The enable secret command still won't get past a 'connection refused' message. Although you will need one configured to get into the router ultimately.
Are you trying to connect from an IP address in this range:
10.10.10.1 - 10.10.10.6?
The commands below restrict telnet access to the IPs...
One more thing I wanted to add:
When you do the 'no access-list 101 permit ip 10.31.0.0 0.0.255.255 any' command, it will remove the entire 101 access list.
You can get around that by using the command 'ip access-list extended <ACL name or number>'. That will allow you to remove specific line...
I'm assuming you don't go through a proxy for web access:
All traffic from 10.31.0.0/16 through tunnel
-----------------
access-list 100 permit ip 10.31.0.0 0.0.255.255 any
no access-list 101 permit ip 10.31.0.0 0.0.255.255 any
access-list 101 deny ip 10.31.0.0 0.0.255.255 any
You can also...
Well, you aren't going to have much luck if they all use the same ports.
Have you thought about setting up a remote access VPN through the ASA? You would VPN to the ASA from those 2-3 hosts then you could use the private IP addresses to connect through dameware or whatever else.
Rich
Network...
I think IE is set up to use passive FTP mode by default, so that's probably why it is working there.
The FTP command in the script likely uses active FTP mode and would be blocked by the firewall if inspection is disabled, as rico was alluding to.
By default the ASA should be inspecting FTP...
I would say you could rule the ASA out at this point. You can also try simple telnet/FTP tests from inside the network and outside to isolate:
From inside host (not going through ASA)
-----------------
telnet <private IP address> 21
From outside host (going through ASA)
-----------------...
Your config looks fine. Maybe there is an IP block for that address on FileZilla server?
See below:
http://forum.filezilla-project.org/viewtopic.php?f=6&t=3625
Enter the following and post the results:
ASA#show run
'Scrubbed config' means remove any public IP address information. For example, if you have a public IP of 172.1.1.1 on an interface, change it to 172.1.x.x. Also 'star' out any passwords/keys, i.e. change 'key myPubKey' to 'key *****'.
Hey jlm,
You have to explicitly permit the RDP traffic first before it hits your NEQ statements. The example I'm posting below will work. Remember that if you want to allow any additional ports, you will need to place them above NEQ or add them to NEQ:
ip access-list extended whiskey
permit...
Good to hear. I would also recommend removing the 'ip flow ingress' on the ATM interfaces if you do not use NetFlow. That will eat up process cycles, too.
Rich
Network Engineer - CCNA
Can you post output of the following, keep the debugs running:
-Enable console/buffered logging on both ASAs and generate interesting traffic
logging enable
logging timestamp
logging buffer-size 40960
logging buffered debugging
-Attempt a ping to each outside interface...