[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

PIX 6.3(3) problem - Cannot connect to external FTP from inside - recieve PORT failed (mismatch)

Posted on 2004-12-01
5
Medium Priority
?
369 Views
Last Modified: 2011-04-14
Recently upgraded my PIX 515 to version 6.3(3) from 6.2. Everything has been running fine with 1 exception: I have problems connecting to only a few specific FTP addresses now, and the firewall is the only thing I can think of that has changed. These are just standard FTP sites, running on Ports 20,21. Error log from WS_FTP Pro v.9 when trying to connect is this:

PORT 10,195,1,226,4,213
521 PORT xx.xx.78.44 mismatch 10.195.1.226
Port failed 521 PORT xx.xx.78.44 mismatch 10.195.1.226

Result of 'sho config':

: Saved
: Written by enable_15 at 18:58:53.108 EST Mon Nov 1 2004
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxx encrypted
hostname pixfirewall
domain-name XXXXX.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.195.1.103 TS4
name 10.195.1.210 H-Control2
name 10.195.1.253 H-SNA
name 10.195.5.178 Conn-VOIP-LAN
name 10.195.1.201 EDIRECALL9
name 10.195.5.100 CONNDC
name 10.195.1.198 IS032-SS
name 10.195.1.129 IS032-WEX
name 10.195.1.205 Domino
name xx.xx.54.243 TowersPerrin
name 10.195.1.243 IS032-Summit
name 10.195.1.250 RC-REMOTE
name 10.195.1.251 RC-SECURE
name 10.195.1.241 REPORTING
name 10.195.1.3 SECUREMAIL
name 10.195.1.2 EXCHANGE
name 10.195.1.245 Macro
name xx.xx.33.192 JTHOME
name 10.195.1.169 NURSE
object-group service Perl tcp
  description perl
  port-object range 40000 44999
access-list outside_cryptomap_20 permit ip host xx.xx.78.38 host TowersPerrin
access-list acl_out permit tcp any host xx.xx.78.45 eq telnet
access-list acl_out permit tcp any host xx.xx.78.37 object-group Perl
access-list acl_out permit tcp any host xx.xx.78.43 eq www
access-list acl_out permit tcp any host xx.xx.78.43 eq https
access-list acl_out permit tcp any host xx.xx.78.39 eq www
access-list acl_out permit tcp any host xx.xx.78.39 eq https
access-list acl_out permit tcp any host xx.xx.78.38 eq www
access-list acl_out permit tcp any host xx.xx.78.38 range 1024 1030
access-list acl_out permit tcp any host xx.xx.78.38 eq ftp
access-list acl_out permit tcp any host xx.xx.78.38 eq ftp-data
access-list acl_out permit tcp any host xx.xx.78.40 eq www
access-list acl_out permit tcp any host xx.xx.78.41 eq 3389
access-list acl_out permit tcp any host xx.xx.78.41 range 9000 9005
access-list acl_out permit tcp any host xx.xx.78.42 range 5566 5567
access-list acl_out permit udp any host xx.xx.78.42 range 5566 5567
access-list acl_out permit tcp any host xx.xx.78.42 eq 5004
access-list acl_out permit udp any host xx.xx.78.42 eq 5004
access-list acl_out permit tcp any host xx.xx.78.42 eq www
access-list acl_out permit ip host xx.xx.78.38 host TowersPerrin
access-list acl_out permit tcp any host xx.xx.105.146 eq https
access-list acl_out permit tcp any host xx.xx.105.145 eq www
access-list acl_out permit tcp any host xx.xx.105.145 eq https
access-list acl_out permit tcp any host xx.xx.105.147 eq www
access-list acl_out permit tcp any host xx.xx.105.147 eq https
access-list acl_out permit tcp any host xx.xx.78.36 eq smtp
access-list acl_out permit tcp any host xx.xx.78.36 eq https
access-list acl_out permit tcp any host xx.xx.105.148 eq 3390
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.195.1.0 255.255.255.0
pager lines 250
logging on
logging timestamp
logging buffered informational
logging trap informational
logging host inside 10.195.1.248
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.78.35 255.255.255.240
ip address inside 10.195.1.14 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool RemotePool 10.195.1.50-10.195.1.51
pdm location IS032-WEX 255.255.255.255 inside
pdm location IS032-SS 255.255.255.255 inside
pdm location Domino 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 10.195.1.92 255.255.255.255 inside
pdm location TS4 255.255.255.255 inside
pdm location 10.195.1.221 255.255.255.255 inside
pdm location 10.195.1.229 255.255.255.255 inside
pdm location 10.195.1.93 255.255.255.255 inside
pdm location 172.16.9.0 255.255.255.0 inside
pdm location H-Control2 255.255.255.255 inside
pdm location 10.195.5.0 255.255.255.0 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 10.195.6.0 255.255.255.0 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 10.195.2.0 255.255.255.0 inside
pdm location 10.195.3.0 255.255.255.0 inside
pdm location 10.195.4.0 255.255.255.0 inside
pdm location 192.168.223.0 255.255.255.0 inside
pdm location 198.143.195.233 255.255.255.255 inside
pdm location 198.143.195.233 255.255.255.255 outside
pdm location 198.143.195.0 255.255.255.0 inside
pdm location 90.0.0.0 255.255.255.0 inside
pdm location 90.0.0.0 255.0.0.0 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location H-SNA 255.255.255.255 inside
pdm location 10.195.1.51 255.255.255.255 inside
pdm location 10.195.1.102 255.255.255.255 inside
pdm location 10.195.1.57 255.255.255.255 inside
pdm location Conn-VOIP-LAN 255.255.255.255 inside
pdm location EDIRECALL9 255.255.255.255 inside
pdm location CONNDC 255.255.255.255 inside
pdm location 10.195.1.162 255.255.255.255 inside
pdm location 10.195.1.177 255.255.255.255 inside
pdm location TowersPerrin 255.255.255.255 outside
pdm location 10.195.1.248 255.255.255.255 inside
pdm location IS032-Summit 255.255.255.255 inside
pdm location 10.195.9.0 255.255.255.0 inside
pdm location 10.195.10.0 255.255.255.0 inside
pdm location RC-REMOTE 255.255.255.255 inside
pdm location RC-SECURE 255.255.255.255 inside
pdm location REPORTING 255.255.255.255 inside
pdm location SECUREMAIL 255.255.255.255 inside
pdm location EXCHANGE 255.255.255.255 inside
pdm location Macro 255.255.255.255 inside
pdm location JTHOME 255.255.255.255 outside
pdm location NURSE 255.255.255.255 inside
pdm location xx.xx.78.38 255.255.255.255 outside
pdm logging informational 512
pdm history enable
arp timeout 14400
global (outside) 1 xx.xx.105.149-xx.xx.105.150 netmask 255.255.255.248
global (outside) 1 xx.xx.78.44
global (outside) 1 xx.xx.78.46
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xx.xx.105.148 3390 Macro 3389 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.78.39 IS032-WEX netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.78.38 IS032-SS netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.78.40 IS032-Summit netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.78.41 TS4 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.78.43 EDIRECALL9 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.78.37 H-Control2 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.78.45 H-SNA netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.105.147 REPORTING netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.78.42 Conn-VOIP-LAN netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.105.145 RC-REMOTE netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.105.146 RC-SECURE netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.78.36 SECUREMAIL netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.78.33 1
route inside 10.195.2.0 255.255.255.0 10.195.1.252 1
route inside 10.195.3.0 255.255.255.0 10.195.1.252 1
route inside 10.195.4.0 255.255.255.0 10.195.1.252 1
route inside 10.195.5.0 255.255.255.0 10.195.1.252 1
route inside 10.195.6.0 255.255.255.0 10.195.1.252 1
route inside 10.195.9.0 255.255.255.0 10.195.1.252 1
route inside 90.0.0.0 255.0.0.0 10.195.1.252 1
route inside 192.168.223.0 255.255.255.0 10.195.1.252 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (inside) vendor websense host 10.195.1.162 timeout 5 protocol UDP version 4
filter url http 10.195.1.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
filter url 21 10.195.1.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
filter url 443 10.195.1.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
http server enable
http TS4 255.255.255.255 inside
http 10.195.1.57 255.255.255.255 inside
http 10.195.1.162 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside TS4 /pix
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 12.47.223.9
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 2160 kilobytes 4608000
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 12.47.223.9 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 24.29.24.11 netmask 255.255.255.255 no-xauth no-config-mode
isakmp keepalive 10 5
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup RemoteTest address-pool RemotePool
vpngroup RemoteTest dns-server 10.195.1.128 10.195.1.36
vpngroup RemoteTest wins-server 10.195.1.36
vpngroup RemoteTest default-domain ss-healthcare
vpngroup RemoteTest idle-time 1800
vpngroup RemoteTest secure-unit-authentication
vpngroup RemoteTest password ********
telnet TS4 255.255.255.255 inside
telnet 10.195.1.57 255.255.255.255 inside
telnet 10.195.1.162 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
terminal width 80

