The problem of FTP passive mode access

Publication Date: 2012-10-17
Issue Description
Topology:
Public PC-----USG------FTP server
Symptoms:
1. The USG is configured with a complete (all-port) NAT server mapping. When the public PC accesses the FTP server from the command line (CMD) it can download data, but when it connects with IE it can enter the user name and password and then cannot see the directory content.
2. The USG is configured with a complete mapping, the FTP server's port is changed to 2121 and detect ftp is undone in the zone. When the public PC accesses the FTP server from CMD it can download data, but when it connects with IE it can enter the user name and password and then cannot see the directory content.
Alarm Information
None.
Handling Process
1. For symptom 1: undo detect ftp in the zone.
2. For symptom 2: (1) change the IE setting so that passive mode is replaced by active mode; (2) change the NAT mapping to a port mapping: nat server pro tcp gl x.x.x.x 21 ins y.y.y.y 2121
Root Cause
The PASV and PORT modes of FTP: what distinguishes FTP from other client/server applications is that it uses two connections to the host. One carries data, the other carries control information (commands and replies); separating command transfer from data transfer improves FTP's efficiency. Throughout an FTP session the control connection stays established, while a data connection is opened for each file transfer and closed afterwards. When several files are transferred, a data connection is opened and closed several times, and each data connection uses a different port.
The following is the simplified flow of the PORT and PASV connection modes:
Port mode:
1> The client opens a short-lived port, performs the three-way handshake with port 21 of the server and establishes the control connection;
2> The client sends the login commands, the server authenticates the client's user name and password, and the client logs in successfully;
3> The client uses file management and data formatting commands to define the file type of the data transfer, the transfer mode and the content information;
4> The client sends the PORT command to the server, telling it one of the client's short-lived ports;
5> Port 20 of the server performs the three-way handshake with the client's short-lived port and establishes the data connection;
6> Data is transferred;
7> The data connection is closed;
8> The client sends QUIT to request closing the control connection, or opens another data connection to transfer another file.
Pasv mode:
1> The client opens a short-lived port, performs the three-way handshake with port 21 of the server and establishes the control connection;
2> The client sends the login commands, the server authenticates the client's user name and password, and the client logs in successfully;
3> The client uses file management and data formatting commands to define the file type of the data transfer, the transfer mode and the content information;
4> The client sends the PASV command to the server, asking the server to choose a port number and return it to the client in the reply to the PASV command;
5> The client uses a short-lived port to perform the three-way handshake with the port chosen by the server and establishes the data connection;
6> Data is transferred;
7> The data connection is closed;
8> The client sends QUIT to request closing the control connection, or opens another data connection to transfer another file.
The contrast:
Port mode (active connection mode) ---> the client chooses the port and waits for the server's data connection
Pasv mode (passive connection mode) ---> the server chooses the port and waits for the client's data connection
"Active" and "passive" describe the server's role.
Port mode:
C(port 3146)---->S(port 21) control channel
C(port 3257)<----S(port 20) data channel
Pasv mode:
C(port 3256)---->S(port 21) control channel
C(port 3257)---->S(port 2381) data channel
1. What detect does: in PORT mode it tracks the state of the TCP control session, checks that it is legitimate, creates a server-map entry and opens data port 3147; packets of that data connection do not need to pass the ACL check and can communicate through the tunnel established by ASPF. In PASV mode the destination port of the data channel negotiated on the control channel is 2381, and detect opens that port, again creating a server-map entry so that the packets do not need the ACL check and can pass through the ASPF tunnel. From the above it follows that undo detect ftp is needed to solve this problem, because IE uses passive mode.
2. IE uses passive mode, and detect ftp cannot inspect port 2121, so when IE is used to connect to the FTP server the content cannot be seen.
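The following Python script is an added illustration, not part of the original article or of the USG software: it models the control-channel parsing that detect ftp relies on, decoding a PORT command or a 227 PASV reply into the data-channel address and port, and it only does so for control sessions on an inspected port, which mirrors the case above where the server was moved to 2121. The sample lines, the inspected_ports parameter and the pinhole function are constructed assumptions for this example.

```python
import re

# Constructed sample control-channel lines (not captured from the article's setup).
# 9*256+77 = 2381 and 12*256+185 = 3257 match the ports used in the diagrams above.
PASV_REPLY = "227 Entering Passive Mode (10,1,1,5,9,77)."
PORT_CMD = "PORT 192,168,0,7,12,185"

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def _decode(match):
    """Turn the six comma-separated numbers into (host, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in match.groups())
    # RFC 959 encodes the port as two bytes: high byte * 256 + low byte.
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_endpoint(line):
    """Return (mode, host, port) for a PORT command or a 227 reply, else None."""
    m = PORT_RE.match(line)
    if m:
        # Active mode: the client listens here and the server connects from port 20.
        return ("active",) + _decode(m)
    m = PASV_RE.match(line)
    if m:
        # Passive mode: the server listens here and the client connects to it.
        return ("passive",) + _decode(m)
    return None


def pinhole(control_port, line, inspected_ports=(21,)):
    """Simplified model of 'detect ftp': only control sessions on an inspected
    port are parsed, so the negotiated data port receives a temporary server-map
    entry. A server moved to 2121 without detect on that port gets nothing, and
    the passive data channel is then dropped by the ACL."""
    if control_port not in inspected_ports:
        return None
    ep = data_endpoint(line)
    if ep is None:
        return None
    mode, host, port = ep
    return {"mode": mode, "host": host, "port": port}
```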
Suggestions
None.
