn’t use the WAN address when telling the remote machine what PASV port it is prepared to listen on.

    Is there a configuration option to get round this problem?

    #31173
    imported_Serin
    Participant

    Yes, there is a configuration option to allow the WAN address to be used for the PASV command.

    * Open the “Server Manager” and select the “Interface Options” tab.

    * Select the interface you are interested in, then check the “Use different IP for PASV.”

    * Enter your WAN IP address in the IP box that appears.

    The above steps should fix your problem.

    Sincerely,

#31174
Anonymous
Participant

serin wrote:

Yes, there is a configuration option to allow the WAN address to be used for the PASV command.

    * Open the “Server Manager” and select the “Interface Options” tab.

    * Select the interface you are interested in, then check the “Use different IP for PASV.”

    * Enter your WAN IP address in the IP box that appears.

    The above steps should fix your problem.

    Grant – when I use this option, Cerberus fails trying to open the passive port. It sure looks like you are trying to bind the port to the WAN address instead of just sending the WAN address in the PASV reply. You should always be binding the passive port to the interface address.

    #31175
    Anonymous
    Participant

    Just to be more clear:

    Cerberus is running behind a NAT router. Assume the router’s external address is x.x.x.x and the IP address of the computer running the Cerberus server is y.y.y.y. I have set up port forwarding so that incoming requests to x.x.x.x in the PASV port range (as well as port 21) are forwarded to y.y.y.y.

    So my Cerberus interface is y.y.y.y.

    When I enable the “Use different IP for PASV” option, and put in the WAN address x.x.x.x, Cerberus fails opening the passive port whenever it gets a PASV command.

    It sure looks like Cerberus is trying to bind the passive port to x.x.x.x, but it can’t because that address is on the router. It should be binding to y.y.y.y but sending the address x.x.x.x back to the client in the reply to the PASV command.

    #31176
    Anonymous
    Participant

    I get the same thing…

    #31177
    imported_Serin
    Participant

    afternoonnap,

    After further investigation, there does appear to be a bug in the “Use different IP for PASV” command. I am working on a fix…

    Thanks,
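
The behaviour the posters ask for (bind the passive data socket to the server's own interface address, and put the router's WAN address only in the 227 reply), sketched in Python as an added example that is not part of the thread and is not Cerberus code. The function names are hypothetical, and 127.0.0.1 and 203.0.113.10 are constructed stand-ins for y.y.y.y and x.x.x.x.

```python
import re
import socket

def format_pasv_reply(advertised_ip, port):
    """Build the 227 reply: four address octets, then port high and low bytes."""
    octets = advertised_ip.split(".")
    return "227 Entering Passive Mode (%s,%d,%d)" % (",".join(octets), port >> 8, port & 0xFF)

def parse_pasv_reply(line):
    """Return (ip, port) from a 227 reply, or None if it is malformed."""
    m = re.search(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)", line)
    if not line.startswith("227") or m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def open_passive_listener(bind_ip, advertised_ip, port=0):
    """Bind the data socket to the local interface; advertise the WAN address."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((bind_ip, port))  # local interface (y.y.y.y), never the router's address
        sock.listen(1)
    except OSError:
        sock.close()
        raise
    # Only the text of the reply carries the WAN address (x.x.x.x).
    return sock, format_pasv_reply(advertised_ip, sock.getsockname()[1])

def reply_matches_control_peer(line, control_peer_ip):
    """Client-side check: does the 227 reply name the address the client reached?"""
    parsed = parse_pasv_reply(line)
    return parsed is not None and parsed[0] == control_peer_ip

if __name__ == "__main__":
    LAN_IP = "127.0.0.1"     # constructed stand-in for y.y.y.y
    WAN_IP = "203.0.113.10"  # constructed stand-in for x.x.x.x
    sock, reply = open_passive_listener(LAN_IP, WAN_IP)
    print(reply, "bound to", sock.getsockname())
    print("reply names the address the client reached:", reply_matches_control_peer(reply, WAN_IP))
    sock.close()
```

`reply_matches_control_peer` returns False for a reply like the one in the first post, where the server advertises its LAN address to a client that connected to the router's WAN address.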
