PIX and FTP problems

We have a PIX running 4.4(5). When internal users access the FTP server from the outside, random connections time out. We have tried passive mode with no improvement.

Any other ideas?

Thank you

Brian

Not sure if this applies to you: bug CSCds48493

First thought is to upgrade the operating system to at least 5.x or 6.x.

It will be useful.

Steve

Tags: Cisco Security

Similar Questions

  • Active FTP problem between Checkpoint and Cisco PIX

    Hello

    I am facing a strange problem.

    Many of our customers have deployed a Checkpoint FW-1/VPN-1 4.1 SP6 (the last before NG). When they try to connect to an FTP server located behind a Cisco PIX firewall, they are not able to transfer data: the connection is established, the authentication follows, but at the 'LIST' stage the connection 'freezes' and the user must close the FTP client.

    Users are facing this problem ONLY in Active mode: passive mode works very well. Switching the FTP client to passive mode isn't an acceptable workaround for most of my clients.

    The problem seems to be related only to the firewall Cisco PIX and active FTP.

    Please, has someone encountered the same problem?

    Could someone give me any help?

    Thank you in advance.

    Paolo

    Yes it is a (global) problem, even with the latest Checkpoint firewalls. What happens with Active FTP is that each command (get, list, etc.) causes another session from the client (source port) to the server on port 21. If you run netstat on the client you can check this for yourself.

    What normally happens with HTTP, FTP, telnet, etc. is that the client makes a connection to port 21, 23 etc. and then comes back with a source port such as 1936, 1980, 3000, etc.

    The problem with stateful firewalls is that they do not allow multiple sessions on a control port number to a destination, as well as a source port being bound to a destination port, in this case 21 for FTP. I don't see this changing any time soon, since it's an extreme security risk: someone else might be hopping into the session, and blocking this type of traffic is what stateful firewalls are all about, and FTP servers are probably the most pirated machines on the planet.

    You've mentioned the workaround; unfortunately that's the only way: change your customers to passive. I think Unix/Linux customers have a problem with this. Changing your FTP server can also help; there are multiple servers that can be configured to disable Active FTP. I wouldn't know exactly, I only do network & firewall... maybe someone else can move on this...
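The thread above turns on what a stateful firewall has to do for active FTP: watch the control channel, parse the client's PORT command (and the server's 227 reply in passive mode), and open a temporary pinhole for the data connection. The following added example, not from the thread or from any vendor, is a simplified model of that inspection (what `fixup protocol ftp 21` does on a PIX); the client/server addresses, the session lines and the "advertised address must be the speaker's own address" check are constructed for the example, and no NAT rewriting is modelled.

```python
import re
from dataclasses import dataclass, field

# Client "PORT h1,h2,h3,h4,p1,p2" (active mode) and server
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" (passive mode).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227\b.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Pinhole:
    """One temporary permit: src_ip may open a TCP connection to dst_ip:dst_port."""
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class FtpInspector:
    """Simplified model of FTP control-channel inspection for one
    client/server pair (no NAT rewriting of the addresses in the commands)."""
    client_ip: str
    server_ip: str
    pinholes: list = field(default_factory=list)
    rejected: list = field(default_factory=list)

    @staticmethod
    def _endpoint(match):
        h1, h2, h3, h4, p1, p2 = (int(g) for g in match.groups())
        return f"{h1}.{h2}.{h3}.{h4}", (p1 << 8) | p2

    def client_line(self, line: str) -> None:
        """Active mode: the client names where the SERVER must connect to."""
        m = PORT_RE.match(line)
        if not m:
            return  # other commands (USER, LIST, ...) need no pinhole
        ip, port = self._endpoint(m)
        # Checks an inspector applies: the advertised address must be the client
        # itself (otherwise the server would be told to connect to a third host)
        # and the port must not be a privileged one.
        if ip != self.client_ip or port < 1024:
            self.rejected.append(line)
            return
        self.pinholes.append(Pinhole(self.server_ip, ip, port))

    def server_line(self, line: str) -> None:
        """Passive mode: the server names where the CLIENT must connect to."""
        m = PASV_RE.match(line)
        if not m:
            return
        ip, port = self._endpoint(m)
        if ip != self.server_ip or port < 1024:
            self.rejected.append(line)
            return
        self.pinholes.append(Pinhole(self.client_ip, ip, port))

    def allows(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        """Would a new TCP SYN src_ip -> dst_ip:dst_port be admitted?"""
        return Pinhole(src_ip, dst_ip, dst_port) in self.pinholes


def run_sample_session() -> FtpInspector:
    """Constructed control-channel lines (not a real capture)."""
    insp = FtpInspector(client_ip="192.168.1.10", server_ip="10.0.0.5")
    insp.client_line("PORT 192,168,1,10,7,144")   # 7*256+144 = 1936: pinhole server -> client:1936
    insp.client_line("LIST")                      # rides on the pinhole above, no new state
    insp.client_line("PORT 10,0,0,99,7,144")      # points at a third host: rejected
    insp.server_line("227 Entering Passive Mode (10,0,0,5,11,184)")  # 11*256+184 = 3000
    return insp
```

Without the pinhole the server's connection from port 20 back to the client is a new inbound session the stateful firewall has no state for, which is exactly the "freeze at LIST" in the question.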

  • PIX 515 DMZ problem

    Hello

    We have some difficulty moving traffic in and out of a Cisco PIX 515 firewall. We use it with two DMZs. The first DMZ, called DMZ1, has a mail server in it (front end mail server) that communicates with a different mail server (back end mail server) on the inside. The second DMZ (DMZ2) has some users who are expected to pass through the firewall to the outside to use the internet and must have access to the DMZ1 e-mail server. Inside users must be able to use the Internet and access DMZ1. Here's the important part of our setup.

    What we have working: inside users can access the internet, inside users can reach the DMZ1 e-mail server, and the DMZ1 mail server can reach the inside. Our problem is that we are unable to browse the internet from the DMZ1 messaging server if we put the DMZ1 ip address as the gateway on that server, even though the ISP's DNS ip address is properly configured on the same machine. Also, we could not get DMZ2 users to browse the internet, although we allowed the www protocol in the fromOut access list. One last question: can we make DMZ2 a DHCP server on the PIX interface and distribute ip addresses to users on that subnet only? Thanks for any help in advance.

    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    interface ethernet3 auto
    !
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz1 security50
    nameif ethernet3 dmz2 security40
    !
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    !
    names
    !
    ip address outside X.Y.Z.163 255.255.255.248
    ip address inside 192.168.0.9 255.255.255.0
    ip address dmz1 192.168.10.1 255.255.255.0
    ip address dmz2 192.168.20.1 255.255.255.0
    !
    access-list fromOut permit icmp any host X.Y.Z.162 source-quench
    access-list fromOut permit icmp any host X.Y.Z.162 echo-reply
    access-list fromOut permit icmp any host X.Y.Z.162 unreachable
    access-list fromOut permit icmp any host X.Y.Z.162 time-exceeded
    access-list fromOut permit tcp any host X.Y.Z.162 eq domain
    access-list fromOut permit tcp any host X.Y.Z.162 eq telnet
    access-list fromOut permit tcp any host X.Y.Z.162 eq smtp
    access-list fromOut permit tcp any host X.Y.Z.162 eq www
    !
    access-list fromDMZ1 permit tcp host 192.168.10.2 192.168.0.0 255.255.255.0
    access-list fromDMZ1 permit ip host 192.168.10.2 192.168.0.0 255.255.255.0
    !
    access-list fromDMZ2 permit tcp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
    !
    pager lines 24
    !
    mtu outside 1500
    mtu inside 1500
    mtu dmz1 1500
    mtu dmz2 1500
    !
    global (outside) 1 X.Y.Z.164 netmask 255.255.255.248
    global (outside) 2 X.Y.Z.165 netmask 255.255.255.248
    nat (inside) 1 192.168.0.0 255.255.255.0 0 0
    nat (dmz1) 1 192.168.10.2 255.255.255.255 0 0
    nat (dmz2) 2 192.168.20.0 255.255.255.0 0 0
    static (inside,dmz1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
    static (dmz2,dmz1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
    static (dmz1,outside) X.Y.Z.162 192.168.10.2 netmask 255.255.255.255 0 0
    !
    access-group fromOut in interface outside
    access-group fromDMZ1 in interface dmz1
    access-group fromDMZ2 in interface dmz2
    route outside 0.0.0.0 0.0.0.0 X.Y.Z.161 1

    Hi Jamil,

    There is a sentence on the URL I sent you: you can now activate the dhcp option on the interface. Just check this...

    REDA

  • Satellite L30-115 - deleted TCP and FTP packets

    Hi all

    I have a Toshiba Satellite L30-115 and a DSL connection. I have a problem with my laptop running Win XP SP2 with AVG anti-virus.

    TCP and FTP packets are systematically dropped by the firewall settings or by my system. I tried those tools that rewrite the registry entries for the TCP/IP protocol in Windows XP, but nothing seems to fix it. Everything that involves TCP fails systematically:
    [My browser tells me that the connection was reset during any process, AVG reports automatic update failures] but 1) I can always ping www.yahoo.fr and, strangest of all, Skype connects properly (likely because it uses another protocol and also because it is in the exception list of my firewall).
    Note that I only have the native Win XP firewall and no other (the AVG license I've got only covers web, mail and virus protection).

    Another thing is that the problem persists even when I turn off the firewall or if I play around with the settings.

    Help, please.

    Didier

    Hello

    Check this short workaround:
    Start the command console (cmd).
    Then type this command: ipconfig /renew

  • probably caused by the settings of the firewall on your computer. Check the settings for HTTP port (80), HTTPS port (443) and FTP.

    Change the title: internet connection.

    Unable to connect to the internet, suddenly. Message that I can't connect to the internet using HTTP or FTP. This is probably caused by firewall settings on your computer. Check settings for HTTP port (80), HTTPS port (443) and FTP. Funny, I was just on the net not more than 10 minutes prior to this. Checked all connections - good. What's my next

    Try a system restore to a Date before the problem began:

    Restore point:

    http://www.howtogeek.com/HOWTO/Windows-Vista/using-Windows-Vista-system-restore/

    Do Safe Mode system restore, if it is impossible to do in Normal Mode.

    Try pressing F8 at startup and, in the list of Boot selections, select Safe Mode using the UP ARROW to get there, and then press ENTER.

    Try a restore of the system once, to choose a Restore Point prior to your problem...

    Click Start > programs > Accessories > system tools > system restore > choose another time > next > etc.

    http://www.windowsvistauserguide.com/system_restore.htm

    Read the above for a very good graphic showing how to go back more than 5 days in the System Restore Points by checking the correct box.

    See you soon.

    Mick Murphy - Microsoft partner

  • Access to resources on the inside and DMZ problem

    Hi Techies,

    I have a pix515 doing remote access VPN. People are able to VPN into the box successfully but are not able to access resources on the DMZ or the inside. The DMZ is directly connected to the PIX and the inside is behind a CSS.

    Could you people point me in the right direction please.

    Thank you

    Abdul, is your problem solved? Have you tried the suggested missing statements in your config... Let us know if you have any questions.

    Regards

  • PIX and ASA static, dynamic and RA VPN does not

    Hello

    I am facing a very interesting problem between a PIX 515 and an ASA 5510.

    The PIX is at HQ and has several dynamic VPN connections (around 130), and remote IPsec VPN works very well. I had to add a static PIX-to-ASA L2L VPN and it does not work as it is supposed to. The ASA 5510, at the remote end, connects and stays up for a short period of time; however, all other VPN connections stop working.

    The most interesting thing is that the ASA is associated with the dynamic map and not the static map that I created (checked with 'sh crypto ipsec sa peer x.x.x.x'). However, if I make any changes in the ACL 'ACL-Remote' it affects the tunnel between the PIX and the ASA.

    Has someone seen something like that?

    Here is more detailed information:

    HQ - IOS 8.0 (3) - PIX 515

    ASA 5510 - IOS 7.2 (3) - remote provider

    Several Huawei and Cisco routers dynamically connected via ADSL

    Several users remote access IPsec

    A static site-to-site VPN between PIX and ASA - does not work.

    Here is the config on the PIX:

    crypto ipsec transform-set ESP-3DES-ESP-SHA-HMAC-IPSec esp-3des esp-sha-hmac
    crypto dynamic-map Dyn-VPN 100 set transform-set ESP-3DES-ESP-SHA-HMAC-IPSec
    crypto dynamic-map Dyn-VPN 100 set reverse-route
    crypto map VPN-map 30 match address ACL-Remote
    crypto map VPN-map 30 set peer 20x.xx.xx.xx
    crypto map VPN-map 30 set transform-set ESP-3DES-ESP-SHA-HMAC-IPSec
    crypto map VPN-map 100 ipsec-isakmp dynamic Dyn-VPN
    crypto map VPN-map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    crypto isakmp policy 65535
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    access-list ACL-Remote extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0

    Thank you.

    Marcelo Pinheiro

    The problem is that the ASA has a crypto acl defined between a host and a network, while the remote end has network to network.

    Make sure that the acl is reversed.
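The check suggested in the answer above (the two crypto ACLs must be exact mirror images, network-to-network facing network-to-network) can be automated. This added example is not from the thread; it parses the PIX line posted in the question and a constructed ASA-side line in the same `access-list NAME extended permit ip ...` syntax (the ASA ACL name `ACL-HQ` and its addresses are assumptions), and reports every entry that has no (dst, src) mirror on the other side.

```python
from ipaddress import ip_network


def _take_spec(tokens, i):
    """Parse one PIX/ASA address spec starting at tokens[i]:
    'any' | 'host A' | 'A MASK'. Returns (network, next index)."""
    t = tokens[i].lower()
    if t == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    return ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_crypto_acl(config: str, name: str) -> set:
    """Collect (src_net, dst_net) pairs from lines of the form
    'access-list NAME extended permit ip SRC DST' (other lines are ignored)."""
    pairs = set()
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[1] != name:
            continue
        if [t.lower() for t in tok[2:5]] != ["extended", "permit", "ip"]:
            continue
        src, i = _take_spec(tok, 5)
        dst, _ = _take_spec(tok, i)
        pairs.add((src, dst))
    return pairs


def mirror_mismatches(local: set, remote: set) -> set:
    """Entries on either side with no exact (dst, src) mirror on the other.
    A host-to-network entry facing a network-to-network entry, as in the
    answer above, shows up here as two unmatched entries."""
    missing_remote = {(s, d) for (s, d) in local if (d, s) not in remote}
    missing_local = {(s, d) for (s, d) in remote if (d, s) not in local}
    return missing_remote | missing_local


# PIX side as posted in the question; the ASA side is constructed for the example.
PIX_CONFIG = "access-list ACL-Remote extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0\n"
ASA_BAD = "access-list ACL-HQ extended permit ip host 192.168.1.10 10.0.0.0 255.255.255.0\n"
ASA_GOOD = "access-list ACL-HQ extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0\n"


def check(asa_config: str) -> set:
    """Mismatches between the posted PIX ACL and a given ASA ACL (hypothetical names)."""
    return mirror_mismatches(parse_crypto_acl(PIX_CONFIG, "ACL-Remote"),
                             parse_crypto_acl(asa_config, "ACL-HQ"))


if __name__ == "__main__":
    for label, cfg in (("host-to-network ASA ACL", ASA_BAD), ("mirrored ASA ACL", ASA_GOOD)):
        print(label, "->", {f"{s} -> {d}" for s, d in check(cfg)} or "mirror OK")
```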

  • Pix 525 hardware problem?

    Hello

    When powered on, the pix displays the following message and then stops booting:

    CISCO SYSTEMS PIX FIREWALL
    Embedded BIOS Version 4.3.207 01/02/02 16:12:22.73
    Compiled by Manu
    256 MB RAM
    PCI Device Table.
    Bus Dev Func VendID DevID Class          Irq
     00  00  00  8086   7192  Host Bridge
     00  07  00  8086   7110  ISA Bridge
     00  07  01  8086   7111  IDE Controller
     00  07  02  8086   7112  Serial Bus      9
     00  07  03  8086   7113  PCI Bridge
     00  0D  00  8086   1209  Ethernet       11
     00  0E  00  8086   1209  Ethernet       10
     00  11  00  11     2F44  4 Unknown Device 11

    What could be the problem? How to solve the problem?

    Thank you

    Hello

    Open the PIX and inside you will find a battery. Remove the battery for a few seconds, and of course unplug the unit first.

    Then insert the battery again and power on, and it should come up.

    Please rate this message if it solves your problem,

    Kind regards

  • traceroute pix 7.0 problems

    Hiya,

    I've updated the pix to v7.0(1) and after that I have this problem: I can't traceroute out of my WAN connection. The pix connects to the internet, and when I ping external ip addresses from inside to outside it works, but traceroute becomes unreachable after the pix hop. Traceroute reaches the border router immediately after the pix. Checking the logs shows ICMP time exceeded packets being logged:

    %PIX-4-400015: IDS:2005 ICMP time exceeded from xxx to yyy on interface outside

    I have already explicitly allowed: access-list out_in line 12 extended permit icmp any xxx 255.255.255.224 time-exceeded

    to allow icmp time exceeded packets to come in, but nothing helped. Any suggestions? Inspect icmp is on as well.

    Directly from Cisco TAC:

    To allow traceroute through PIX code 7.0, we must add "inspect icmp error" to the PIX configuration. Please implement the following commands in PIX configuration mode:

    --> policy-map global_policy
    --> class inspection_default
    --> inspect icmp error
    --> write mem

    I hope this works for you too!
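What `inspect icmp error` adds over a plain `permit icmp ... time-exceeded` ACL entry is a state check: the firewall reads the packet quoted inside the ICMP error and admits the error only if that packet belongs to a connection it let out. The following added example (not from the thread or from Cisco) models that logic on raw bytes; it builds a constructed ICMP time-exceeded message for a traceroute-style UDP probe, validates the ICMP checksum, extracts the inner 5-tuple and looks it up in a connection table. Addresses are documentation ranges chosen for the example, and NAT is not modelled (the table holds flows as seen on the outside interface).

```python
import struct
from ipaddress import IPv4Address

ICMP_ERROR_TYPES = {3, 11, 12}   # unreachable, time exceeded, parameter problem


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; a correctly checksummed message sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_error(icmp_type: int, code: int, inner_src: str, inner_dst: str,
                     sport: int, dport: int, proto: int = 17) -> bytes:
    """Constructed test packet: ICMP header + the offending packet's IPv4 header
    + the first 8 bytes of its transport header (UDP by default)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 1, proto, 0,
                           IPv4Address(inner_src).packed, IPv4Address(inner_dst).packed)
    inner_l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    body = inner_ip + inner_l4
    csum = inet_checksum(struct.pack("!BBHI", icmp_type, code, 0, 0) + body)
    return struct.pack("!BBHI", icmp_type, code, csum, 0) + body


def embedded_flow(icmp_msg: bytes):
    """Return (proto, src, sport, dst, dport) of the packet quoted inside an
    ICMP error, or None if the message is malformed or not an error type."""
    if len(icmp_msg) < 8 + 20 + 4 or inet_checksum(icmp_msg) != 0:
        return None
    if icmp_msg[0] not in ICMP_ERROR_TYPES:
        return None
    inner = icmp_msg[8:]                 # quoted IPv4 packet starts after the ICMP header
    vihl, proto = inner[0], inner[9]
    if vihl >> 4 != 4:
        return None
    hlen = (vihl & 0x0F) * 4
    if proto not in (6, 17) or len(inner) < hlen + 4:
        return None                      # only TCP/UDP flows are tracked here
    src = str(IPv4Address(inner[12:16]))
    dst = str(IPv4Address(inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[hlen:hlen + 4])
    return proto, src, sport, dst, dport


class ConnTable:
    """Outbound flows as seen on the outside interface (no NAT modelled)."""

    def __init__(self):
        self.flows = set()

    def add_outbound(self, proto, src, sport, dst, dport):
        self.flows.add((proto, src, sport, dst, dport))

    def icmp_error_allowed(self, icmp_msg: bytes) -> bool:
        """'inspect icmp error' logic: admit the error only if the quoted
        packet belongs to a flow this firewall let out."""
        flow = embedded_flow(icmp_msg)
        return flow is not None and flow in self.flows


def sample_check() -> tuple:
    """Constructed traceroute probe (UDP 33434 -> 33435) and two ICMP replies:
    one quoting the real probe, one quoting a probe that was never sent."""
    table = ConnTable()
    table.add_outbound(17, "192.0.2.10", 33434, "203.0.113.7", 33435)
    good = build_icmp_error(11, 0, "192.0.2.10", "203.0.113.7", 33434, 33435)
    stray = build_icmp_error(11, 0, "192.0.2.10", "203.0.113.7", 33434, 33499)
    return table.icmp_error_allowed(good), table.icmp_error_allowed(stray)
```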

  • Router vpn site to site PIX and vpn client

    I have two VPN connections terminating on one interface of the pix: a VPN client and a site-to-site VPN. Both have passed phase one and two and decrypt and encrypt the packets. However, as in another post, I cannot ping through the l2l vpn. I checked that this isn't a nat problem, and the NAT 0 on the pix and the NAT access lists on the router work correctly.

    RTR#show crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    66.x.x.x        89.x.x.x        QM_IDLE           2001    0 ACTIVE

    IPv6 Crypto ISAKMP SA

    local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
    current_peer 66.x.x.x port 500
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 23583, #pkts encrypt: 23583, #pkts digest: 23583
    #pkts decaps: 18236, #pkts decrypt: 18236, #pkts verify: 18236
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 40, #recv errors 0

    local crypto endpt.: 89.x.x.x, remote crypto endpt.: 66.x.x.x
    path mtu 1380, ip mtu 1380, ip mtu idb Dialer0
    current outbound spi: 0xC4BAC5E(206285918)

    inbound esp sas:
     spi: 0xD7848FB(225986811)
       transform: esp-aes esp-sha-hmac ,
       in use settings ={Tunnel, }
       conn id: 3, flow_id: Motorola SEC 1.0:3, crypto map: PIX_MAP
       sa timing: remaining key lifetime (k/sec): (4573083/78319)
       IV size: 16 bytes
       replay detection support: Y
       Status: ACTIVE

    inbound ah sas:

    inbound pcp sas:

    outbound esp sas:
     spi: 0xC4BAC5E(206285918)
       transform: esp-aes esp-sha-hmac ,
       in use settings ={Tunnel, }
       conn id: 4, flow_id: Motorola SEC 1.0:4, crypto map: PIX_MAP
       sa timing: remaining key lifetime (k/sec): (4572001/78319)
       IV size: 16 bytes
       replay detection support: Y
       Status: ACTIVE

    outbound ah sas:

    outbound pcp sas:

    Extended IP access list NAT
        10 deny ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 (21396 matches)
        20 permit ip 192.168.2.0 0.0.0.255 any (362 matches)
    Extended IP access list VPN_ACCESS
        10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 (39724 matches)

    I looked on the internet and it points to a routing error when packets are being encrypted and decrypted but you can't ping across the link. However, when I tested the connection I did not enter any static routes, as the networks are directly connected on each side of the pix and the router. Any help would be appreciated, as I think there's maybe something blocking the ping from reaching the internal network at the pix end, with a configured access list.

    Is ping failure the only thing wrong with the site to site VPN? I'm assuming that all other traffic works fine, since it decrypts and encrypts the packets.

    If it's just ping, then pls activate the following on the PIX:

    If it is version 6.3 and below: fixup protocol icmp

    If it is version 7.0 and higher: add "inspect icmp" under your global policy map.

    The complete config on one side and the other could help determine if it's a configuration problem or another problem.

  • File and FTP diff b/w adapter?

    What is the difference between file and FTP adapter?

    (1) The file adapter is used when the process needs to read/write/list files on your local system (where your FMW server is installed and running).

    (2) The FTP adapter, however, is used when the process needs to read/write/list files on a system other than the local system (where your FMW server is installed and running), which is set up as an FTP server to access the files. That system can be within your network or outside of your network.

    --
    Mark the post as "helpful" or "correct answer" if your problem is resolved.

  • GPS, Wifi and Bluetooth problems

    So I have an iPhone 6 running iOS 9.3.4 and have had problems with the GPS, the strength of wifi connectivity and bluetooth for a while now.

    First of all, the GPS. It does not work. When I run Maps or Google Maps on my device and input an address, the app can give me written directions and a location, but will not show me on a map. It will start routing wherever I go and tell me a starting position, for example heading North on the road I am on, but the arrow does not follow me and tell me when to turn or where I am. Occasionally it shows a guidance message with a spinning wheel which then, after a few seconds, disappears. I tried rebooting my device several times, I have reset the network settings, I reset all of the settings, I backed up my phone, reset it and restored the backup. Nothing has worked. I went to my local Verizon store and received a 'new' (it's definitely refurbished) phone, and the problem persists on the new phone. I reset the phone to factory settings without content, set it up as a new phone and tried the maps again, thinking it might be a problem with the backup. It still does not work. I'm perplexed right now and do not know what to do/try.

    Second, wifi and bluetooth connectivity is terrible. I can only receive a wireless signal when in very close proximity to the router. I tried different houses/businesses and it is the same issue. Bluetooth is just as bad. I use wireless headphones, and go to the gym/go running with them. I used to be able to walk around the gym without my phone and keep the headphones connected, but now I can't have my phone 2 feet from the device without the music breaking up (bad connection). I'm really irritated that I cannot figure this out and that I can't seem to find a fix online.

    If you have just updated to iOS 9.3.4, which I didn't even know was out yet, then maybe it's a bug that comes with the update. However, your problems seem to follow a trend: you cannot be far from a signal source and still have a signal. It is perhaps because the components necessary for the Bluetooth, GPS and WiFi signal are damaged or defective. Have you dropped or spilled liquid on your iPhone recently?

  • My Firefox won't quit and gives a "not responding" message once I have used Google Mail. I tried to boot into "safe" mode and the problem persists.

    I have an issue where Firefox won't quit and gives a "not responding" message after I've been using Google Mail. It works fine when I'm not using this program. I tried Safe Mode and the problem still happens when I go on Google Mail, so it is not connected with modules, extensions, etc.

    Hello

    The Reset Firefox feature can solve a lot of problems by restoring Firefox to its factory default condition while saving your vital information.

    Note: This will make you lose all the Extensions and preferences.

    • Open web sites are not saved in Firefox versions below 25.

    To reset Firefox, perform the following steps:

    1. Go to Firefox > help > troubleshooting information.
    2. Click on the button 'Reset Firefox'.
    3. Firefox will close and reset. After Firefox is finished, it will display a window with the imported information. Click Finish.
    4. Firefox opens with all the default settings applied.

    Information can be found in the article Firefox Refresh - reset the settings and Add-ons.

    Did this solve your problems? Please report back to us!

    Thank you.

  • Fields on several Internet sites have been changed in another language. The browser is set to English, and this problem does not occur with Chrome.

    Fields on several Internet sites have been changed to another language. The browser is set to English, and this problem does not occur with Chrome. Specifically, a large part of the Tumblr and Facebook menus has been changed to another language (Russian, I think). I tried reinstalling Firefox, clearing the cache and resetting Firefox to its default state. None of them helped. Any suggestions on how to fix this?

    Hey again,

    Sometimes a problem with Firefox can be a result of malware installed on your computer that you may not be aware of.

    You can try these free programs to scan for malicious software; they work alongside your existing anti-virus software:

    Microsoft Security Essentials is a good permanent antivirus for Windows 7/Vista/XP, if you do not already have one.

    More information can be found in the article Troubleshoot Firefox problems caused by malware.

    I hope this helps!

    Curtis

  • I bought my iPhone 5s from T-Mobile and have 2 months left to pay. My phone will not charge. Apple support says this isn't the phone and to replace the cable. This was done and the problem remains. Anyone who has experience of this pro

    I bought my iPhone 5s from T-Mobile and have 2 months left on the purchase. My phone no longer accepts a charge. Apple support ran a diagnostic and said it isn't the phone and that I should replace the cable. This was done and the problem remains. Has anyone experienced this problem? And, if so, what was the cause?

    It likely is the phone, but have Apple physically inspect it. Send it in or take it to the Genius Bar. You can arrange either from http://getsupport.apple.com.
