The enable secret command still won't get past a 'connection refused' message, although you will need one configured to get into the router ultimately.
Are you trying to connect from an IP address in this range:
10.10.10.1 - 10.10.10.6?
The commands below restrict telnet access to the IPs...
One more thing I wanted to add:
When you do the 'no access-list 101 permit ip 10.31.0.0 0.0.255.255 any' command, it will remove the entire 101 access list.
You can get around that by using the command 'ip access-list extended <ACL name or number>'. That will allow you to remove a specific line...
I'm assuming you don't go through a proxy for web access:
All traffic from 10.31.0.0/16 through tunnel
-----------------
access-list 100 permit ip 10.31.0.0 0.0.255.255 any
no access-list 101 permit ip 10.31.0.0 0.0.255.255 any
access-list 101 deny ip 10.31.0.0 0.0.255.255 any
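Added example (not from any of the posts above) showing the two behaviours described: the numbered-ACL syntax that drops the whole list, and the named-ACL mode that lets you remove or insert a single ACE. It reuses the page's 10.31.0.0/16 and ACL 101; the host 10.10.10.5 and port 3389 are constructed values.

```cisco
! Added example, not from the original posts. Uses the page's 10.31.0.0/16
! and ACL 101; the host 10.10.10.5 and RDP port 3389 are constructed.
configure terminal

! --- Pitfall with classic numbered syntax ---
 access-list 101 permit ip 10.31.0.0 0.0.255.255 any
 access-list 101 deny   ip 10.31.0.0 0.0.255.255 any
! "no access-list 101 <anything>" deletes the ENTIRE list, not just the
! ACE written on the line:
 no access-list 101 permit ip 10.31.0.0 0.0.255.255 any
! -> ACL 101 no longer exists. An interface that still references it via
!    "ip access-group 101 in" now filters nothing in that direction.

! --- Safer: edit the same numbered list in named-ACL mode ---
 access-list 101 permit ip 10.31.0.0 0.0.255.255 any
 access-list 101 deny   ip 10.31.0.0 0.0.255.255 any
 ip access-list extended 101
  ! Remove exactly one ACE by its sequence number (defaults: 10, 20, ...).
  ! "no permit ip 10.31.0.0 0.0.255.255 any" removes the same ACE by text.
  no 10
  ! Insert a narrow permit ahead of the remaining deny (sequence 20)
  ! instead of tearing the list down and rebuilding it.
  15 permit tcp 10.31.0.0 0.0.255.255 host 10.10.10.5 eq 3389
 exit
end

! Confirm what is actually installed before trusting the filter:
show access-lists 101
```

`show access-lists 101` should now list sequence 15 (the RDP permit) followed by sequence 20 (the deny), with the original permit at sequence 10 gone.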
You can also...
Well, you aren't going to have much luck if they all use the same ports.
Have you thought about setting up a remote access VPN through the ASA? You would VPN to the ASA from those 2-3 hosts, then you could use the private IP addresses to connect through DameWare or whatever else.
Rich
Network...
I think IE is set up to use passive FTP mode by default, so that's probably why it is working there.
The FTP command in the script likely uses active FTP mode and would be blocked by the firewall if inspection is disabled, as rico was alluding to.
By default the ASA should be inspecting FTP...
I would say you could rule the ASA out at this point. You can also try simple telnet/FTP tests from inside the network and outside to isolate:
From inside host (not going through ASA)
-----------------
telnet <private IP address> 21
From outside host (going through ASA)
-----------------...
Your config looks fine. Maybe there is an IP block for that address on the FileZilla server?
See below:
http://forum.filezilla-project.org/viewtopic.php?f=6&t=3625
Enter the following and post the results:
ASA#show run
'Scrubbed config' means remove any public IP address information. For example, if you have a public IP of 172.1.1.1 on an interface, change it to 172.1.x.x. Also 'star' out any passwords/keys, i.e. change 'key myPubKey' to 'key *****'.
Hey jlm,
You have to explicitly permit the RDP traffic first before it hits your NEQ statements. The example I'm posting below will work. Remember that if you want to allow any additional ports, you will need to place them above NEQ or add them to NEQ:
ip access-list extended whiskey
permit...
Good to hear. I would also recommend removing the 'ip flow ingress' on the ATM interfaces if you do not use NetFlow. That will eat up process cycles, too.
Rich
Network Engineer - CCNA
Can you post the output of the following? Keep the debugs running:
-Enable console/buffered logging on both ASAs and generate interesting traffic
logging enable
logging timestamp
logging buffer-size 40960
logging buffered debugging
-Attempt a ping to each outside interface...
One more thing I wanted to mention: Permit statements, as opposed to deny with neq, are much better for growth down the road.
Let's suppose that you want to add a new SQL server and open up port 1521 access between two subnets. With the 'deny neq' lines, you will need to remove the NEQ ACE...
Using the ASA would be a nice option, FYI. You could set all your hosts to use that as the default gateway and still define VLANs/subinterfaces on it. Not sure if you have already thought about doing that or if it isn't feasible.
Back to your ACLs though. Unless I'm missing something, all you...
ISPKing is on the money. One of my favorite Cisco docs for router performance is located here:
http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf
Rich
Network Engineer - CCNA
Hey Abidu,
Your packets are likely being 'process switched' instead of switched through fast switching or CEF. You definitely need to enable CEF with the following command:
ip cef
If that doesn't work or help to alleviate the issue, post the output from the following:
show proc cpu sorted
show cef not...
That's not always possible in a production environment. Plus the 4000 switch might have multiple 48 port blades.
Wizo: Is the tx queue on the interfaces saturated? For example, 'show interface' shows 255/255 on txload. Check out running a SPAN session if the traffic is being transmitted across...