Static NAT, Proxy, Reverse?

Hello, I have a Watchguard Firebox T30 at a doctor's office. It works great but they tell me that they have not been able to send documents to a specific ftp site since I changed to it from their old Cisco Router that was installed by another company years ago. I know how to configure static NAT on a Watchguard but this is in reverse. Let me explain. The specialized software on the internal server opens up ports 1116-1120 for sending documents out to an external ftp server at port 21. So I have tried creating a custom policy to port 21 and then a static NAT to the internal IP of 192.168.43.252 port 1116. If I just ftp to the external address on port 21 it works fine from my laptop or any other computer on the network but as you can tell they are using different ports on the server.
I have tried just 1 specific port at the moment. So if I create a policy with the ip address of x.x.x.x (this is the address of the ftp server) as an external "host" in the "From" field and a Static NAT from External to Internal ip of 192.168.43.252 port 1116 in the "To" field will this translate both ways? Is the ftp proxy that is enabled on the router by default blocking the connection? I tried this and it failed. I did not disable the default "ftp proxy". The sad thing is that the server only sends this out once a month and no one knows how to activate it on the server to run a test. So this makes it really hard.This will not happen again until the end of this month.

Comments

  • "The specialized software on the internal server opens up ports 1116-1120 for sending documents out to an external ftp server at port 21."

    This suggests that you don't need to add an incoming SNAT policy for this to work.
    All you should need is at best is an outgoing FTP filter or proxy, and perhaps TCP ports 1116-1120 to be open. If you have the default Outgoing policy in your config, then TCP ports 1116-1120 should be allowed by it.
    However, your understanding of how these FTPs work may not be fully correct - and this the solution may be different.

    For debugging, you should set up a specific outgoing FTP proxy From: & To: the desired IP addrs, and then on the General tab, select Override the diagnostic log level, and set it to Information.

    Also consider opening a support incident to see if a support rep has any other suggestions to help resolve this.


    Background: There are 2 types of FTP - active & passive.

    In the active mode, the client starts listening on a random port for incoming data connections from the server (the client sends the FTP command PORT to inform the server on which port it is listening).
    The FTP proxy should see the PORT command from the FTP client and dynamically open the port specified in the port command.

    In the passive mode, the client uses the control connection to send a PASV command to the server and then receives a server IP address and server port number from the server, which the client then uses to open a data connection to the server IP address and server port number received.

  • Well you are right in one sense. I do not know how this ftp operates. I found out that the Medical Software company does not even know. I have asked for the phone number of the company that installed the server where I could get educated on this and I have not received it yet. As for the opened ports. Yes, I have created an ftp proxy and just opened the ports before and somehow I guess it gets lost when it translates from the 1116-1120 to 21. I have asked if this was a passive ftp or an active ftp. One support person at the Software company told me that it was Active and another told me is was Passive. One other support person also told me to open ports 1100-1105. I can never get a straight answer. What makes it really hard is that I do not know the software and they cannot just start a test where I can try some things. It only starts once a month. I am just about at the point as to just open up all of the ports going to this server. Maybe that will get their attention and I can get some straight answers. As for the SNAT. I was just "grasping at straws". They are just a client and are an hour away so I cannot just "drive down there" at will and try something when I have other clients that I take care of.

  • I may be wrong, but my reading of your problem of "have not been able to send documents to a specific ftp site" means the issue is all to do with outbound ports from your doctor's office going to the FTP site.

    If that FTP server has a static WAN IP, you could setup a packet filter with Any protocol going From the LAN IP of your doctor's device with that software on it, and To the WAN IP of the FTP server. That way, it can use whatever ports it needs. You should not need SNAT at all because it's all outbound from their office to an external location.

    If you know when it's going to do it, you can watch live FSM Traffic Monitor data to see what happens. You also may be able to see it in Dimension if you have that logging.

    Gregg

    Gregg Hill

  • @GreggHill said:
    I may be wrong, but my reading of your problem of "have not been able to send documents to a specific ftp site" means the issue is all to do with outbound ports from your doctor's office going to the FTP site.

    If that FTP server has a static WAN IP, you could setup a packet filter with Any protocol going From the LAN IP of your doctor's device with that software on it, and To the WAN IP of the FTP server. That way, it can use whatever ports it needs. You should not need SNAT at all because it's all outbound from their office to an external location.

    If you know when it's going to do it, you can watch live FSM Traffic Monitor data to see what happens. You also may be able to see it in Dimension if you have that logging.

    Gregg

    They are telling me that this is a passive ftp connection and has to communicate back with the server which does not make any sense. I can ftp to port 21 and and it opens up a ftp session and I can log in. I thought that I tried what you suggested. I will try it again. If it doesn't work then I am going to create an inbound rule and an outbound rule with the hosts and ports and see what happens.

  • From my post above:

    "In the passive mode, the client uses the control connection to send a PASV command to the server and then receives a server IP address and server port number from the server, which the client then uses to open a data connection to the server IP address and server port number received."

    Which seems to match with with:
    "They are telling me that this is a passive ftp connection and has to communicate back with the server"

    The FTP proxy should see the PASV and the response and dynamically open the needed inbound port for the FTP session.

    With your test FTP client, what to the client logs show for the session ?

Sign In to comment.