Unable to connect to FTP server on local LAN from any device behind a RED.

Hello all,

Am I missing something simple? No matter which of the 5 REDs we have, any client behind them can't connect to the FTP server (port 21) on the main subnet.

I've tried several FTP programs (currently favouring WinSCP) and they all "time out". I've checked the Firewall logs and nothing is being blocked or dropped.

I can FTP from any client on the main/local/same subnet 10.20.X.X ==> 10.20.X.Y (ftp server), but trying from say 10.10.X.X ==> 10.20.X.Y just times out.

SSH (port 22) works, but FTP is no bueno.



  • Did you double-check that the old-fashioned FTP server is generally (e.g. locally, same subnet) functional?

    Is it pingable?

    Is the working SSH service on the same machine as the non-working FTP service?

    You may need to add this subnet in the RED's networks as well... just a guess.

  • Where do we add the subnets in the RED config?

    Here are the Wireshark capture snippets from a same-subnet client and a failed-subnet client:

    Same subnet (works)

    Behind RED (failed)

    Are there other logs that I should be checking?

  • This feels like a problem with the firewall on the server, Dave.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob, pleasure as always to see you on here! I was thinking the same; however, in testing with other FTP server connections, typically the software returns a connection REFUSED/REJECTED and not a time-out.

    Again, pardon my newbness, but is there a way to either proxy, masquerade or segment out a range of the 10.7X.X.X network to appear to come from the 10.2X.X.X network?

    I'm also going to run a test by VPNing in, and seeing if that too causes the same issue.

  • Have you tried an SNAT, Dave?

    Cheers - Bob

  • Yes:
    The only question I have is: for "Change the source to:", I used one of our local DNS servers. Should it be something else?

  • New source should be "Internal (Address)" or an Additional Address on that interface. The response has to come back to the UTM so that the connection tracker can forward it back to the correct IP behind the RED.

    If this works, it's solid proof that the problem is the firewall on the FTP server.

    Cheers - Bob

  • Bob, you're the best! I swapped the "Change the source to" to LocalLan (Address) and in like Flynn!
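Two points in this thread are worth being able to check mechanically: Dave's observation that a REFUSED reply and a silent time-out are different symptoms, and Bob's point that the server's reply has to come back through the UTM for the connection tracker to hand it to the client behind the RED. The following Python script is an added example, not from this thread or from Sophos; it classifies a TCP connect attempt to one port as open, refused, timed out or unreachable, probes several ports on the same host so that the "SSH answers but FTP is silent" pattern shows up side by side, and includes a constructed loopback-only demo (`local_demo`) so it runs without the thread's network. The host address, ports, function names and verdict strings are the example's own assumptions.

```python
import errno
import socket
import threading
from typing import Dict, Iterable, Literal

Outcome = Literal["open", "refused", "timeout", "unreachable", "error"]


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> Outcome:
    """Attempt one TCP connect and classify what came back.

    "open"        the three-way handshake completed
    "refused"     a RST came back: the host is up and something on it answered
                  (closed port, or a host firewall configured to REJECT)
    "timeout"     nothing came back within `timeout` seconds: the SYN or the
                  SYN/ACK was dropped, or the reply took a path that never
                  reached the client (what the SNAT to the UTM's own address
                  in the thread above works around)
    "unreachable" the local stack had no route to the host at all
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable"
        return "error"
    finally:
        sock.close()


def probe_ports(host: str, ports: Iterable[int], timeout: float = 3.0) -> Dict[int, Outcome]:
    """Probe several ports on the same host, e.g. 21 and 22 as in the thread."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def interpret(results: Dict[int, Outcome]) -> str:
    """Reduce per-port outcomes to the distinction argued in the thread (assumed labels)."""
    outcomes = set(results.values())
    if "open" in outcomes and "timeout" in outcomes:
        # The host clearly answers on some ports, so the silent port is not a
        # dead host or a missing route: its SYNs are being dropped (a host
        # firewall DROP rule) or its replies never make it back to the client.
        return "selective-silence"
    if outcomes <= {"refused", "open"}:
        return "host-answering"
    if outcomes <= {"timeout", "unreachable"}:
        return "host-silent"
    return "mixed"


def local_demo(timeout: float = 2.0) -> Dict[str, Outcome]:
    """Constructed loopback-only demonstration; needs no real network."""
    # A listening socket on an ephemeral port should classify as "open".
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    def accept_once() -> None:
        try:
            conn, _ = listener.accept()
            conn.close()
        except OSError:
            pass

    worker = threading.Thread(target=accept_once, daemon=True)
    worker.start()

    # A port we bound and immediately released: nothing listens there, so the
    # kernel answers the SYN with a RST and the probe should say "refused".
    scratch = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    scratch.bind(("127.0.0.1", 0))
    closed_port = scratch.getsockname()[1]
    scratch.close()

    results = {
        "listening": probe_tcp("127.0.0.1", open_port, timeout),
        "closed": probe_tcp("127.0.0.1", closed_port, timeout),
    }
    listener.close()
    worker.join(timeout)
    return results


if __name__ == "__main__":
    import sys

    # Usage: python probe.py <ftp-server-ip> [port ...]; defaults are assumptions.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    wanted = [int(p) for p in sys.argv[2:]] or [21, 22]
    outcome_by_port = probe_ports(target, wanted)
    for port, outcome in sorted(outcome_by_port.items()):
        print(f"{target}:{port} -> {outcome}")
    print("verdict:", interpret(outcome_by_port))
```

Run it from a client behind the RED against the FTP server's address with ports 21 and 22 and the verdict line gives the same distinction Dave and Bob argue over: "host-answering" with a "refused" on 21 means the server's stack replied and the client saw it, while "selective-silence" (22 open, 21 timed out from the same client) means the SYNs to 21 are either dropped on the server or answered on a path that never returns through the UTM, which is exactly the case the SNAT to "Internal (Address)" resolves. A "timeout" is read without a timeout value, so keep the `timeout` argument short on a LAN; a 3-second silence on a subnet where SSH answers instantly is already informative.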