Cisco Firewall :: 2951 - Cannot FTP To Server From Outside Network
Feb 5, 2012
I have a Cisco 2951 Router on which I configured routes for Zone-Based Firewall. I have a FTP server inside my network and I have allowed hosts from the internet to connect to it through the router. They, are however not able to connect or they are connecting but they cannot transfer files. I checked the logs on the router and the error message is as follows:
%FW-6-DROP_PKT: Dropping tcp session xx.xx.xx.xx:21 xx.xx.xx.xx:21766 on zone-pair ccp-zp-out-in class FTPInbound due to Invalid Seq# with ip ident 0
View 7 Replies
ADVERTISEMENT
Feb 16, 2011
I am confiuring ZFW on a Cisco 2951 Router. The router has the following interfaces: [code]Port Channel 1, 1.5, 1.10, 1.15, 1.20 have been added to the zone called IN-OUT. All the subinterfaces correspond to an internal VLAN.The router is connected to a MPLS network and has a BGP peer on interface MPPP. Over the MPLS network, an ecrypted DMVPN tunnel to HQ has been built (tunnel 0). EIGRP is the routing protocol running over the tunnel.Traffic coming in from HQ has to be firewalled on this router (don't ask me why!!). As a result, I am configuring ZFW on this router.
1-The router itself does not need to be protected, only the servers in the remote offices. That being said, I am not planning to create any self zone on this router. I don't want to break BGP, therefore the MPPP interface will NOT belong to any zone. Is this the correct way to do it?
2-The tunnel 0 interface will belong to OUT-IN zone that will protect all incoming traffic into this site from HQ. So when writing class-maps for the traffic coming INTO this site, do I need to write any class-maps for EIGRP or ESP? My guess is no, since that traffic will not be coming into the site, but rather just terminating on the router.
View 5 Replies
View Related
Sep 17, 2012
I'm configuring a console server for configuring remote devices. This is working well except for the fact that if a target device is in ROMMON mode, the console server refuses to displays the target device console. It does open the connection but the ROMMON prompt is not shown on the console server . This is essential for this device as we will need to use it to reset passwords remotely and thus need to be able to access ROMMON mode from the console server.
Parts used are a 2951 router and a HWIC-8A serial card. Posted my config below:
[code]
Current configuration : 4389 bytes
!
[Code].....
View 1 Replies
View Related
Dec 21, 2011
I have configured my 2951 router to send logs to my Kiwi syslog server like below.
#logging 10.20.20.52
But I am not receiving any logs from my router, the same has configured on my asa5520 and its sending logs.
View 3 Replies
View Related
Nov 6, 2011
I recently installed a 2951 with a security plus license..I hate it (security featuers not router) and would like to put the asa back in place.how to integrate the asa with the 2951, I believe I need to run it in multi context mode.
View 3 Replies
View Related
Dec 29, 2011
Me to a 2951 router with fireawall featureset. Ive begun to move the ACLs that where in the pix. However some of the rules are allowed to be typed in bur when i look at the ACL afterwards they are not what i typed in.
View 2 Replies
View Related
Oct 22, 2012
CNA version is 7.5(6)
router: Cisco 2951
error: unable to connect
are able to connect to other switches, such as 2970 questions:
1. is there any configuration needs to be done to connect to 2951 though CNA?
2. is 2951 supported device in CNA?
View 2 Replies
View Related
Oct 24, 2011
My current setup.
Layout:
Line01 Line02
| |
Cisco 2951 Cisco 2951
---------------------
|
Cisco 3750G - Server #1 & #2 for domain controller, sharepoint, etc
|
---------------------
| |
Cisco 2960 Cisco 2960
| | | | | | | ... | | | | |
workstation #1, #2, .... #70
And I would like to ask some opinion on the best configuration for the above layout:
1. Configuration #1 - Using load sharing and automatic failover So I want to ask whether there's any link/url that provides details/guides on how to setup the load sharing and failover?
2. Configuration #2 - Workstations 1 - 35 will be routed through Line01 gateway and workstations 36 - 70 will be routed through Line02 As for this configuration, it's done now. However, I want to know whether there's any software (preferred web based application which allows me to change the gateway from line #1 to line #2 for all 70 computers instead of having to go to each workstation to update the gateway).
