I am having a problem transferring data from our AS400 to a customer of ours via the internet. The AS400 is part of our LAN as is our proxy server/firewall. When I execute the ftp command from our AS400 in a batch program it says it cannot connect. We are currently running V4R1 of the OS400 operating system. Can anyone help me? Thanks.

Perhaps you could post your script, and maybe an error log? Dave

When I execute the ftp command from our AS400 in a batch program it says it cannot connect. Can you FTP interactively? If you can, then you might want to check the FTP command or syntax in your batch program. However, if neither batch FTP or interactive FTP can connect to the Internet, then firewall may be an issue. By default, AS/400 firewall blocks all the FTP traffic in packet filtering rule. If that is the case, you have three options. 1) Change or add packet filtering rules to allow FTP traffic for your AS/400 and enable IP forwarding. However, you need to be aware that you are exposing your AS/400 to the hackers by doing this. 2) FTP via SOCKS server - To do that, you must enable AS/400 as the SOCKS client and firewall SOCKS server to allow FTP function. However, I don't remember whether AS/400 at V4R1 level allow AS/400 as SOCKS client. To find out, from Operation Nav click Network, Protocols, then right click TCP/IP and select Properties. If you see SOCKS folder tag at the end, then use that to enable AS/400 as the SOCKS client. 3) FTP via NAT - Network Address Tranlation is added to AS/400 firewall since V4R3, and this may be easiest way and common way to do it. It's not only allow AS/400 to FTP, but also any PC on the LAN without installing other product on the PC. I guess the question is whether worth upgrading AS/400 to latest release due to V4R5 will be the last one for AS/400 firewall. Shawn

Also is there an AS400 equivalent of the trace route command?

Can you ping the destination IP address? bobh

Not yet (not by IBM anyway), may be in V5Rx. Shawn Fu

You should be able to run a comm trace. Goto system Service Tools, (STRSST) choose option 3 for communication trace. Enter the lined you are using to connect to your ISP. When the trace is complete, stop the trace, and print it. Specify ASCII.

Good thinking. However, I don't think the comm trace will provide routers(hop) information like trace route command on the DOS. If it does, it would be information overload just to find those info on the spool file. I don't know why IBM still has not come out with such a command for the As/400. The trace route logic seems to be so simple to program. It wouldn't be surprised to me that someone already wrote such a utility for the shareware or for themselves. Shawn Fu

Gary - You can get an AS/400 trace route utility at www.ignite400.org. Look under the 'Free Software' link. HTH, Steve

No we can't ping from the AS400 but if we enter the ping command on a DOS prompt on a PC we can. The PC is using client access as well. I tried to use the trace route example found on Ignite.org but I couldn't get it to work. Can't remember the error off hand,(it's been a week or so since I tried).

Gary, It may sound too obvious, but does your firewall allow your AS/400 TCP-IP address to have access to the Internet? It may not for security concerns. Additionally, can you FTP to the site from a PC? Good luck, John Panzenhagen

OK, then; Can the 400 ping itself? 127.0.0.1 is the default. bobh

Yes we can FTP from a PC. We found the log for the proxy/firewall server which shows the ftp packet traffic going to the server. However it does not let the packets thru. This only happens when I create a TCP route for my destination IP address and point it at the proxy/firewall. Can you tell me how to let the traffic thru the firewall? We are using Microsoft Proxy as the firewall.

YES We can ping the 400 itself with 127.0.0.1

Gary - I could be mistaken (it's happened before) but I believe that, if you PING 127.0.0.1, the packet does not actually go out 'on the wire' (network) but, instead PINGs to 127.0.0.1 are kept internal to your machine and are primarily used to verify that TCP/IP is running correctly internally. Perhaps one of the folks on this forum can confirm or deny this but I believe that it's true. HTH, Steve

If your PING and FTP requests are going out from the PC to the destination (trhough the wall), then I would guess your problem is either: 1) No route setup on the 400. For example, if the destination IP address is 192.168.33.14, you need to tell the 400 to go to the firewall for that address. 2) Firewall not accepting 400 packets - check your firewall rules. Can you see packets from the 40 on the f/w logs?

Packets are going to the firewall when we route them there. However the firewall is rejecting them. How do we get the firewall to accept? We are using the microsoft proxy firewall software.

I haven't used the MS Proxy Firewall, so I'm not 100% sure. I know that there needs to be a rule to let specific packets through for a particular service. Obviously, if your PC can successfully get through the 'wall, then look at the rule in control and find out if the AS/400 is allowed as well. You may need to create a new rule for the AS/400 and whatever services you need to access.