Question : Firewall & Routing - FTP Connection failing

I recently installed a WatchGuard x550e firewall on our network and tied it to the public interface linked to NIC 2 described below. Prior to this, NIC 2 was the public interface and not firewalled (I know!).

The problem is, since installing the firewall, our FTP connections from the outside are failing using the old settings.  I hope I can explain this adequately.

Clients log into our site from the web and our host application fires up. They log in and navigate to a page which provides them with a link to their own FTP folder. Our host application manages this link and it used to point to the private IP on NIC 1. That changed after installing the firewall, and the only way we can get the FTP site to work now is by pointing the application to the public interface on NIC 2. (If I understand routing at all, this means that traffic directed to any 199.x.x.x address will go out through the default gateway (NIC 2) and in this case come right back in through the same interface, right?)

Regardless, while the FTP links are working now, one issue with this is that client login credentials can now be compromised, as we are using IIS without Secure FTP. Previously this wasn't an issue as the FTP site login authenticated internally. (Right?) And I'd just like to know why the previous and, presumably more secure, settings won't work. Everything else seems to be working just fine.

I'm confused as to why the install of the new firewall changed the FTP access. Direct FTP access from any outside connection (i.e. ftp://our_ftp_site) works fine, so my policy to permit FTP through this firewall is apparently OK. Outgoing TCP/UDP is not being blocked at all from any internal interface (Trusted/Optional). FTP is not and never was permitted through the Firewall/Gateway for NIC 1.

Routing for Web Server
      NIC 1: 192.168.81.22   == Firewall       == Public IP 199.126.14.127
      NIC 2: 10.168.81.250   == Firewall (New) == Public IP 199.126.14.173
      Default Gateway: 10.168.81.249
=============================================================
Persistent Routes:
Network Address     Netmask            Gateway Address    Metric
192.168.0.0         255.255.0.0        192.168.81.1       2
10.144.0.0          255.255.0.0        192.168.81.1       2
10.128.0.0          255.255.0.0        192.168.81.1       1
208.38.50.13        255.255.255.255    192.168.81.1       1
209.89.161.230      255.255.255.255    192.168.81.1       1

I'd appreciate any helpful input.

Answer : Firewall & Routing - FTP Connection failing

Active and passive FTP are different: in an active context the data sender initiates the file transmission (connect call) and the receiver of a file listens, whereas with a passive connection the FTP client always initiates a connection for either upload or download.
Passive is ideal for going from a secured perimeter to the outside world... anonymously, not requiring a password.

If you need file transfer from the server to the client, why not do it through HTTP/HTTPS directly, and have the software on your server offer a local file copy, either through FTP (internal), a mounted disk or whatever means is possible.
Most HTTP servers can be configured to show a directory and have a download from there, like the FTP client in IE simulates. Much easier, no hassles, less security risk if used in combination with SSL (HTTPS).
There are a boatload of tools available (curl from http://curl.haxx.se (also in linkable code); there is wget, used a lot from scripting).
Besides limitations, you should consider logging in without encryption equal to announcing the passwords of your clients' accounts to the world.
All info is clear to be read at any point on the connection between your server and the client's system.

BTW, the website doesn't quite work in Firefox, or in a nailed-down IE (no foreign ActiveX) on a nailed-down system (no installs).
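The active/passive distinction in the answer comes down to who opens the data connection, which is what a firewall in front of the server has to allow for. The following is an added example, not code from the question or answer: it decodes the `PORT` command and `227` passive-mode reply from the FTP control channel, reports which side must initiate the data connection, and flags the case where a server behind NAT advertises its private address (10.168.81.250 from the question) instead of the public one (199.126.14.173). The control-channel lines and the client address 203.0.113.7 are constructed for the example.

```python
import re
from typing import NamedTuple

# h1,h2,h3,h4,p1,p2 tuple used by both the PORT command and the 227 reply (RFC 959)
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

class DataConn(NamedTuple):
    mode: str        # "active" (client sent PORT) or "passive" (server sent 227)
    initiator: str   # side that must open the data connection
    host: str        # address the initiator is told to connect to
    port: int
    issue: str       # empty when the advertised endpoint looks reachable

def parse_hostport(text):
    """Decode the six-number tuple into an IPv4 address and a TCP port."""
    m = HOSTPORT.search(text)
    if not m:
        raise ValueError("no host/port tuple in: " + text)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in: " + text)
    return ".".join(str(o) for o in octets[:4]), octets[4] * 256 + octets[5]

def is_private(ip):
    """RFC 1918 check on the first two octets."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)

def classify(line, peer_public_ip):
    """line: one control-channel line (PORT from the client or 227 from the server).
    peer_public_ip: the address the other side actually reached over the control
    channel; the tuple inside the line should normally match it."""
    if line.upper().startswith("PORT "):
        host, port = parse_hostport(line)
        mode, initiator = "active", "server"       # server connects out to the client
    elif line.startswith("227"):
        host, port = parse_hostport(line)
        mode, initiator = "passive", "client"      # client connects in to the server
    else:
        raise ValueError("not a PORT command or 227 reply: " + line)
    issue = ""
    if is_private(host) and not is_private(peer_public_ip):
        # Typical NAT symptom: the address was rewritten in the IP header but
        # not inside the FTP payload, so the peer is told to connect to a
        # private address it cannot reach.
        issue = "advertised private address %s behind public %s" % (host, peer_public_ip)
    elif host != peer_public_ip:
        issue = "advertised %s differs from control-channel peer %s" % (host, peer_public_ip)
    return DataConn(mode, initiator, host, port, issue)

# Constructed sample: a NAT'd server leaking its inside address in a passive reply.
LEAKED = classify("227 Entering Passive Mode (10,168,81,250,195,80)", "199.126.14.173")
```

In the leaked case the client is told to connect to 10.168.81.250:50000, which explains why passive transfers fail through a NAT firewall that does not rewrite the FTP payload, while the control connection on port 21 still works.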