View 1 Replies
View Related
Mar 9, 2013
I have one of my customer have cisco 2951 Router with two ISP and two ADSL module .i already configure one ADSL module.rit now customer want secondISP ( ADSL) module configuration separate netwok because customer have Access pont they want connect directly to router is it possible
1st ISP already running but customer requirement 2nd ISP superate network with Access pont not redundancy
View 5 Replies
View Related
Feb 14, 2011
Today, out of nowhere (no known system changes) I was unable to connect to a network server at my office. I always connect with a VPN first....and that went fine.Then - when I tried to map to a network drive, it wouldn't connect. I get error code 0x80070035.When I disable my AVG firewall, I'm able to connect perfectly.So, I'm guessing I have to create some type of rule for my firewall, but I have NO idea where to get the info with which to do so. I'm running Windows 7 (64B) and have AVG Internet Security 2011.
View 6 Replies
View Related
Aug 23, 2011
I am using ASA 5520 with 8.2.4 IOS. I'm new to ASA/Firewall. I need to do access webserver from outside network.From Laptop (192.168.2.51), If I connect to url... it should open page from 10.10.10.50.I also need to ssh to webserver from laptop. If I ssh to 192.168.2.50 from laptop, it should connect to 10. 10. 10.50. [code]I can't get to webserver from outside network, so now, I connected laptop to directly ASA 5520 outside port with crossover cable.ASA Inside port connects to L3 switch. Webserver also connects to L3 switch. But still doesn't work.
View 9 Replies
View Related
Sep 27, 2012
When I start a VPN-session my server looses internet access. The server is host for a few virtual machines and they have internet access.using 5505 and asa is version 8.4(2). [code]
View 6 Replies
View Related
May 21, 2012
I am using a 6500 with FWSM. I need to separate an internal server/HQ network from 3 or 4 different external connections. The external networks do not necessarily need to be isolated from each other.I have the option of using a 3 layer model: L2 Access layer to SVIs on the Distribution layer and then L3 to the 6500.L2 Access, connecting directly to the 6500s, with the SVIs on the FWSM.Is it better to have the FWSM outside the MSFC or Inside? Am i correct in thinking that "inside" vs "outside" is determined by whether the SVI's are configured on the FWSM or the MSFC? is there any performance impact from having the FWSM doing the routing instead of the MSFC.If the vlans are all configured on the FWSM, what is the 6500 doing, other than providing switch ports?
View 1 Replies
View Related
Feb 20, 2013
I have a asa 5510 vpn client groups configured and connected to the internal network DHCP server stops giving network service dhcp and the network goes down.
View 6 Replies
View Related
Jul 24, 2011
I'am using ASA 5510 and I try to understand how PAT is working.I want to add a Mail Server in the LAN and a webmail using port 3000 on the server. ( webmail must be reachable from the WAN)This is my Configuration :actually LAN users access internet using NAT with one global IP ( 194.x.x.69) which is the ASA WAN interface.
WAN ----- ISP Router ---------- FW ---------- LAN -------- Mail Server + Webmail
| (25) | (3000)
194.x.x.69 192.168.1.254 192.168.1.6
I need to forward port 3000 and port 25 from outside to inside.For example, from the WAN : [URL] must be redirect toward 192.168.1.6:3000 . What is the Correct Configuration ? And what about the Inside/Outside Traffic,Is there any configuration to add ?
View 2 Replies
View Related
Aug 23, 2011
We have Cisco ASA 5505 with ASDM 5.2 We have one Proxy server in our Local Lab and pointed to Hosted service(Simple Signal)issue is, When our proxy server send register to hosted server, ASA change private IP and post with outside IP and src port as 1063 every time.
Here is debug log on real time monitoring.
Aug 24 2011 05:21:19 302015 203.xxx.xxx.226 192.168.1.51 Built outbound UDP connection 3774 for outside:203.xxx.xxx.226/5060 (203.xxx.xxx.226/5060) to inside:192.168.1.51/27014 (99.119.161.107/1142)
Aug 24 2011 05:21:19 607001 203.xxx.xxx.226 Pre- allocate SIP Via UDP secondary channel for inside:192.168.1.51/27014 to outside:203.xxx.xxx.226 from REGISTER message
Aug 24 2011 05:21:19 710005 203.xxx.xxx.226 99.xxx.xxx.107 UDP request discarded from 203.xxx.xxx.226/5060 to outside:99.xxx.xxx.107/1063
Here 99.xxx.xxx.107 is Our ASA Outside IP address 203.xxx.xxx.226 is Hosted server IP address. My ASA config is attached.
View 2 Replies
View Related
May 22, 2013
I have ASA 5520 installed. I want to use ntp server for firewall clock setting. I found one open-access ntp server (stratum 2) in Los Angeles:
[URL] 209.151.225.100
Can I use the following command to set ntp server?
ntp server 209.151.225.100 source outside.
