FTP – 500 I won't open a connection to xx.xx.xx.xx

Cade Roux asked:

I’m running a server on AWS and I’m connecting out to a partner’s FTP site (not much idea what they are running). My server has an elastic IP. In the results below xx.xx.xx.xx is the internal IP (same as I get from IPConfig). yy.yy.yy.yy is the external IP (same as I am RDPed into).

Connected to ftp.site.com.
220---------- Welcome to Pure-FTPd [privsep] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 22:47. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
User (ftp.site.com:(none)): someuser
331 User someuser OK. Password required
230 OK. Current restricted directory is /
ftp> literal pasv
227 Entering Passive Mode (69,28,68,87,255,170)
ftp> ls
500 I won't open a connection to xx.xx.xx.xx (only to yy.yy.yy.yy)

I tried PASV mode, but it’s not working.

I have nothing open on my security group except the RDP.

Windows Firewall is running on the server as well with what looks like Amazon’s default configuration.

Once I get this connection working I will probably be FTPing data from an SSIS package to their server, FWIW.

I know FTP is quirky through NAT like this with the connections being opened coming back. What do I need to do?

My answer:

The command-line FTP client built into Windows doesn’t support passive mode at all. Those hacks you found on the Internet about literal pasv or quote pasv don’t actually do anything as far as the FTP client is concerned; they tell the server to enter passive mode, but the client remains blissfully unaware. You’ll need to obtain a third-party FTP client.

View the full question and answer on Server Fault.
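
Added example (not part of the original question or answer, and not Pure-FTPd's code): a Python walk-through of the session above. It decodes the 227 reply the server sent, builds the PORT command an active-mode client still sends, and models the address check behind the 500 reply. The two IP addresses are constructed stand-ins for the masked xx/yy values, and the function names and the 200 reply text are hypothetical.

```python
import ipaddress
import re

# Constructed sample values: the page masks the real addresses as xx/yy,
# so private and documentation-range addresses stand in for them here.
INTERNAL_IP = "10.0.0.5"      # stands in for xx.xx.xx.xx (instance private IP)
EXTERNAL_IP = "203.0.113.10"  # stands in for yy.yy.yy.yy (elastic IP)
PASV_REPLY = "227 Entering Passive Mode (69,28,68,87,255,170)"  # from the session


def parse_pasv(reply):
    """Decode a 227 reply (h1,h2,h3,h4,p1,p2) into (host, port)."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not reply.startswith("227") or m is None:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % reply)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def build_port(local_ip, port):
    """Build the PORT command an active-mode client sends before 'ls'."""
    ipaddress.IPv4Address(local_ip)  # raises ValueError on a malformed address
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    return "PORT %s,%d,%d" % (local_ip.replace(".", ","), port >> 8, port & 0xFF)


def server_check_port(command, control_peer_ip):
    """Model of the check implied by the 500 reply: the server only connects
    back to the address it sees on the control connection."""
    requested = ".".join(command.split(" ", 1)[1].split(",")[:4])
    if requested != control_peer_ip:
        return "500 I won't open a connection to %s (only to %s)" % (
            requested, control_peer_ip)
    return "200 PORT accepted"  # constructed reply text


if __name__ == "__main__":
    # What a passive-capable client would do: connect OUT to this endpoint.
    print("passive data endpoint:", parse_pasv(PASV_REPLY))
    # What the built-in client does instead: advertise its NATed local address.
    cmd = build_port(INTERNAL_IP, 50000)
    print(cmd, "->", server_check_port(cmd, EXTERNAL_IP))
```

A client that acts on the 227 reply opens the data connection outbound to the decoded endpoint and never sends PORT, so neither the NAT address mismatch nor an inbound security group rule comes into play.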

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.