wrt160n with cisco pix and isa server 2004 config

Hello

I am setting up a configuration in which my wrt160n router should work, but at present it does not.

Here is the problem:

Internet proxy - pix cisco - ms isa 2004 - 4 network cards <> lan1, lan2, dmz and wlan networks

The wlan network card will only be my wireless LAN interface for internet access. The ISA server wireless LAN NIC has been configured with IP 10.0.10.1/24.

The wrt160n internet interface is configured with static IP 10.0.10.2/24, gateway 10.0.10.1 and the 2 internet DNS addresses.

My DHCP server config is 192.168.100.x/255.255.255.0 with the same 2 internet DNS addresses. NAT is disabled because the ISA server does NAT for all networks.

Where is the mistake, or did I forget something? Help, please.

Activate NAT on the WRT, or add a static route for 192.168.100.0/255.255.255.0 via 10.0.10.2 on your ISA server computer.

Of course, if you only want wireless, there is no need to use the WRT as a router. You can set the WRT back to DHCP on the internet settings. Set the LAN IP address to 10.0.10.2 with a mask of 255.255.255.0. Disable the DHCP server on the WRT. Then connect one of the LAN wire ports of the WRT to the ISA server. Do not use the internet port on the WRT!

Now you have configured the WRT as a simple access point, so you should use your ISA server to serve DHCP addresses inside 10.0.10.0/24...

Tags: Linksys Routers

Similar Questions

  • Problem with ssl on ISA Server 2004 traffic shaping

    Hello

    I use the "Bandwidthsplitter" addon for ISA Server 2004 (Enterprise Edition) for traffic shaping and quota control. I have a serious problem with it. This addon does not take the users' SSL traffic into account, and I need to restart the Microsoft ISA Server Control Service periodically or allow the users to stay connected via SSL until they themselves kill their session.

    I will be grateful if someone helps me to solve this problem.

    Thanks in advance

    Bijan

    Hello

    The question you posted would be better suited to the TechNet community. Please visit the link below to find a community that will support what you ask:

    http://social.technet.Microsoft.com/forums/en-us/Forefrontedgegeneral/threads

  • Help with Cisco PIX 506E

    I need help setting up a Cisco PIX 506E, version 6.3(5).

    I use the PDM to configure the device because I don't know enough CLI. I just want the simplest of configurations.

    Here is what is happening: after I set it up, I hang interface 1 to my laptop and use DHCP to get an IP address, but I can't get out to the internet like that. With the PDM tools, I can ping outside IPs just fine.

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password DkreNA9TaOYv27T8 encrypted
    passwd c4EBnG8v5uKhu.PA encrypted
    hostname EWMS-PIX-630
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    object-group service test udp
      port-object eq isakmp
    access-list inside_access_in permit ip any any
    access-list inside_access_in permit tcp any any
    access-list inside_access_in permit icmp any any
    access-list inside_access_in permit esp any any
    access-list inside_access_in permit tcp any eq www any
    access-list inside_outbound_nat0_acl permit ip interface inside 10.10.10.96 255.255.255.240
    access-list inside_outbound_nat0_acl permit ip any 10.10.10.192 255.255.255.224
    pager lines 24
    logging timestamp
    logging trap debugging
    logging host inside 10.10.10.13
    mtu outside 1500
    mtu inside 1500
    ip address outside 75.146.94.109 255.255.255.248
    ip address inside 10.10.10.250 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 10.10.10.1 255.255.255.255 inside
    pdm location 10.10.10.13 255.255.255.255 inside
    pdm location 10.10.10.253 255.255.255.255 inside
    pdm location 75.146.94.105 255.255.255.255 inside
    pdm location 75.146.94.106 255.255.255.255 inside
    pdm location 10.10.10.96 255.255.255.240 outside
    pdm location 10.10.10.192 255.255.255.224 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 0 0.0.0.0 0.0.0.0 0 0
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 75.146.94.110 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server RADIUS (inside) host 10.10.10.1 timeout 10
    aaa-server LOCAL protocol local
    http server enable
    http 10.10.10.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    isakmp enable outside
    isakmp peer ip 206.196.18.227 no-xauth no-config-mode
    isakmp nat-traversal 20
    isakmp policy 20 authentication rsa-sig
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 1
    isakmp policy 20 lifetime 86400
    isakmp policy 40 authentication pre-share
    isakmp policy 40 encryption des
    isakmp policy 40 hash md5
    isakmp policy 40 group 2
    isakmp policy 40 lifetime 86400
    isakmp policy 60 authentication rsa-sig
    isakmp policy 60 encryption des
    isakmp policy 60 hash md5
    isakmp policy 60 group 2
    isakmp policy 60 lifetime 86400
    telnet 10.10.10.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 10.10.10.2-10.10.10.5 inside
    dhcpd dns 68.87.72.130
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd enable inside
    username btork password Ww3clvi.ynWeGweE encrypted privilege 15
    vpnclient server 10.10.10.1
    vpnclient mode client-mode
    vpnclient vpngroup GroupA password ********
    vpnclient username btork password ********
    terminal width 80
    Cryptochecksum:5ef06e69c17b6128e1778e988d1b9f5d
    : end
    [OK]

    Any help would be appreciated.

    Brian

    Brian

    NAT is your problem, i.e.

    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 0 0.0.0.0 0.0.0.0 0 0

    Presumably the first NAT is for your VPN; that ACL looks a little funny, what exactly are you doing with that?

    The second NAT is the real problem for outgoing internet access - with that NAT statement you said not to NAT any of your 10.10.10.x addresses, which is a problem as 10.x.x.x addresses are not routable on the Internet.

    You must change this setting, i.e.:

    (1) remove the second NAT statement, i.e. "no nat (inside) 0 0.0.0.0 0.0.0.0".

    (2) add a new NAT statement: "nat (inside) 1 0.0.0.0 0.0.0.0".

    (3) add a corresponding global statement: "global (outside) 1 interface".

    This will PAT all your 10.10.10.x addresses to the external IP address.

    Apologies, but these are CLI commands; I don't use PDM.

    Jon

  • Problem with Cisco ACS and different areas

    Hello

    We are currently having a problem with the Cisco ACS that we put in place, and I'll try to describe it:

    We have ACS connected to AD, where we have 2 domains and the appropriate group mappings.

    Then we have our Cisco switches with the following configuration:

    aaa new-model
    aaa authentication fail-message ^CCCC
    Failed to authenticate!
    Please contact the IT Networks Group for more information.
    ^C
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa authorization network default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    !
    aaa session-id common

    But the problem is that users in one domain can authenticate, but not those in the other. Basically, when we check the passed authentications, both authentications pass and show 'Authen OK', but on the switch side there is a failure.

    Could there be something wrong with the ACS?

    Thank you

    Jorge

    Try increasing the timeout on IOS device using radius-server timeout 10.

    Don't you have remote logging enabled on the ACS server?

    -Philou

  • What is the problem with Distiller? and Distiller Server?

    I used to use Distiller to make my PDFs a smaller, more optimized file size. A few months ago we updated to CS4, well, everything that was before any version of CS. So for these last months I had no problems at all making reasonable size/quality PDFs directly from ID... So I still want to know, is it not necessary at all to distill to make file sizes even smaller than straight from ID?... or do I just think that all these parameters are available in the ID export.

    Do you have a large volume for which to use Distiller Server? Does this sound right?

    Adobe actually encourages users to use the direct-to-PDF route without distilling, since it is a richer conversion. Distiller is used via Microsoft Agent (and the PDF Maker) as another method of creating PDF files (via PostScript [and sidecar with PDF Maker]), and indeed sometimes professional users need Distiller Server for a large number of PDF creation operations.

    Distiller Server is not available for Mac.

    Jon

  • Problem with IPSEC tunnel between Cisco PIX and Cisco ASA

    Hi all!

    We have a strange problem with one of our IPsec tunnels for one of our customers: we can bring the tunnel up from the customer's site, but not from our site. I don't understand what's wrong; if it were a configuration problem we should not be able to bring the tunnel up at all.

    On our side as initiator:

    Jan 14 13:53:26 172.27.1.254 %PIX-7-702208: ISAKMP Phase 1 exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)

    Jan 14 13:53:26 172.27.1.254 %PIX-7-702210: ISAKMP Phase 1 exchange completed (local 1.1.1.1 (initiator), remote 2.2.2.2)

    Jan 14 13:53:26 172.27.1.254 %PIX-6-602202: ISAKMP session connected (local 1.1.1.1 (initiator), remote 2.2.2.2)

    Jan 14 13:53:26 172.27.1.254 %PIX-6-602201: ISAKMP Phase 1 SA created (local 1.1.1.1/500 (initiator), remote 2.2.2.2/500, authentication=pre-share, encryption=3DES-CBC, hash=SHA, group=2, lifetime=86400s)

    Jan 14 13:53:26 172.27.1.254 %PIX-7-702209: ISAKMP Phase 2 exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)

    Jan 14 13:53:26 172.27.1.254 %PIX-7-702201: ISAKMP Phase 1 delete received (local 1.1.1.1 (initiator), remote 2.2.2.2)

    Jan 14 13:53:26 172.27.1.254 %PIX-6-602203: ISAKMP session disconnected (local 1.1.1.1 (initiator), remote 2.2.2.2)

    Jan 14 13:53:56 172.27.1.254 %PIX-7-702303: sa_request, (key eng. msg.) src= 1.1.1.1, dest= 2.2.2.2, src_proxy= 172.27.1.10/255.255.255.255/0/0 (type=1), dest_proxy= 192.168.100.18/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-3des esp-sha-hmac, lifedur= 28800s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004

    The customer's site as responder:

    Jan 14 11:58:23 172.27.1.254 %PIX-7-702208: ISAKMP Phase 1 exchange started (local 1.1.1.1 (responder), remote 2.2.2.2)

    Jan 14 11:58:23 172.27.1.254 %PIX-7-702210: ISAKMP Phase 1 exchange completed (local 1.1.1.1 (responder), remote 2.2.2.2)

    Jan 14 11:58:23 172.27.1.254 %PIX-6-602202: ISAKMP session connected (local 1.1.1.1 (responder), remote 2.2.2.2)

    Jan 14 11:58:23 172.27.1.254 %PIX-6-602201: ISAKMP Phase 1 SA created (local 1.1.1.1/500 (responder), remote 2.2.2.2/500, authentication=pre-share, encryption=3DES-CBC, hash=MD5, group=1, lifetime=86400s)

    Jan 14 11:58:23 172.27.1.254 %PIX-7-702209: ISAKMP Phase 2 exchange started (local 1.1.1.1 (responder), remote 2.2.2.2)

    Jan 14 11:58:23 172.27.1.254 %PIX-6-602301: sa created, (sa) sa_dest= 2.2.2.2, sa_prot= 50, sa_spi= 0x9de820bd(2649235645), sa_trans= esp-3des esp-sha-hmac, sa_conn_id= 116

    Jan 14 11:58:23 172.27.1.254 %PIX-7-702211: ISAKMP Phase 2 exchange completed (local 1.1.1.1 (responder), remote 2.2.2.2)

    Jan 14 12:28:54 172.27.1.254 %PIX-6-602302: deleting SA, (sa) sa_dest= 2.2.2.2, sa_prot= 50, sa_spi= 0x9de820bd(2649235645), sa_trans= esp-3des esp-sha-hmac, sa_conn_id= 116

    Kind regards

    Johan

    From my experience, when a tunnel comes up from one side but not from the other, the problem is a mismatch of the isakmp and ipsec policies, mainly the ipsec transform sets and the matching addresses; on the ASA platform, when a tunnel is not statically defined in a crypto map, it sometimes uses the dynamic crypto map entry to allocate that VPN connection. To check whether this is the case, go ahead and run "show crypto ipsec sa" when the tunnel is active on both sides, and see on the ASA whether the tunnel matches the static crypto map entry or the dynamic crypto map.

    I advise you to go through the settings on both sides and ensure that they mirror each other.
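    As an added illustration of the policy-mismatch check described in the reply above (not code from the thread), the following parses the two PIX syslog excerpts and reports which Phase 1 attributes differ between the two captures, and whether the initiator's Phase 2 exchange was aborted by a Phase 1 delete. The log lines are constructed to match the format of the excerpts above.

```python
import re

# Constructed sample lines in the %PIX-<sev>-<id> format shown in the thread.
INITIATOR_LOG = """
Jan 14 13:53:26 172.27.1.254 %PIX-7-702208: ISAKMP Phase 1 exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254 %PIX-7-702210: ISAKMP Phase 1 exchange completed (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254 %PIX-6-602201: ISAKMP Phase 1 SA created (local 1.1.1.1/500 (initiator), remote 2.2.2.2/500, authentication=pre-share, encryption=3DES-CBC, hash=SHA, group=2, lifetime=86400s)
Jan 14 13:53:26 172.27.1.254 %PIX-7-702209: ISAKMP Phase 2 exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254 %PIX-7-702201: ISAKMP Phase 1 delete received (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254 %PIX-6-602203: ISAKMP session disconnected (local 1.1.1.1 (initiator), remote 2.2.2.2)
""".strip().splitlines()

RESPONDER_LOG = """
Jan 14 11:58:23 172.27.1.254 %PIX-7-702208: ISAKMP Phase 1 exchange started (local 1.1.1.1 (responder), remote 2.2.2.2)
Jan 14 11:58:23 172.27.1.254 %PIX-6-602201: ISAKMP Phase 1 SA created (local 1.1.1.1/500 (responder), remote 2.2.2.2/500, authentication=pre-share, encryption=3DES-CBC, hash=MD5, group=1, lifetime=86400s)
Jan 14 11:58:23 172.27.1.254 %PIX-7-702209: ISAKMP Phase 2 exchange started (local 1.1.1.1 (responder), remote 2.2.2.2)
Jan 14 11:58:23 172.27.1.254 %PIX-6-602301: sa created, (sa) sa_dest= 2.2.2.2, sa_prot= 50, sa_spi= 0x9de820bd(2649235645), sa_trans= esp-3des esp-sha-hmac, sa_conn_id= 116
Jan 14 11:58:23 172.27.1.254 %PIX-7-702211: ISAKMP Phase 2 exchange completed (local 1.1.1.1 (responder), remote 2.2.2.2)
""".strip().splitlines()

# 602201 carries the negotiated Phase 1 policy inside the trailing parentheses.
SA_RE = re.compile(r"%PIX-6-602201: .*?\((?P<attrs>.*)\)$")
MSGID_RE = re.compile(r"%PIX-\d-(?P<id>\d{6}):")

# The attributes that must agree on both peers for Phase 1 to survive.
POLICY_KEYS = ("authentication", "encryption", "hash", "group", "lifetime")


def parse_phase1_sa(line):
    """Return {attribute: value} from a 602201 line, or None for any other line."""
    m = SA_RE.search(line.rstrip())
    if not m:
        return None
    attrs = {}
    for part in m.group("attrs").split(", "):
        if "=" in part:  # skips the "local ..." / "remote ..." endpoint fields
            key, value = part.split("=", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def phase1_policy(lines):
    """Policy attributes of the first Phase 1 SA reported in a log excerpt."""
    for line in lines:
        attrs = parse_phase1_sa(line)
        if attrs:
            return {k: attrs[k] for k in POLICY_KEYS if k in attrs}
    return {}


def policy_mismatches(side_a, side_b):
    """Attributes whose values differ between the two sides' Phase 1 SA lines."""
    pa, pb = phase1_policy(side_a), phase1_policy(side_b)
    return {k: (pa.get(k), pb.get(k)) for k in POLICY_KEYS if pa.get(k) != pb.get(k)}


def phase2_aborted(lines):
    """True when a Phase 1 delete (702201) arrives after Phase 2 started (702209)
    and before Phase 2 completed (702211): the peer tore the SA down mid-negotiation."""
    started = False
    for line in lines:
        m = MSGID_RE.search(line)
        if not m:
            continue
        msgid = m.group("id")
        if msgid == "702209":
            started = True
        elif msgid == "702211":
            return False
        elif msgid == "702201" and started:
            return True
    return False


if __name__ == "__main__":
    print("Phase 1 attribute differences:", policy_mismatches(INITIATOR_LOG, RESPONDER_LOG))
    print("initiator Phase 2 aborted:", phase2_aborted(INITIATOR_LOG))
    print("responder Phase 2 aborted:", phase2_aborted(RESPONDER_LOG))
```

    Note that the two captures are from different times, so differing hash/group values show that the two peers have negotiated different Phase 1 policies, not necessarily that a single exchange failed on those attributes.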

  • Ethernet VMware with Cisco EtherChannel and Trunking Question

    Hello

    Trying to get our etherchannels working correctly with our network administrator. Here is our config with a few questions.

    1. Since the trunk is created between the switch and the host directly, can I use spanning-tree portfast trunk edge?

    2. When do we use "no ip address" and when not, for this configuration? I see online examples with and without it.

    3. Some articles describe it in access mode, while others say dot1q trunk mode. See here for access mode. Admin thinks it should use dot1q.

    4. Etherchannel is fully supported and preferred spanning links across cards, right? Not all of the links on the same card?

    5. Is it the case that the load balancing algorithm should be changed in VMware first, or on the Cisco side first? I did VMware first (IP hash).

    It's on a 6500 series switch with 4 cards/blades.

    !
    interface Port-channel200
     switchport
     switchport access vlan 81
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 69,81,172,896
     switchport mode trunk
     switchport nonegotiate
    !
    interface GigabitEthernet2/35
     switchport
     switchport access vlan 81
     switchport trunk allowed vlan 69,81,172,896
     switchport mode trunk
     switchport nonegotiate
     spanning-tree portfast edge
     channel-group 200 mode on
    !
    interface GigabitEthernet8/10
     switchport
     switchport access vlan 81
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 69,81,172,896
     switchport mode trunk
     switchport nonegotiate
     spanning-tree portfast edge
     channel-group 200 mode on
    

    DITGUY2012 wrote:

    Wow Josh. If only you had written the documentation. That's the trouble with it. People like me get final instructions because we're not the network guys 24x7. Great documentation would lay out the reasons to go this way or that way, as you just did. That being said, here's my summary based on this discussion.

    1. We have several VLANs that come down over 3 links on the etherchannel. Thus we should use trunk mode because there is not a single one.

    2. We have another etherchannel with just 1 VLAN (vmotion), but over two links. This should be access mode. Or is it still trunk because of the multiple links?

    3. I don't know what crash dump logger is, or how it applies to my situation.

    4. I saw the bpduguard setting before; what exactly is the syntax to use for us? 6500 series.

    5. I don't know if our switch would deliver on that port. How can I tell? At this moment I have the switchport setting in there.

    Thank you!

    No problem. For reference, the other documentation question is one of language. HP networking hardware calls etherchannel a 'trunk', which has nothing to do with the "access vs trunk" port discussion, which they call "untagged vs tagged".

    1. Yes.

    2. You would certainly make that an access port.

    3. If your server ever starts to have a problem with crashing, VMware can send a copy of the crash dump to the debug log. You can see an article on setting it up here: Setting up the ESXi 5.0 Dump Collector | VMware vSphere Blog - VMware Blogs.

    4. I'm sorry, I'm not familiar with this model.

    5. I think if the switchport parameter is there and connectivity seems to work, you can consider yourself safe.

  • IPsec VPN with Cisco AnyConnect and 1921 ISR G2 router

    Hello

    Is it possible to establish a remote access IPsec VPN using the Cisco AnyConnect client with a Cisco ISR G2 1921 router?

    If someone does, please share the sample configuration, as I've been stuck on this topic since last week.

    My Cisco rep recommended I not try AnyConnect on an ISR or ASR router.  So I used an open source client.  I'm not saying that AnyConnect won't work, it's just the route I took on my project.  I have a known good working configuration for a 1921 with strongSwan as a client.  It is IPsec with IKEv2 using certificates for authentication.

  • C220 M3 with Cisco VIC and embedded 1G?

    Hello

    We have a pair of C220 M3 servers that we connected to a pair of fabric interconnects (6248) for single-wire management through the VIC 1225.  We also have two 1 GB embedded NICs, but it is a Windows 2012 bare metal server and it does not see the additional interfaces.  The interfaces appear up and connected to the downstream switch, so we know that they are enabled.  However, the operating system does not see the interfaces.  We have checked the compatibility matrix for drivers, but it's as if the interfaces are not presented to the OS.

    I just wanted to make sure there isn't something else with single-wire management which "prevents" the operating system on the server from using these interfaces?

    Thank you

    Hello

    That is correct. I have not tried this option myself, but it's something that could be tried and would work.

    -

    Siva

  • Can Log Insight work with Cisco Catalyst and Nexus devices?

    Hi guys,

    does anyone use Log Insight for Catalyst and Nexus devices?

    Yes, Log Insight will work with all unstructured data sent via the syslog protocol. Supported Cisco devices can remote log to a syslog destination, shipping logs to Log Insight.

  • RAC with Oracle VM and Windows Server

    Hi all,

    We want to implement the system with Oracle database 11g or 10g 64-bit (RAC) on the Microsoft Server 2008/2003 OS. We do not have enough licenses for all the cores, and we want to find a way to implement the RAC database with the existing licenses.

    Is it a good solution to use virtualization, such as Oracle VM?
    How safe is it to use virtualization?
    Can we run Oracle Real Application Clusters (RAC) environments on Oracle VM with the Windows Server 2008 64-bit (or 2003 Server) operating system and use hard partitioning?
    Is it better to invest in licenses or try with Oracle VM?


    Oracle VM can be configured so that it is recognized as a hard partition.
    Hard partitions allow customers to license only those CPUs used by the partition instead of licensing all the processors on the physical server.
    Source: oracle.com


    Thank you!

    Virtualization is not certified for Oracle RAC on Windows.

    The "Certified Software on Oracle VM" note [ID 464754.1] states:

    Oracle Real Application Clusters (RAC)
    
        Oracle 10.2.0.4 and up (10gR2) and 11.1.0.7 and up (11gR1) and 11gR2 RAC for Linux x86 and Linux x86_64 certified on Oracle VM
            Guest OS: Oracle Linux 5.1 (and above) RHEL 5.1 (and above) for Linux x86 / Linux x86_64
            Paravirtualized (PV) mode only (Guest OS and drivers)
            Only supported on Oracle VM 2.1.2 and above
            Live-migration of an Oracle RAC VM is supported with Oracle VM 2.2.1 and above.
            Previous versions are not supported. Please refer to this link for best practices.
    
            Over-committing CPUs is not recommended, but supported with the following restrictions:
                The total amount of VCPUs allocated to guest domains (running Oracle RAC guests), should not exceed
                two times (2x) the amount of real CPUs / cores in the Oracle VM server.
                The amount of VCPUs allocated to a single guest domain should not exceed the amount of real CPUs /
                cores in the Oracle VM server.
                Maintain Oracle VMs default VCPU allocation for dom-0: Oracle VM will allocate 1 VCPU for each real CPU or core to dom-0.
                CPU pinning is only recommended for hard partitioning. If no hard partitioning is required, CPU pinning should not be used.
    
            Static support only (dynamic support is being planned):
                Dynamic resizing of guest virtual machine is not supported (VCPU, memory and I/O)
                Virtual Machine Pause/Restore of an active Real Application Cluster virtual machine is not supported. 
    
  • My PC will not repair or install an operating system. I tried with Vista, 7 and Windows Server 2008 installation media, but it does not get as far as the first menu.

    As it says above. Everything worked fine until a few days ago. Now it fails to start correctly with STOP 0x00000024 (ntfs corruption), but I can't boot from any installation media to reinstall the OS or repair Vista. All I get is the wallpaper but no menu. I tried unplugging the SATA HDD and inserting an IDE drive with no effect.

    I can boot to DOS from several of the start-up/repair CDs I tried, but I am unable to boot from a Windows XP PE DVD (BartPE or Hiren's boot CD); I can boot Knoppix Linux (5.3.1 and 6.4.3).

    All I want to do is run chkdsk /r and then either repair or install a new OS to make it work again.

    Any thoughts?

    Dave

    Hi Dave,

    You can read the following article, which talks about the same issue:

    Error message in Windows 2000: "Stop 0x24" or "NTFS_FILE_SYSTEM"

    Note: The steps mentioned in the article apply to the Windows Vista and 7 operating systems as well.

    1. Do you have the original disks supplied with the computer?

    2. Have you tried to use the original Vista disks?

  • Problems with Oracle Apex and HTTP server

    I have Oracle Apex 3.2 running with the Oracle 10g OHS. When I load large pages... some pages are not completely rendered... There is incomplete source code when certain pages are generated...

    This causes things like the hidden tag that contains the md5 for the page checksum not to be generated correctly...

    check out this [http://img444.imageshack.us/i/error2le.png/]


    And it causes the repercussion in the process DML:

    check out this [http://img715.imageshack.us/i/error1d.png/]

    Edited by: Juan David Palacios on June 9, 2010 08:24

    Edited by: Juan David Palacios on June 9, 2010 09:44

    Edited by: Juan David Palacios on June 10, 2010 05:57

    Can I update the PL/SQL toolkit after the installation of Apex 3.2?

    Following the instructions in the README.TXT file as described in the documentation, yes.

  • Problem with Windows 7 and Vista Dual Boot Config

    Hello all, hope someone can help. I'm currently trying to create a dual boot configuration using Windows 7 and Windows Vista. Here is the problem: 7 is on the C drive and Vista is on the D; booting into 7 this info is correct, however booting into Vista shows quite the opposite, it says it's installed on drive C and 7 on D. I tried to edit the drive letters using the Vista registry; it would not boot and I had to repair using system restore...

    Hi Madril,

    Thanks for posting this question in the Microsoft Community.

    Could you give us a few answers so that we can have a better understanding of the issue?

    1. Are you trying to boot Vista from Windows 7? If this is the case, I suggest that it will not work.

    2. Do you have both operating systems installed?

    I would like to inform you that when you boot into Windows Vista or Windows 7, regardless of the drive they are installed on, Windows displays the primary drive as C. Drive C is always reserved for Windows. That's why Windows shows it as the C drive.

    If the dual boot works fine, you don't have to worry about that.

    You can also format the hard drive, create two different partitions and then start Vista in a drive and Windows 7 in another. You can also go through the article on multiboot and check if it helps.

    Hope this helps and provide us more information if you need more assistance. We will be happy to help you.

  • Active FTP problem between Checkpoint and Cisco PIX

    Hello

    I am facing a strange problem.

    Many of our customers have a Checkpoint FW-1/VPN-1 4.1 SP6 (the last before NG). When they try to connect to an FTP server that is located behind a Cisco PIX firewall, they are not able to transfer data: the connection is established, the authentication follows, but at the 'LIST' stage the connection 'freezes' and the user must close the FTP client.

    Users face this problem ONLY in active mode: passive mode works very well. Turning on passive mode in the FTP client isn't an acceptable workaround for most of my clients.

    The problem seems to be related only to the Cisco PIX firewall and active FTP.

    Please, has someone encountered the same problem?

    Could someone give me any help?

    Thank you in advance.

    Paolo

    Yes, it is a (global) problem, even with the latest Checkpoint firewalls. What happens with active FTP is that each command (get, list, etc.) causes another login from the client (source port) to the server on port 21. If you run netstat from the client you can check this for yourself.

    What normally happens with HTTP, FTP, telnet, which are what they are, is that the client makes a connection to port 21, 23, etc. and then returns with a source port such as 1936, 1980, 3000, etc.

    The problem with stateful firewalls is that they do not allow multiple sessions on the control port number to a destination; only one source port can be bound to a destination port, in this case 21 for FTP. I don't see that being changed any time soon, since it's an extreme security risk; someone else might be hijacking the session, and blocking this type of traffic is what stateful firewalls are all about, and FTP servers are probably the most hacked machines on the planet.

    You've mentioned the workaround; unfortunately that's the only way: change your customers to passive. I think Unix/Linux customers have a problem with this; changing your FTP server can also help, there are multiple servers that can be configured to disable active FTP. I wouldn't know exactly, I only do network & firewall... maybe someone else can move on this...
