CPUG: The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
We're running CheckPoint NGX HFA02. We have a server that external folks connect to over non-standard FTP port 10021. All works fine. All sessions come through a VPN connection (SecureClient or site-to-site VPN). One site cannot do 10021, for whatever reason, and asked that we perform NAT so that they can do straight FTP and we xlate the service from FTP to 10021 at the firewall. It works, and the site can log in to the server, but any command (dir, ls, ...) gives "425 Can't build data connection: Connection timed out". The site tried passive mode but that didn't work either. Any ideas?

When you created your protocol object for this port, did you go under advanced and change the protocol type to FTP? Be sure to do this, as FTP requires special INSPECT rules. DG

Yes, the protocol was set to FTP in the advanced settings of the 10021 service object. It's working fine for folks who connect over this port, but it isn't working when folks connect with FTP and then the firewall NATs FTP to 10021.

Ok, again, silly question here, any chance that you need an outbound NAT rule for his particular IP/Range, and be sure it's placed BEFORE the 10021 port rule, so that you can be sure that the outbound packet is excluded from the blanket ANY translation? e.g.:

| Original source | Original dest | Original port | Translated source | Translated dest | Translated port |
|---|---|---|---|---|---|
| problem_ip | EXT_ftpsvr | ftp | orig | INT_ftpsvr | 10021 |
| INT_ftpsvr | problem_ip | 10021 | EXT_ftpsvr | orig | ftp |
| orig | EXT_ftpsvr | 10021 | orig | INT_ftpsvr | orig |
| INT_ftpsvr | orig | 10021 | EXT_ftpsvr | ANY | orig |

I know, this should be stateful, but it might warrant a look since it's a complex TCP type protocol.

Could be; this is an "extended passive" problem. Some clients first try to make an EPSV for data connections. Checkpoint does not support this, so the packet will be dropped. (By the way, does anybody know a solution for this?) If the client first toggles EPSV, all should go well.

Yes, I think it is! At least I have the problem with the EPSV command, which is not recognised, so fw1 is unable to know on which port the data connection will occur (on NGX R60 HFA03). Does anybody know if it is recognised in a more recent version?

So, according to a Check Point engineer, the solution would be to disable the EPSV command for the FTP protocol in CP. Not tried yet, but it makes sense :)
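As an added illustration, not code from this thread or from Check Point: the control-channel parsing a stateful FTP inspector must do before it can open the data pinhole, showing why a 229 EPSV reply yields nothing to an inspector that only understands 227 PASV, and why the address embedded in a PASV reply has to be rewritten when the server is NATed. The reply strings, addresses and the `understands_epsv` switch are constructed.

```python
"""Constructed example: how a stateful FTP inspector learns the data port.

A 227 PASV reply embeds address and port in RFC 959 syntax; a 229 EPSV
reply (RFC 2428) uses a different grammar and carries only the port.
An inspector that parses only 227 learns nothing from 229, opens no
pinhole, and the client sees "425 Can't build data connection".
"""
import re
from typing import Optional, Tuple

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"229 .*?\(\|\|\|(\d+)\|\)")


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from a 227 reply, or None if it is not one."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_epsv(reply: str, control_peer_ip: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from a 229 reply; EPSV reuses the control peer's address."""
    m = EPSV_RE.search(reply)
    if not m:
        return None
    return control_peer_ip, int(m.group(1))


def data_pinhole(reply: str, control_peer_ip: str, understands_epsv: bool):
    """Endpoint the inspector would allow for the data connection, or None
    (no pinhole, so the client's data connection is dropped)."""
    ep = parse_pasv(reply)
    if ep is None and understands_epsv:
        ep = parse_epsv(reply, control_peer_ip)
    return ep


def rewrite_pasv(reply: str, translated_ip: str) -> str:
    """Rewrite the address in a 227 reply for a NATed server; the port is kept."""
    ep = parse_pasv(reply)
    if ep is None:
        return reply
    port = ep[1]
    octets = translated_ip.replace(".", ",")
    return PASV_RE.sub(f"227 Entering Passive Mode ({octets},{port // 256},{port % 256})", reply)


# Constructed sample replies in RFC 959 / RFC 2428 syntax (TEST-NET addresses).
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)\r\n"
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50000|)\r\n"
```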