Passive Connections May Fail Through a NAT-Based Firewall to IIS 6.0 and older FTP Server

Passive-mode FTP is sometimes referred to as “server-managed”, because after the client issues a PASV command, the server responds to that PASV instruction with one of its ephemeral ports that will be used as the server-side port of the data connection. With that information, the client then makes a new connection to that port on the server and starts the data transfer.

Example: Frames seen in a network trace

Note: Client and server are on the same subnet in this example.

Client’s request for passive mode:

Source        Dstn           Protocol            Desc       FTP                 Request: PASV

Server’s response to PASV Request:

Source        Dstn           Protocol            Desc       FTP                 Response: 227 Entering Passive Mode (10,0,0,1,8,7).

FTP Header:
    File Transfer Protocol (FTP)
    227, Entering Passive Mode <h1,h2,h3,h4,p1,p2>
    227 Entering Passive Mode (10,0,0,1,8,7).\r\n
    Response code: Entering Passive Mode (227)
    Response arg: Entering Passive Mode (10,0,0,1,8,7).
    Passive IP address: (
    Passive port: 2055

Client opens a new connection with the server on the port 2055 as requested by the server:

Source         Dstn         Protocol            Desc     TCP                 1122 > 2055 [SYN] Seq=0 Win=8192 Len=0 MSS=1460

TCP Header:
    Transmission Control Protocol, Src Port: 1122, Dst Port: 2055, Seq: 0, Len: 0

However, you are likely to encounter problems when you use FTP over the Internet to an FTP server that is behind a Network Boundary Securing Device (NBSD) such as a proxy, firewall, or Network Address Translation (NAT) device. In most cases, the NBSD allows the control connection to be established over TCP 21 (that is, the user can successfully log on to the FTP server). However, when the user attempts a data transfer such as DIR, LS, GET, or PUT, the FTP client appears to stop responding because the server's PASV response (the Passive IP address field) contains the internal IP address of the FTP server. The client's existing connection is with the NATed IP address of the FTP server, and the client is not aware of the internal address.

The client will not attempt to open a data connection if the IP address specified in the “Passive IP address” field is not the same as the IP address to which the client is connected for the control connection. It simply starts the process all over again and connects to the NATed IP address of the server on port 21, and so on.

When the client receives a PASV response command from the server, it tries to open a new connection for the data channel, and the firewall should create a dynamic temporary rule to allow that new connection on the port that was specified in the PASV response command.

In other words, the firewall probes the application layer of the control channel data and reads the requests and responses to determine what TCP ports the server is using for data connections.

As seen in the example above, when a client requests a passive FTP connection by sending the PASV Request command, the FTP server responds positively with a string like “227 Entering Passive Mode h1,h2,h3,h4,p1,p2”, instructing the client to initiate a TCP connection to IP address h1,h2,h3,h4 on port p1,p2. The firewall monitors this string and creates a dynamic rule allowing an inbound TCP connection from the client to the server on the specified port. Once the data transfer is over, the firewall will erase the temporary rule that it created for the data channel.

Make sure your firewall is capable of the following:

  • It should be an application aware firewall, which can inspect the content of the packet and allow/block a request based on the content.
  • It should be a stateful firewall, which can watch the traffic and keep track of open sessions in the state table and intelligently associate new connections with these states when required.
  • It should modify the PASV response packet from the server with the NATed IP address of the FTP server before passing the packet to the client.
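
The 227 parsing and the address rewrite from the last bullet, as an added example that is not part of the original article or of any firewall product: it parses the reply from the trace, applies the client-side address check described above, and rewrites the reply the way an FTP-aware NAT firewall would. The public address 203.0.113.10 and all function names are assumptions made for the illustration.

```python
import ipaddress
import re

# 227 reply as on the wire: free text, then (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(rb"^227 [^\r\n]*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),"
                     rb"(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

REPLY = b"227 Entering Passive Mode (10,0,0,1,8,7).\r\n"  # reply from the trace
PUBLIC_IP = "203.0.113.10"  # constructed NATed address (documentation range)


def parse_pasv(line: bytes):
    """Return (IPv4Address, port) for a 227 reply, or None for any other line."""
    m = PASV_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("227 reply field out of range")
    return ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2


def client_would_connect(line: bytes, control_peer: str) -> bool:
    """Client rule described in the article: open the data connection only
    when the advertised address equals the control-connection address."""
    parsed = parse_pasv(line)
    return parsed is not None and parsed[0] == ipaddress.IPv4Address(control_peer)


def rewrite_pasv(line: bytes, public_ip: str):
    """Swap the internal address for the NATed one and return the port that
    needs a temporary inbound rule. The payload length can change, so a real
    firewall also has to adjust TCP sequence numbers for the rest of the session."""
    parsed = parse_pasv(line)
    if parsed is None:
        return line, None  # not a 227 reply: pass through untouched
    m = PASV_RE.match(line)
    addr = str(ipaddress.IPv4Address(public_ip)).replace(".", ",").encode()
    return line[:m.start(1)] + addr + line[m.end(4):], parsed[1]


if __name__ == "__main__":
    print(parse_pasv(REPLY), client_would_connect(REPLY, PUBLIC_IP))
    fixed, port = rewrite_pasv(REPLY, PUBLIC_IP)
    print(fixed, port, client_would_connect(fixed, PUBLIC_IP))
```

Run against a captured control channel, a reply for which client_would_connect is false is the signature of a firewall that forwarded the PASV response without rewriting it.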

IIS 7.0 for Windows Server 2008 has a new feature that allows you to configure it with information about the firewall the server is behind. Check out to learn about IIS 7.0.

For information on configuring the FTP passive port range in IIS 5.0 or 6.0, please see KB 555022. It is also discussed on the following Windows Server 2003 TechCenter page: Configuring FTP Site Properties (IIS 6.0).

– Arun Kumar (P)