Search results for query: *

The enable secret command still won't get passed a 'connection refused' message. Although you will need one configured to get into the router ultimately. Are you trying to connect from an IP address in this range: 10.10.10.1 - 10.10.10.6? The commands below restrict telnet access to the IPs...

One more thing I wanted to add: When you do the 'no access-list 101 permit ip 10.31.0.0 0.0.255.255 any' command, it will remove the entire 101 access list. You can get around that by using the command 'ip access-list extended <ACL name or number>'. That will allow you to remove specific line...

I'm assuming you don't go through a proxy for web access: All traffic from 10.31.0.0/16 through tunnel ----------------- access-list 100 permit ip 10.31.0.0 0.0.255.255 any no access-list 101 permit ip 10.31.0.0 0.0.255.255 any access-list 101 deny ip 10.31.0.0 0.0.255.255 any You can also...

Well, you aren't going to have much luck if they all use the same ports. Have you thought about setting up a remote access VPN through the ASA? You would VPN to the ASA from those 2-3 hosts then you could use the private IP addresses to connect through dameware or whatever else. Rich Network...

It should have this too: class-map inspection_default match default-inspection-traffic

I think IE is setup to use passive FTP mode by default, so that's probably why it is working there. The FTP command in the script likely uses active FTP mode and would be blocked by the firewall if inspection is disabled, as rico was alluding to. By default the ASA should be inspecting FTP...

I would say you could rule the ASA out at this point. You can also try simple telnet/FTP tests from inside the network and outside to isolate: From inside host (not going through ASA) ----------------- telnet <private IP address> 21 From outside host (going through ASA) -----------------...

Your config looks fine. Maybe there is an IP block for that address on FileZilla server? See below: http://forum.filezilla-project.org/viewtopic.php?f=6&t=3625

Enter the following and post the results: ASA#show run 'Scrubbed config' means remove any public IP address information. For example, if you have a public IP of 172.1.1.1 on an interface, change it to 172.1.x.x. Also 'star' out any passwords/keys, i.e. change 'key myPubKey' to 'key *****'.

Can you post a scrubbed config from the ASA? That log file usually means that the initial SYN packet was not received by the FTP server.

Hey jlm, You have to explicitly permit the RDP traffic first before it hits your NEQ statements. The example I'm posting below will work. Remember that if you want to allow any additional ports, you will need to place them above NEQ or add them to NEQ: ip access-list extended whiskey permit...

Good to hear. I would also recommend removing the 'ip flow ingress' on the ATM interfaces if you do not use NetFlow. That will eat up process cycles, too. Rich Network Engineer - CCNA

Router#copy running-config startup-config OR Router#write mem Router#show startup-config Rich Network Engineer - CCNA

ip access-list extended whiskey permit tcp host <your external IP address> 172.16.11.0 0.0.0.255 eq 3389 permit tcp host <your internal IP address> 172.16.11.0 0.0.0.255 eq 3389 deny tcp any 172.16.11.0 0.0.0.255 neq smtp www 443 ftp deny udp any 172.16.11.0 0.0.0.255 neq ntp deny icmp any...

Can you post output of the following, keep the debugs running: -Enable console/buffered logging on both ASAs and generate interesting traffic logging enable logging timestamp logging buffer-size 40960 logging buffered debugging -Attempt a ping to each outside interface...

One more thing I wanted to mention: Permit statements, as opposed to deny with neq, are much better for growth down the road. Let's suppose that you want to add a new SQL server and open up port 1521 access between two subnets. With the 'deny neq' lines, you will need to remove the NEQ ACE...

Using the ASA would be a nice option fyi. You could set all your hosts to use that as the default gateway and still define VLANs/subinterfaces on it. Not sure if you have already thought about doing that or if it isn't feasible. Back to your ACLs though. Unless I'm missing something, all you...

ISPKing is on the money. One of my favorite Cisco docs for router performance is located here: http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf Rich Network Engineer - CCNA

Hey Abidu, Your packets are likely being 'process switched' instead of switched through fast switching or CEF. You definitely need to enable CEF with the following command: ip cef If that doesn't work or help to alleviate, post output from the following: show proc cpu sorted show cef not...

That's not always possible in a production environment. Plus the 4000 switch might have multiple 48 port blades. Wizo: Is the tx queue on the interfaces saturated? For example, 'show interface' shows 255/255 on txload. Check out running a SPAN session if the traffic is being transmitted across...