help setting up a SFTP between two NAT sites

Red Squirrel

No Lifer
May 24, 2003
www.anyf.ca
I'm trying to make this work but it keeps failing at the data connection. It makes it all the way to LIST then goes to:

error: Can't establish SSL connection
error: Could not retrieve directory listing
150 connection accepted
response: 226 transfer OK


I tried using active as well as passive mode. The FTP server is FileZilla and is set to listen on port 990 and I also forced the data range to be only port 991. Both of those ports are forwarded on the NAT firewall. The client is also behind a NAT.

Note that this is SFTP and not FTP over SSH. Everything I google just talks about SSH.
 

mcmilljb

Platinum Member
May 17, 2005
Originally posted by: RedSquirrel
I'm trying to make this work but it keeps failing at the data connection. It makes it all the way to LIST then goes to:

error: Can't establish SSL connection
error: Could not retrieve directory listing
150 connection accepted
response: 226 transfer OK


I tried using active as well as passive mode. The FTP server is FileZilla and is set to listen on port 990 and I also forced the data range to be only port 991. Both of those ports are forwarded on the NAT firewall. The client is also behind a NAT.

Note that this is SFTP and not FTP over SSH. Everything I google just talks about SSH.

Because it's SSH FTP.

My first guess would be to look at any possible problems with establishing a SSL connection. Maybe there are NAT issues with it. Also there may be NAT issues with FTP which prevent the SSL connection from completing. I would work my way from SSL to FTP while looking for any possible negative interactions with NAT. Good luck.

Take a look at FileZilla's network configuration wiki. It might help you understand the process better.
 

spidey07

No Lifer
Aug 4, 2000
That's definitely NAT doing that (your control channel works, but not the data channel). If you google "ftp and nat" you should get some good info.

You could try doing straight NAT and forwarding at the IP layer to the server and client on the respective routers (some call this DMZ). But my guess is the server is responding with its private IP address in the application layer and that's causing the problem. Since it's secure I don't know if you can get the router to do what it needs to replace that with its "real" IP address.
 

Red Squirrel

No Lifer
May 24, 2003
www.anyf.ca
Originally posted by: spidey07
That's definitely NAT doing that (your control channel works, but not the data channel). If you google "ftp and nat" you should get some good info.

You could try doing straight NAT and forwarding at the IP layer to the server and client on the respective routers (some call this DMZ). But my guess is the server is responding with its private IP address in the application layer and that's causing the problem. Since it's secure I don't know if you can get the router to do what it needs to replace that with its "real" IP address.

There's an option in the server (FileZilla) to advertise its external IP which I added, so it's not that. There's also an option to set a port range for passive mode, which I specified only one port, so both ports are open in the firewall.

This is all TCP right, no UDP involved?

My 2nd option is to just use SSH FTP but I don't think there's any decent ones for Windows. That's normally something in Linux.
 

spidey07

No Lifer
Aug 4, 2000
Your best bet is to download Wireshark and get a packet capture on both ends, that will tell you exactly what is going on.
 

Red Squirrel

No Lifer
May 24, 2003
www.anyf.ca
Originally posted by: spidey07
Your best bet is to download Wireshark and get a packet capture on both ends, that will tell you exactly what is going on.

Tried that internally (don't have access to the external portion) and it only hits ports 990 and 991 which are both forwarded, so yeah it's weird. We even tried to forward ALL ports to that server for testing, no go, changed it back for security reasons.

Is there maybe a FileZilla specific option I should be setting? I'm thinking it's more of a software issue than a network issue.
 

mcmilljb

Platinum Member
May 17, 2005
Originally posted by: RedSquirrel
Originally posted by: spidey07
That's definitely NAT doing that (your control channel works, but not the data channel). If you google "ftp and nat" you should get some good info.

You could try doing straight NAT and forwarding at the IP layer to the server and client on the respective routers (some call this DMZ). But my guess is the server is responding with its private IP address in the application layer and that's causing the problem. Since it's secure I don't know if you can get the router to do what it needs to replace that with its "real" IP address.

There's an option in the server (FileZilla) to advertise its external IP which I added, so it's not that. There's also an option to set a port range for passive mode, which I specified only one port, so both ports are open in the firewall.

This is all TCP right, no UDP involved?

My 2nd option is to just use SSH FTP but I don't think there's any decent ones for Windows. That's normally something in Linux.

Yes, it's all TCP. FileZilla says "Due to the nature of TCP (the underlaying transport protocol), a port cannot be reused immediately after each connection. Hence the range of ports should not be too small or transfers of multiple small files can fail. A range of 50 ports should be sufficient in most cases." - link

Their wiki discusses NAT and routing issues, I would spend some time reading through it to see which issues you're running into.
 

ccbadd

Senior member
Jan 19, 2004
Originally posted by: mcmilljb
Originally posted by: RedSquirrel
I'm trying to make this work but it keeps failing at the data connection. It makes it all the way to LIST then goes to:

error: Can't establish SSL connection
error: Could not retrieve directory listing
150 connection accepted
response: 226 transfer OK


I tried using active as well as passive mode. The FTP server is FileZilla and is set to listen on port 990 and I also forced the data range to be only port 991. Both of those ports are forwarded on the NAT firewall. The client is also behind a NAT.

Note that this is SFTP and not FTP over SSH. Everything I google just talks about SSH.

Because it's SSH FTP.

My first guess would be to look at any possible problems with establishing a SSL connection. Maybe there are NAT issues with it. Also there may be NAT issues with FTP which prevent the SSL connection from completing. I would work my way from SSL to FTP while looking for any possible negative interactions with NAT. Good luck.