Thanks for any help, Experts-Exchange has always been the best place for troubleshooting!!
0
Comment
Question by:jthomas27
  • 3
  • 2
5 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 1500 total points
ID: 12717868
Are you sure it's not something in the WebSense setup?
>filter url 21 10.195.1.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
0
 

Author Comment

by:jthomas27
ID: 12719817
No, that's been in place for over a year now with no problems. I've tested the FTP transfer with no policies applied to the user account, and same thing. I can authenticate to the remote FTP site, but can't see any files/directories. Get the PORT mismatch error every time I do a LIST or CHDIR.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12719914
Have you tried changing to passive ftp, or to active ftp if you're already using passive?
The client should have an option.. it could be a restriction on the remote end and not your end.
0
 

Author Comment

by:jthomas27
ID: 12721008
Tried both active and passive modes. That's what's killing me is that it's only a handfull of sites I'm having issues with. There are no other problems with the firewall, everything else has been running smooth. The only thing I can think of is that it's a problem with the PATed addresses our users show up as on the internal interface, but I get the same error for a NATed IP as well.  Ughh!
0
 

Author Comment

by:jthomas27
ID: 13622861
Problem was a combination of updated WebSense as well as updated Firewall. WebSense rules on PIX needed to be more specific, as well as the policies in the WebSense Manager.

Thanks for all your help!
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
this video summaries big data hadoop online training demo (http://onlineitguru.com/big-data-hadoop-online-training-placement.html) , and covers basics in big data hadoop .
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question