
FTP bind to one IP address [Answered]

12 replies

Last post Apr 23, 2009 10:38 PM by wraptur

  • FTP bind to one IP address

    Jan 06, 2009 12:51 PM|imprezacs

    I have a server with 5 IP addresses and have FTP binding to one of them. This all works fine except when a user connects using passive FTP. The server sends a passive connection from the server's default IP address rather than the FTP address, so it doesn't get through the client firewall.

    How can I change the default address used for passive connections?



  • Re: FTP bind to one IP address

    Jan 06, 2009 01:09 PM|JaroDunajsky

    Are you saying that the IP address returned in response to PASV command is different from the IP address of control connection? What is the IIS version you are using?

    Jaroslav Dunajsky (MSFT, IIS)
  • Re: FTP bind to one IP address

    Jan 07, 2009 03:35 AM|imprezacs

    We are using IIS 6 on Windows 2003 Server. This is a transcript of an FTP session which shows the session connects to the 213 address OK, but as soon as I switch to passive mode, the 94 address opens the session. This doesn't get back to a client behind a firewall.

    C:\>ftp 213.***.***.220
    Connected to 213.***.***.220.
    220-Microsoft FTP Service
    User (213.***.***.220:(none)): XXX
    331 Password required for XXX.
    230 User XXX logged in.
    ftp> literal pasv
    227 Entering Passive Mode (94,**,***,78,19,169).
    ftp> quit

    Any help would be appreciated.

  • Re: FTP bind to one IP address

    Jan 08, 2009 02:07 AM|JaroDunajsky

    What is the actual server IP address logged in the FTP log file for the control connection? It is not logged by default, but you can enable it in the UI. Does it show up as 213.*?
    So your site is only set up with the 213.X.X.X:21 binding?

    I don't have IIS6 server with multiple IP addresses handy to test but I quickly scanned the code and it is using the control channel local address to setup the listener.

    Jaroslav Dunajsky (MSFT, IIS)
  • Re: FTP bind to one IP address

    Jan 08, 2009 03:34 AM|imprezacs

    Here is a segment from the log file after enabling server ip logging:

    #Fields: time c-ip s-ip cs-method cs-uri-stem sc-status sc-win32-status
    08:28:46 213.*.*.220 [421]USER XXX 331 0
    08:28:48 213.*.*.220 [421]PASS - 230 0
    08:28:52 213.*.*.220 [421]QUIT - 226 0

    entered passive mode here...

    08:32:01 213.*.*.220 [423]sent /ftproot.txt 226 0

    As you can see it shows the 213 address. However, when I move to passive mode it actually uses the 94 address, even though the log shows that the file was sent from the 213 address.

    It is driving me crazy.

  • Re: FTP bind to one IP address

    Jan 09, 2009 01:57 AM|JaroDunajsky

    The entry reporting that file was sent references control channel. That's why the address is 213.*.*.220.

    And if you run
     netstat -a

    from command line, you should see the listening endpoint. Does that also show that FTP is listening on 94.*.*.* for the PASV connection?

    Jaroslav Dunajsky (MSFT, IIS)
  • Re: FTP bind to one IP address

    Jan 09, 2009 03:35 AM|imprezacs

    No, netstat just shows the 213 address as listening on port 21.

    I'm obviously not the only one who is baffled then!

  • Re: FTP bind to one IP address

    Jan 09, 2009 03:44 AM|JaroDunajsky

    I didn't make myself clear. I wanted to know the following
    After you send the PASV command from ftp.exe (literal PASV), the server will set up one listening port to accept the data connection for the upcoming transfer. If you take the 5th parameter from the PASV response, multiply it by 256 and add the 6th parameter, you should get the listening port value on which the FTP server should be listening for some time to accept the passive data connection. I wanted to know what local IP would be used for that listening endpoint.

    Jaroslav Dunajsky (MSFT, IIS)
  • Re: FTP bind to one IP address

    Jan 09, 2009 04:35 AM|imprezacs

    This is getting more bizarre. I see what you are asking so have done some tests.

    When I make the initial FTP connection the netstat looks like this

      TCP         217.*.103.170:39515   ESTABLISHED
      TCP    213.*.*.220:21     217.*.103.170:11604   ESTABLISHED

    Now I actually do something on the connection (in active mode) and get this

      TCP         217.*.103.170:39515   ESTABLISHED
      TCP    213.*.*.220:20     217.*.103.170:39530   TIME_WAIT
      TCP    213.*.*.220:20     217.*.103.170:39535   TIME_WAIT
      TCP    213.*.*.220:21     217.*.103.170:11604   ESTABLISHED

    As expected port 20 is opened.

    When I then use the literal pasv command I see nothing else at all. There certainly is no listener on the port I get from the pasv command (it should have been 5033), and the list above still stands. We may be getting somewhere here, as the pasv command does not appear to be changing to passive mode at all. From the command line FTP I can still transfer files, but maybe it isn't using passive mode to do so, whereas IE is trying to but the server isn't listening.

    I tried this on another server and the listener starts up on its IP address using the port as expected. I'm very confused but feel something is not right on this server.

  • Re: FTP bind to one IP address

    Jan 09, 2009 04:52 AM|imprezacs

    I have now found the reason, but still need a solution!!

    The server has Windows Firewall enabled, but with the FTP Server allowed access using the Advanced Firewall Settings and allowing FTP server through. When I turn off the firewall, the FTP server behaves normally. I have tried changing the IP address of the listening server as defined in the firewall settings, and it makes no difference. It seems that the only way for it to work correctly is without the Windows Firewall enabled, which seems absurd.

    Has anyone any idea how to make the firewall behave correctly?

  • Re: FTP bind to one IP address

    Jan 09, 2009 12:51 PM|JaroDunajsky

    Regarding the netstat command: you have to use the "-a" switch to see the listeners.

    StatefulFtp with Windows Firewall would allow you to automatically open the ports needed for the passive connections, so they would do packet inspection. But I don't think that Windows Firewall does rewriting of the IP addresses from private to public.

    First of all, let's see what the "netstat -a" command reports after the "literal PASV" is sent from the client. That should move us one step forward.

    Jaroslav Dunajsky (MSFT, IIS)
  • Re: FTP bind to one IP address

    Jan 10, 2009 06:02 AM|imprezacs

    I did netstat -an (so it didn't resolve addresses) and there was no listener on the specified port until I turned off the firewall. That is the problem as I now see it. With the firewall on, the listener fails to start.
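The two checks Jaroslav asks for in this exchange (the PASV port arithmetic p1*256 + p2, and whether a listener actually exists on the advertised address:port) can be scripted so the symptom is measured rather than eyeballed. The script below is an added example for this thread, not code from the forum posts or from IIS. The PASV reply and the two netstat -an captures are constructed with RFC 5737 documentation addresses (203.0.113.220 standing in for the site's 213.* binding, 198.51.100.78 for the unwanted 94.* default address); the port 5033 is the one imprezacs computed. The probe_live function is the same check against a real server and assumes you have a host, a user and a password you are allowed to test with; it is not exercised by the offline sample. Two client caveats worth knowing when reproducing this: Windows ftp.exe has no passive-mode support at all (literal PASV sends the command, but transfers still use PORT), which is why command-line transfers in the thread keep working while a browser in passive mode fails; and recent Python versions make ftplib ignore the address in an IPv4 PASV reply by default (trust_server_pasv_ipv4_address is False), so the probe parses the reply itself instead of relying on ftplib's data connection.

```python
"""Diagnose an FTP server whose PASV reply advertises the wrong address.

Added example for the IIS.NET thread; not code from the posts or from IIS.
Sample reply and netstat output are constructed (RFC 5737 addresses).
"""
from __future__ import annotations

import re
import socket
from ftplib import FTP

# RFC 959 reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (ip, port) from a 227 reply; the data port is p1 * 256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def pasv_matches_control(control_ip: str, reply: str) -> bool:
    """True when the advertised data address equals the control-connection address."""
    return parse_pasv(reply)[0] == control_ip


def listener_present(netstat_output: str, ip: str, port: int) -> bool:
    """Scan Windows `netstat -an` output (Proto, Local, Foreign, State columns)
    for a TCP socket in LISTENING state on ip:port or on the wildcard 0.0.0.0:port."""
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            if parts[1] in (f"{ip}:{port}", f"0.0.0.0:{port}"):
                return True
    return False


def diagnose(control_ip: str, reply: str, netstat_output: str) -> list[str]:
    """Return the list of problems found; an empty list means PASV looks healthy."""
    findings = []
    ip, port = parse_pasv(reply)
    if ip != control_ip:
        findings.append(f"PASV advertises {ip} but control connection is on {control_ip}")
    if not listener_present(netstat_output, ip, port):
        findings.append(f"no LISTENING socket on {ip}:{port} for the data connection")
    return findings


# Constructed sample data: the site is bound to 203.0.113.220, the machine's
# default address is 198.51.100.78, and a client at 192.0.2.170 is logged in.
CONTROL_IP = "203.0.113.220"
BAD_REPLY = "227 Entering Passive Mode (198,51,100,78,19,169)."   # wrong (default) address
GOOD_REPLY = "227 Entering Passive Mode (203,0,113,220,19,169)."  # bound address, port 5033

NETSTAT_FIREWALL_ON = (
    "  TCP    203.0.113.220:21       0.0.0.0:0              LISTENING\n"
    "  TCP    203.0.113.220:21       192.0.2.170:11604      ESTABLISHED\n"
)
NETSTAT_FIREWALL_OFF = NETSTAT_FIREWALL_ON + (
    "  TCP    203.0.113.220:5033     0.0.0.0:0              LISTENING\n"
)


def probe_live(host: str, user: str, password: str, timeout: float = 10.0) -> dict:
    """Against a real server (hypothetical credentials supplied by the caller):
    log in, send PASV, and try to open the advertised data endpoint."""
    ftp = FTP()
    ftp.connect(host, 21, timeout=timeout)
    ftp.login(user, password)
    control_ip = ftp.sock.getpeername()[0]
    ip, port = parse_pasv(ftp.sendcmd("PASV"))
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            reachable = True
    except OSError:
        reachable = False
    finally:
        ftp.quit()
    return {"control_ip": control_ip, "pasv_ip": ip, "pasv_port": port,
            "data_reachable": reachable, "address_matches": ip == control_ip}


if __name__ == "__main__":
    for label, reply, ns in (("firewall on", GOOD_REPLY, NETSTAT_FIREWALL_ON),
                             ("firewall off", GOOD_REPLY, NETSTAT_FIREWALL_OFF),
                             ("wrong address", BAD_REPLY, NETSTAT_FIREWALL_OFF)):
        print(label, "->", diagnose(CONTROL_IP, reply, ns) or "ok")
```

Run diagnose against the real PASV reply and a fresh `netstat -an` taken right after sending `literal PASV` (the listener is short-lived, so capture it within a few seconds); an address mismatch points at the problem the thread opens with, while "no LISTENING socket" with a correct address is the firewall symptom imprezacs found. For a server you can reach, probe_live gives the same verdict end to end, including whether the data port is actually connectable from the client side.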

  • FTP passive mode doesn't work externally because passing internal IP

    Apr 23, 2009 10:38 PM|wraptur

     I just posted in another area of this forum (http://forums.iis.net/p/1157128/1901692.aspx#1901692), but I think this is the right place to post since I have a similar problem.

    I have verified it is using the right ports and that the firewall is allowing those ports. Internally passive mode works, but externally login works and then, as soon as I do a dir/ls and it tries to go to passive mode, the connection dies. It looks like IIS 6 is sending the internal IP, which would of course not route externally. I have tried adding the external IP to the NIC as a secondary IP and setting the IIS 6 settings for the FTP site to the external IP, hoping it would pass that in the return command, but no dice. Is there not a place to enter this reply-to IP, or masquerade IP, like the IIS 7 firewall external IP support?