View 3 Replies
View Related
Mar 6, 2012
our customer has a server farm in a data center.At the moment the farm has connectivity with only one ISP but sometimes it has service discontinuity.Customer wants to become AS and having two ISP connectivity for backup purposes.He needs to evaluete two cisco routers to use at AS edge with BGP.At the moment he says that the throughputh with the server farm is max 15Mbps and in the future he thinks that it will not increase.We think about cisco2951 routers with 2GB ram.Is cisco 2951 adeguate for this task ?
View 3 Replies
View Related
Jan 25, 2011
I have the situation with my new Cisco 2951 router. It has only one module on board - SM-D-ES3-48-P. I don't know what is wrong but I can't see any information about this module. When I connect my laptop to any port it's become green, but it's still green even after I disconnect PC from this port. Sh ip int brief command shows only built-in gigabit interfaces. I also connect my second PC to the router by console to monitor any changes when I connect or disconnect laptop to the module's ports. [code]
View 3 Replies
View Related
Mar 22, 2011
I'm setting up IPsec for a DMVPN between a 2811 and 2951s in a test lab. I have enabled IPsec on the hub (2811) but I am unable to do so on either of the 2951s. After researching, it seems that I may have the incorrect IOS for this, but I am at a loss which IOS I should be using. Currently the 2951s are on "c2951-universalk9-mz.SPA.151-2.T2.bin".
View 1 Replies
View Related
Jun 11, 2013
My setup is as below
inside host--> ASA1--Outside interface- layer_ 2_Switch1--outside interface--> ASA2--inside interface-DHCP SERVER.
We want that inside host should get ip from subnet 192.168.10.0 /24. This ip pool is configured in DHCP server (ip 172.16.10.1) which is connected to ASA2. There is no routing issue as we are able to ping DHCP srever 172.16.10.1 from ASA1. to do config needed on ASA1 and ASA2 , so that host connected to ASA1 inside interface can get ip from DHCP srever. We have configured 192.168.10.1 /24 to ASA1 inside interface which will be gateway to inside host of ASA1.
View 6 Replies
View Related
Aug 15, 2012
We have an old 3725 router with a HSSI card connected to a DL3100, which in turn is connected to a subrate DS3 circuit. The plan is to replace the router with a new 2951 router and a NM-T3/E3 card.After the router was replaced, I configured the NM but the circuit remained dow/down. I'm sure it has to do with the fact that the DS3 circuit is channelized but I'm not sure how to configure this module to be channalized. Here is the configuration that I placed on the router: [code]
View 4 Replies
View Related
May 30, 2011
We recently purchased the Cisco Router 2951 router with the IOS 15.0. I have tried to put in my VIC2-4FXO card in it. When I did show invetery, it detected the card.[code] When I tried to configure the voice port by typing voice port, it shows % Invalid input detected at '^' marker. I have tried to reset the cad and replace with another one.
View 3 Replies
View Related
Jan 10, 2010
setting up IPsec for a DMVPN between a 2811 and 2951s in a test lab. I have enabled IPsec on the hub (2811) but I am unable to do so on either of the 2951s. After researching, it seems that I may have the incorrect IOS for this, but I am at a loss which IOS I should be using. Currently the 2951s are on "c2951-universalk9-mz.SPA.151-2.T2.bin" and the only crypto options.
View 9 Replies
View Related
Jan 7, 2013
We have approx. 40 branch offices that connect to our core IOS Firewall (2951) over ipsec VPN Tunnel. One particular site has been facing issues over the past few days. This site will sporadically drop it's VPN Tunnel and reestablish after a few seconds. If I run debug crypto ipsec and crypto isakmp on the site that is dropping, it is constantly going through the DPD process. If I run these same commands on another site, they seem to run DPD at all.
Here is some of the output I am seeing on the site that is failing.
Jan 8 11:18:38.873 AST: %FW-6-DROP_PKT: Dropping tcp session 111.222.3.106:50083 96.16.47.144:80 due to Stray Segment with ip ident 54856 tcpflags 0x5004 seq.no 2154004347 ack 0
Jan 8 11:18:46.061 AST: ISAKMP (4028): received packet from 111.222.255.106 dport 500 sport 500 Global (I) QM_IDLE
Jan 8 11:18:46.061 AST: ISAKMP: set new node -1497488895 to QM_IDLE
Jan 8 11:18:46.061 AST: ISAKMP:(4028): processing HASH payload. message ID = 2797478401
Jan 8 11:18:46.061 AST: ISAKMP:(4028): processing SA payload. message ID = 2797478401
[code]....
View 2 Replies
View Related
Jun 27, 2011
How to get a WLC on a SRE up and running. I have a WLC installed and running on a 2951 SRE connected to a L3 switch in a lab.
I've tried to follow the Cisco document:
[URL]...
