[FW1] MS FTP behind NAT





I'm having a rather irritating problem:  someone behind one of our FW-1
firewalls has to use Microsoft's command-line FTP (from win98, win2k, and
winnt) as part of a batch script (I know it's junk, but the scripter
won't use anything else).  I tried it behind a different FW-1, and it
worked.  Here is the common configuration between the 2 firewalls:

- FW-1 4.1 on NT sp 6a
- hosts are being NATted, the test PCs are statically mapped to valid
IPs (doing it without the static NAT gives a host of errors)

- ftp is enabled in the rulebase for outbound connections

Here's what's different between the 2 firewalls (firewall A functions
properly, firewall B does not):

- firewall A is running FW-1 service pack 2, firewall B is running FW-1
service pack 3

- SYNDefender is set to "none" on firewall A and is set to "passive
gateway" on firewall B

- under "logs and alerts" in Policy > Properties, "log established TCP
connections" is checked on firewall A and is unchecked on firewall B.

Those are the only differences I can find.  What happens when I try to
connect to an ftp server behind firewall B is that I can log in, but when
I try to do a directory listing or cd to a directory I get an error
saying "invalid port command" - no such error from behind firewall A.

Any suggestions??

thanks,
Glenn