
Cannot access external websites that use FTP

joescott4t
Level 1

hello all,

I am having an issue where I cannot access certain files on websites. It looks as though the files are accessed via FTP. Could my router be blocking it? I have a Cisco 2801 router acting as a firewall. If you need more information, please let me know what to post. Thanks.

13 Replies

Julio Carvajal
VIP Alumni

Hello Joe,

Can you share the configuration?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Sure, here is my config:

Current configuration : 12313 bytes

!

version 12.4

service timestamps debug datetime localtime

service timestamps log datetime localtime show-timezone

service password-encryption

!

hostname -2801

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

logging buffered 4096

!

aaa new-model

!

!

aaa authentication login userauthen group radius local

aaa authorization network groupauthor local

!

!

aaa session-id common

clock timezone est -5

clock summer-time zone recurring last Sun Mar 2:00 1 Sun Nov 2:00

dot11 syslog

ip source-route

!

!

ip dhcp excluded-address 172.19.3.129 172.19.3.149

ip dhcp excluded-address 172.19.10.1 172.19.10.253

ip dhcp excluded-address 172.19.3.140

ip dhcp excluded-address 172.19.3.133

ip dhcp ping timeout 900

!

ip dhcp pool DHCP

   network 172.19.3.128 255.255.255.128

   default-router 172.19.3.129

   domain-name domain.local

   netbios-name-server 172.19.3.7

   option 66 ascii 172.19.3.225

   dns-server 172.19.3.140 208.67.220.220 208.67.222.222

!

ip dhcp pool VoiceDHCP

   network 172.19.10.0 255.255.255.0

   default-router 172.19.10.1

   dns-server 208.67.220.220 8.8.8.8

   option 66 ascii 172.19.10.2

   lease 2

!

!

ip cef

ip inspect name SDM_LOW cuseeme

ip inspect name SDM_LOW dns

ip inspect name SDM_LOW ftp

ip inspect name SDM_LOW h323

ip inspect name SDM_LOW https

ip inspect name SDM_LOW icmp

ip inspect name SDM_LOW imap

ip inspect name SDM_LOW pop3

ip inspect name SDM_LOW netshow

ip inspect name SDM_LOW rcmd

ip inspect name SDM_LOW realaudio

ip inspect name SDM_LOW rtsp

ip inspect name SDM_LOW esmtp

ip inspect name SDM_LOW sqlnet

ip inspect name SDM_LOW streamworks

ip inspect name SDM_LOW tftp

ip inspect name SDM_LOW tcp

ip inspect name SDM_LOW udp

ip inspect name SDM_LOW vdolive

no ip domain lookup

ip domain name domain.local

!

multilink bundle-name authenticated

!

!

!

key chain key1

key 1

   key-string 7 06040033484B1B484557

!

crypto pki trustpoint TP-self-signed-3448656681

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3448656681

revocation-check none

rsakeypair TP-self-signed-3448656681

!

!

!

!

username admin privilege 15 password

archive

log config

  hidekeys

!

!

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key xxxxx address XXXXXXX

crypto isakmp key XXXXXXX address XXXXXXX

crypto isakmp keepalive 40 5

crypto isakmp nat keepalive 20

!

crypto isakmp client configuration group VPN

key XXXXXXX

dns 172.19.3.140

wins 172.19.3.140

domain domain.local

pool VPN_Pool

acl 198

crypto isakmp profile VPNClient

   description VPN clients profile

   match identity group VPN

   client authentication list userauthen

   isakmp authorization list groupauthor

   client configuration address respond

!

!

crypto ipsec transform-set myset esp-3des esp-md5-hmac

!

crypto dynamic-map Dynamic 5

set transform-set myset

set isakmp-profile VPNClient

qos pre-classify

!

!

crypto map VPN 10 ipsec-isakmp

set peer XXXXXXX

set transform-set myset

match address 101

qos pre-classify

crypto map VPN 20 ipsec-isakmp

! Incomplete

set peer XXXXXXX

set transform-set myset

match address 103

crypto map VPN 65535 ipsec-isakmp dynamic Dynamic

!

!

!

!

track 123 ip sla 1 reachability

delay down 15 up 10

!

class-map match-any VoiceTraffic

match protocol rtp audio

match protocol h323

match protocol rtcp

match access-group name VOIP

match protocol sip

class-map match-any RDP

match access-group 199

!

!

policy-map QOS

class VoiceTraffic

    bandwidth 512

class RDP

    bandwidth 768

policy-map MainQOS

class class-default

    shape average 1500000

  service-policy QOS

!

!

!

!

interface FastEthernet0/0

description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$

ip address 172.19.3.129 255.255.255.128

ip inspect SDM_LOW in

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/0.10

description $ETH-VoiceVLAN$$

encapsulation dot1Q 10

ip address 172.19.10.1 255.255.255.0

ip inspect SDM_LOW in

ip nat inside

ip virtual-reassembly

!

interface FastEthernet0/1

description "Comcast"

ip address Public IP 255.255.255.248

ip access-group 102 in

ip inspect SDM_LOW out

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map VPN

!

interface Serial0/1/0

description "Verizon LEC Site ID"

bandwidth 1536

no ip address

encapsulation frame-relay IETF

frame-relay lmi-type ansi

!

interface Serial0/1/0.1 point-to-point

bandwidth 1536

ip address XXXXXXX 255.255.255.252

ip access-group 102 in

ip verify unicast reverse-path

ip inspect SDM_LOW out

ip nat outside

ip virtual-reassembly

frame-relay interface-dlci 500 IETF  

crypto map VPN

service-policy output MainQOS

!

interface Serial0/2/0

description "Verizon ID) "

ip address XXXXXXX 255.255.255.252

ip access-group 102 in

ip inspect SDM_LOW out

ip nat outside

ip virtual-reassembly

encapsulation ppp

crypto map VPN

service-policy output MainQOS

!

ip local pool VPN_Pool 172.20.3.130 172.20.3.254

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 XXXXXXX track 123

ip route 0.0.0.0 0.0.0.0 XXXXXXX 254

ip route 107.0.197.20 255.255.255.255 XXXXXXX

ip route 208.67.220.220 255.255.255.255 XXXXXXX

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip flow-top-talkers

top 20

sort-by bytes

!

ip nat inside source route-map COMCAST interface FastEthernet0/1 overload

ip nat inside source route-map PAE interface Serial0/2/0 overload

ip nat inside source route-map VERIZON interface Serial0/1/0.1 overload

ip nat inside source static 172.19.3.133 12.12.12.12

!

ip access-list extended VOIP

permit ip 172.20.3.0 0.0.0.127 host 172.19.3.190

permit ip host 172.19.3.190 172.20.3.0 0.0.0.127

!

ip radius source-interface FastEthernet0/0

ip sla 1

icmp-echo 208.67.220.220 source-interface FastEthernet0/1

timeout 10000

frequency 15

ip sla schedule 1 life forever start-time now

access-list 23 permit 172.19.3.0 0.0.0.127

access-list 23 permit 172.19.3.128 0.0.0.127

access-list 23 permit 173.189.251.192 0.0.0.63

access-list 23 permit 107.0.197.0 0.0.0.63

access-list 23 permit 173.163.157.32 0.0.0.15

access-list 23 permit 72.55.33.0 0.0.0.255

access-list 23 permit 172.19.5.0 0.0.0.63

access-list 100 remark "Outgoing Traffic"

access-list 100 remark CCP_ACL Category=17

access-list 100 deny   ip 67.128.87.156 0.0.0.3 any

access-list 100 deny   ip host 255.255.255.255 any

access-list 100 deny   ip 127.0.0.0 0.255.255.255 any

access-list 100 permit tcp host 172.19.3.190 any eq smtp

access-list 100 permit tcp host 172.19.3.137 any eq smtp

access-list 100 permit tcp any host 66.251.35.131 eq smtp

access-list 100 permit tcp any host 173.201.193.101 eq smtp

access-list 100 permit tcp any any eq ftp

access-list 100 permit ip any any

access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127

access-list 101 permit ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127

access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.10

access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.11

access-list 101 permit tcp any any eq ftp

access-list 101 permit tcp any any eq ftp-data

access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.5.64

access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63

access-list 102 remark CCP_ACL Category=17

access-list 102 permit ip any host 12.12.12.12

access-list 102 remark "Inbound Access"

access-list 102 permit udp any host XXXXXXX eq non500-isakmp

access-list 102 permit udp any host XXXXXXX eq isakmp

access-list 102 permit esp any host XXXXXXX

access-list 102 permit ahp any host XXXXXXX

access-list 102 permit udp any host XXXXXXX eq non500-isakmp

access-list 102 permit esp any host XXXXXXX

access-list 102 permit ahp any host XXXXXXX

access-list 102 permit udp any host Public IP eq non500-isakmp

access-list 102 permit udp any host Public IP eq isakmp

access-list 102 permit esp any host Public IP

access-list 102 permit ahp any host Public IP

access-list 102 permit ip 72.55.33.0 0.0.0.255 any

access-list 102 permit ip 107.0.197.0 0.0.0.63 any

access-list 102 deny   ip 172.19.3.128 0.0.0.127 any

access-list 102 permit icmp any any echo-reply

access-list 102 permit icmp any any time-exceeded

access-list 102 permit icmp any any unreachable

access-list 102 remark ftp

access-list 102 permit tcp any any eq ftp

access-list 102 remark FTP Data

access-list 102 permit tcp any any eq ftp-data

access-list 102 permit icmp any any

access-list 102 permit udp any host XXXXXXX eq non500-isakmp

access-list 102 permit udp any host XXXXXXX eq isakmp

access-list 102 permit esp any host XXXXXXX

access-list 102 permit ahp any host XXXXXXX

access-list 102 deny   ip any any log

access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.5.0 0.0.0.63

access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63

access-list 110 remark "Outbound NAT Rule"

access-list 110 remark "Deny VPN Traffic NAT"

access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127

access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255

access-list 110 deny   ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127

access-list 110 deny   ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127

access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127

access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.11

access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.10

access-list 110 permit ip 172.19.3.128 0.0.0.127 any

access-list 110 permit ip 172.19.10.0 0.0.0.255 any

access-list 198 remark "Networks for VPN Client"

access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127

access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127

access-list 199 permit tcp any any eq 3389

!

!

!

route-map PAE permit 10

match ip address 110

match interface Serial0/2/0

!

route-map COMCAST permit 10

match ip address 110

match interface FastEthernet0/1

!

route-map VERIZON permit 10

match ip address 110

match interface Serial0/1/0.1

!

!

snmp-server community RO

radius-server host 172.19.3.7 auth-port 1645 acct-port 1646 key 7 060506324F411F090B464058

!

control-plane

!

!

line con 0

line aux 0

line vty 0 4

access-class 23 in

privilege level 15

transport input telnet ssh

line vty 5 15

access-class 23 in

privilege level 15

transport input telnet ssh

!

scheduler allocate 20000 1000

ntp server 128.118.25.3

ntp server 217.150.242.8

end

-2801#exit

Hello Joe,

Okay, you are inspecting FTP (that is good).

Now do the following:

config te

ip inspect log drop-pkt

Then try to download those files, and after you get the error immediately do the following:
show logging | include x.x.x.x

where x.x.x.x is the IP address of the website you are trying to access.

This will let us know if the firewall is dropping those connections.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
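As an added illustration (not code from the thread), here is a small Python check of the two things Julio is verifying: it parses an excerpt of the posted config and reports whether the outside interface's outbound inspect rule covers ftp and whether its inbound ACL statically permits the FTP control (tcp/21) and data (tcp/20) ports. The excerpt is constructed from the posted lines with indentation restored; the function names and the simplified first-match ACL logic are my own.

```python
import re

# Constructed excerpt modelled on the config posted in the thread (indentation
# restored; the full config is not reproduced here).
CONFIG = """\
ip inspect name SDM_LOW ftp
interface FastEthernet0/1
 ip access-group 102 in
 ip inspect SDM_LOW out
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq ftp-data
access-list 102 deny   ip any any log
"""

def parse_config(text):
    """Collect inspect rule sets, per-interface ACL/inspect bindings and ACL entries."""
    inspects, intfs, acls, cur = {}, {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level command ends interface context
            cur = None
        if m := re.match(r"ip inspect name (\S+) (\S+)", line):
            inspects.setdefault(m[1], set()).add(m[2])
        elif m := re.match(r"interface (\S+)", line):
            cur = intfs.setdefault(m[1], {"acl_in": None, "inspect_out": None})
        elif cur is not None and (m := re.match(r"ip access-group (\S+) in", line)):
            cur["acl_in"] = m[1]
        elif cur is not None and (m := re.match(r"ip inspect (\S+) out", line)):
            cur["inspect_out"] = m[1]
        elif m := re.match(r"access-list (\d+) (permit|deny)\s+(\S+)\s+(.*)", line):
            acls.setdefault(m[1], []).append((m[2], m[3], m[4]))
    return inspects, intfs, acls

def ftp_status(intf_name, text=CONFIG):
    """Is outbound CBAC on this WAN interface inspecting ftp (so server replies and
    data connections are opened dynamically), and what does its inbound ACL say
    statically about tcp/21 and tcp/20?  Matching is first-match on 'any any' entries."""
    inspects, intfs, acls = parse_config(text)
    intf = intfs[intf_name]
    entries = acls.get(intf["acl_in"], [])

    def acl_permits(port):
        for action, proto, rest in entries:
            if (proto == "tcp" and rest.endswith(f"eq {port}")) or \
               (proto == "ip" and rest.startswith("any any")):
                return action == "permit"
        return False  # implicit deny at the end of every IOS ACL

    return {"inspect_ftp": "ftp" in inspects.get(intf["inspect_out"], set()),
            "acl_permits_ftp": acl_permits("ftp"),
            "acl_permits_ftp_data": acl_permits("ftp-data")}
```

Because `ip inspect SDM_LOW out` opens the return traffic for client-initiated FTP, the static `permit tcp any any eq ftp` and `eq ftp-data` entries in ACL 102 are not what makes outbound FTP work; they admit unsolicited inbound connections to tcp/21 and tcp/20 and can be tightened once the real cause is found.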

Well, I tried that but the show logging | include returned nothing. I thought the firewall was already configured to allow FTP connections.

Hello Joe,

That is the point,

The firewall is already configured to allow that, so it looks like something else is denying the connection, as the firewall is not retrieving anything.

Can you remove the access-group and the inspect rules in order to test it?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

The router is live and I don't want to mess anything up; my Cisco skills are green.

Hello Joe,

Got it, but right now, based on what you have asked and provided, I can tell you it does not look like a CBAC issue (to be sure we should take it out, but as you cannot do that, this ends right there).

My other suggestion: from an internal PC, can you run Wireshark while trying to download those files and show us what you see in the capture?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I can do the Wireshark capture and report back.

OK, I was able to remove all the access-group lists and try, but it's still not working. This is very strange.

Hello Joe,

Yeah, looks like something else is blocking this.

Can you get the Wireshark capture?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I'm having trouble with that. I think I may need to adjust my filtering options in Wireshark.

tcp.port==21

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Still not finding anything. It's something within the router, but I just can't figure out what it is. I looked through Wireshark and saw no errors.