My wireless clients could only receive a DHCP allocated IP address for the 55.XX subnets defined on the wireless lan controller and SRE (shown on page 12 of the pdf). All traffic seemed to be routed via the native vlan of the inside router trunk interface and all DHCP requests arriving at my DHCP server were from 55.XX. Because of this I didn't see the point of trunking
so I've changed it to a point to point routed connection, created a 55.XX DHCP scope on my DHCP server for the wireless clients and all routing works fine.I found the document rather misleading.
View 1 Replies
View Related
Dec 27, 2011
configuring my Cisco 2951 router. There are three routed interfaces that I need to configure: one for the internal LAN, the second for another private subnet that connects to a Data Centre and the third for the WAN connection. I have configured the Ge0/0 interface as the LAN interface with the internal network 10.17.0.0/24. I have also configured my WAN interface Ge0/1 for internet connectivity. Now, I need to configure the third interface Ge0/2 that will connect to the Data Centre. This will be a private point to point switched ethernet link. The Data Centre will host a secondary domain controlller. So, I want it to be on the same network as the internal LAN, i.e., 10.17.0.0/24. I want to be able to see all other devices that will be located at the Data Centre just like I would see all devices connected to the internal LAN.The problem I am facing is that Cisco 2951 does not allow me to configure two routed interfaces to be on the same subnet. Is there any way to work around this problem and configure both the internal LAN and the Data Centre private network to be on the same subnet.
View 6 Replies
View Related
Oct 17, 2012
I currently have a 50Mbps Internet Connection provided by an ethernet handoff for hosting some webservers. We are looking at adding an additional 10Mbps Internetn connection and route BGP between the two. For the 50Mbps connection, i'm using a Cisco 2951 router. I also have another 2951 router to terminate the 10Mbps connection. Does these router have enough horsepower to fully route BGP?
View 1 Replies
View Related
Jul 19, 2012
I'm just double checking here because I saw one doc that didn't mention the 2900 on the data sheet but, I ve seen the 2900 listed with on others. I don't see the 2900s listed in this with the interface.
[URL]
View 6 Replies
View Related
Apr 11, 2011
We have just installed our first 2951 router, and were suprised to see in our Netflow collector that Tunnel interfaces appeared even though we did not configure any, I have seen other posts talking about PIM tunnel when using Multicast, but we dont use multicast and the tunnel is GRE questions are, where do these interfaces come from? how do they pick up an IP address? can we shut them down? IOS is 150-1.M4 loopback interface ip address is 172.16.224.238 ( tunnel source) see output from sh int below
Tunnel0 is up, line protocol is up Hardware is Tunnel Interface is unnumbered. Using address of Tunnel1 (172.16.0.1) MTU 17912 bytes, BW 100 Kbit/sec, DLY 50000 usec, reliability 255/255, txload 99/255, rxload 1/255 Encapsulation TUNNEL, loopback not
[Code]......
View 6 Replies
View Related
Feb 9, 2012
configuring my Cisco 2951 router with Z0ne-based firewall. This is the scenario I would like to configure.
I have two ftp servers,S1 and S2, behind the router which needs to be accessed by two groups of users, G1 and G2, from the outside, i.e., from the internet.
I have two public IP addresses, 152.12.164.203 and 152.12.164.204. The WAN interface of the router is configured with IP address 152.12.164.203. G1 needs to access S1 on 152.12.164.203 and G2 needs to access S2 on 152.12.164.204.
What are the steps in configuring the router if I need the above scenario to be implemented?
View 5 Replies
View Related
Apr 11, 2012
We have 50 Mb Comcast cable conencted to 2951. There is another conenction to AT&T 20 Mb circuit which goes thru' an ASA 5510. Path to Internet is as below. [code]
As long as Comcast is up, 2951 sends Internet traffic out to Comcast and uses AT&T via ASA for backup.When traffic goes over Comcast, users complain about slow speed out to Internet. If we force traffic to AT&T via ASA, speed issue goes away.
We don't see any issue on 2951 router in terms of CPU or memory util.WHat can cause slow speed despite the fact that router resources are not maxed out and Comcast circuit has 150% more capacity than AT&T?
View 8 Replies
View Related
Dec 14, 2011
I have a new Cisco 2951 router and I am trying to configure it for external users to connect to an internal ftp server. I created a firewall and added rules so as to allow ftp connections from the outside to the internal ftp server. I configured NAT so as to allow incoming connections through the router. I have been unsuccessful so far in trying to make this ftp connection work.I am using a zone-based firewall and for the particular ftp rule, the action is inspect so as to allow stateful inspection of packets.
View 3 Replies
View Related