Take a look at FileZilla's network configuration wiki. It might help you understand the process better.

sftp is not SSH FTP. It is a protocol similar to scp and uses only one port (the SSH port, typically 22) and works fine across NAT. I typically use OpenSSH on a Linux server, but I would bet the problem is with SSL, probably a certificate. None of the ftp troubleshooting will help regardless.
 

mcmilljb

Platinum Member
May 17, 2005
Originally posted by: ccbadd
Originally posted by: mcmilljb
Originally posted by: RedSquirrel
I'm trying to make this work but it keeps failing at the data connection. It makes it all the way to LIST then goes to:

error: Can't establish SSL connection
error: Could not retrieve directory listing
150 connection accepted
response: 226 transfer OK


I tried using active as well as passive mode. The FTP server is FileZilla and is set to listen on port 990 and I also forced the data range to be only port 991. Both of those ports are forwarded on the NAT firewall. The client is also behind a NAT.

Note that this is SFTP and not FTP over SSH. Everything I google just talks about SSH.

Because it's SSH FTP.

My first guess would be to look at any possible problems with establishing a SSL connection. Maybe there are NAT issues with it. Also there may be NAT issues with FTP which prevent the SSL connection from completing. I would work my way from SSL to FTP while looking for any possible negative interactions with NAT. Good luck.

Take a look at FileZilla's network configuration wiki. It might help you understand the process better.

sftp is not SSH FTP. It is a protocol similar to scp and uses only one port (the SSH port, typically 22) and works fine across NAT. I typically use OpenSSH on a Linux server, but I would bet the problem is with SSL, probably a certificate. None of the ftp troubleshooting will help regardless.

FileZilla specifically refers to SFTP as SSH FTP. It refers to FTP over SSL/TLS as FTPS. If you're going to use their software, you might want to refer to it as they do. Google agrees that SFTP is SSH FTP. IETF calls SSH FTP "SFTP". Here's an RFC about it. On page 3, it specifically calls it SFTP.

Yes it was a new protocol similar to scp, but its real name is SSH FTP. It can run over SSL instead of SSH, but that doesn't change its name from SSH FTP. The confusion is people think SFTP stands for Secure FTP when in fact they're looking for the SSH FTP protocol. From what I can tell, Secure FTP was used back when people were just running FTP over SSH.
 

drebo

Diamond Member
Feb 24, 2006
You guys are having a HUGE terminology meltdown.

This guy above is mostly correct. SFTP is built on SSH. What RedSquirrel is likely attempting to do is FTP over SSL. Very different.

As far as using SFTP on windows, there are a few decent servers around that will implement that. However, FTP over SSL will likely be much simpler to implement.
 

Red Squirrel

No Lifer
May 24, 2003
www.anyf.ca
Correct, it's SFTP as in SSL FTP not SSH FTP that I'm using. SSH is simple as there are no complicated port redirects and stuff, it's a single port that has to be forwarded and it will work. I'm considering going that route but not sure if I can. (It's for an outside medical application that drops files so not sure if that app supports ssh ftp)
 

Jamsan

Senior member
Sep 21, 2003
I gave up on trying to set up FTPS (FTP over SSL) long ago. All of the larger financial organizations we deal with prefer SFTP anyways (SSH FTP).
 

ccbadd

Senior member
Jan 19, 2004
Originally posted by: mcmilljb
Originally posted by: ccbadd
Originally posted by: mcmilljb
Originally posted by: RedSquirrel
I'm trying to make this work but it keeps failing at the data connection. It makes it all the way to LIST then goes to:

error: Can't establish SSL connection
error: Could not retrieve directory listing
150 connection accepted
response: 226 transfer OK


I tried using active as well as passive mode. The FTP server is FileZilla and is set to listen on port 990 and I also forced the data range to be only port 991. Both of those ports are forwarded on the NAT firewall. The client is also behind a NAT.

Note that this is SFTP and not FTP over SSH. Everything I google just talks about SSH.

Because it's SSH FTP.

My first guess would be to look at any possible problems with establishing a SSL connection. Maybe there are NAT issues with it. Also there may be NAT issues with FTP which prevent the SSL connection from completing. I would work my way from SSL to FTP while looking for any possible negative interactions with NAT. Good luck.

Take a look at FileZilla's network configuration wiki. It might help you understand the process better.

sftp is not SSH FTP. It is a protocol similar to scp and uses only one port (the SSH port, typically 22) and works fine across NAT. I typically use OpenSSH on a Linux server, but I would bet the problem is with SSL, probably a certificate. None of the ftp troubleshooting will help regardless.

FileZilla specifically refers to SFTP as SSH FTP. It refers to FTP over SSL/TLS as FTPS. If you're going to use their software, you might want to refer to it as they do. Google agrees that SFTP is SSH FTP. IETF calls SSH FTP "SFTP". Here's an RFC about it. On page 3, it specifically calls it SFTP.

Yes it was a new protocol similar to scp, but its real name is SSH FTP. It can run over SSL instead of SSH, but that doesn't change its name from SSH FTP. The confusion is people think SFTP stands for Secure FTP when in fact they're looking for the SSH FTP protocol. From what I can tell, Secure FTP was used back when people were just running FTP over SSH.

I just wanted to reinforce that the FTP channels and NAT issues have nothing to do with sftp.
 

drebo

Diamond Member
Feb 24, 2006
It has everything to do with it if he's trying to configure FTP over SSL and then use an SFTP client to connect to it.