NAT/Firewall(?) issue with W2K3.

magnux

Platinum Member
Sep 12, 2002
2,713
0
76
I have a Windows 2003 server acting as a NAT for a few clients. Everything seems to be working aside from one thing. Users cannot FTP from client PCs. They will connect to the FTP server, but upon trying to enter a username the connection is closed:


Connected to ftp.microsoft.com.
220 Microsoft FTP Service
User (ftp.microsoft.com:(none)): ftp
Connection closed by remote host.

This happens to all remote FTP sites. However, I can ftp just fine from the server itself. Here are a few key points:

* I am using RAS/NAT
* I am not using the basic firewall
* I have no inbound/outbound filters
* I have confirmed that http and ssh are working fine.

Is there something I'm missing?
 

magnux

Originally posted by: bsobel
Have you tried passive mode from the clients?

I can't actually log in to an FTP server, hence, AFAIK passive mode would have no effect. However, just to rule out everything, yes I have tested with both active and passive mode(s).

Same effect.
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
13,346
0
0
Originally posted by: magnux
Originally posted by: bsobel
Have you tried passive mode from the clients?

I can't actually log in to an FTP server, hence, AFAIK passive mode would have no effect. However, just to rule out everything, yes I have tested with both active and passive mode(s).

Same effect.

Oops, missed that you couldn't even get to the pw. Thought maybe a port command was issued, failed, and you got disconnected. Hmm, nothing else is coming to mind right now, but let me go look and see if I can think of anything else you haven't tried.
 

magnux

Since I can FTP without fail from the server itself, my thoughts are that the problem should lie somewhere in the LAN interface, since, apparently, the WAN routing is working. (But I have been known to be wrong once or twice in my lifetime.)

It's acting like a textbook firewall issue, yet I don't have any firewalls enabled. Strange.
 

redbeard1

Diamond Member
Dec 12, 2001
3,006
0
0
If they can afford a server, why can't they afford a small router/firewall?

Having a Windows box hooked direct to the internet is just begging for it to get compromised.
 

magnux

Ugh. Still having the same problem. I'm reaching my wit's end. This is a fresh Windows 2003 Server install, too.
 

magnux

As a test, I set up an FTP server on my private network and I'm able to connect/log in to it from both inside and outside my network.

Aaaagh!
 

magnux

PROBLEM SOLVED!

For anyone else who may run into this problem, apparently there's an issue between Routing and Remote Access and the Application Layer Gateway service. Disabling the ALG service remedied the problem.
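
The distinction argued over earlier in this thread, between a drop on the control channel before login and a data-channel failure after a PORT command, shown as an added example that is not part of any post. The transcripts are constructed, and `classify` and `port_target` are hypothetical helper names.

```python
import ipaddress

# Constructed transcripts, not thread captures: "C:" client, "S:" server, "!" peer closed.
THREAD_SESSION = """S: 220 Microsoft FTP Service
C: USER ftp
!"""
ACTIVE_BEHIND_NAT = """S: 220 FTP ready
C: USER ftp
S: 331 Password required
C: PASS secret
S: 230 User logged in
C: PORT 192,168,0,10,19,137
S: 200 PORT command successful
C: LIST
S: 425 Can't open data connection"""


def port_target(arg):
    """Decode the PORT argument h1,h2,h3,h4,p1,p2 into (address, port)."""
    nums = [int(x) for x in arg.split(",")]
    if len(nums) != 6 or not all(0 <= n <= 255 for n in nums):
        raise ValueError("malformed PORT argument: " + arg)
    addr = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
    return addr, nums[4] * 256 + nums[5]


def classify(transcript):
    """Return (stage, detail) for the first failure found in a transcript."""
    logged_in, last_cmd, port_arg = False, "", None
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith("C:"):
            last_cmd = line[2:].strip()
            verb, _, arg = last_cmd.partition(" ")
            if verb.upper() == "PORT":
                port_arg = arg  # remember the address the client advertised
        elif line.startswith("S:"):
            code = line[2:].split()[0]
            logged_in = logged_in or code == "230"
            if not logged_in and code[0] in "45":
                return "control", "reply %s to %s" % (code, last_cmd)
            if code in ("425", "426") and port_arg:
                addr, port = port_target(port_arg)
                return "data", "PORT carried %s:%d (private=%s)" % (addr, port, addr.is_private)
            if code in ("425", "426"):
                return "data", "reply %s to %s" % (code, last_cmd)
        elif line == "!":
            return "control" if not logged_in else "post-login", "closed after " + (last_cmd or "connect")
    return "ok", ""
```

A "control" result before login means active versus passive mode is not yet in play; a "data" result with a private address in PORT points at address translation of the control channel instead.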
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
I don't deal with straight Windows Server 2003 much (mostly using SBS 2003). But ALL of my Servers use two NICs, deliver NAT for all my client PCs, and have either the Windows Firewall or ISA turned on. The only FTP problem I've seen is that ISA requires that you specifically enable FTP services to the clients.

The Application Layer Gateway Service is set as "Manual" startup on my SBS Servers (the Microsoft default setup).
 

magnux

Yeah, apparently, the default for 2003 Standard is for ALG to be set to Automatic. Remind me to write a thank-you letter to Mr. Gates when I get the time.. :p