I am using ftp server over internet, for this I am able to connect with ftp server successfully but unable to transfer data. I am unable to see the file's list on connected ftp server. I am using the router Cisco 1941 with 15.0 (1r) M12.
There is no firewall or any ACL policy applied that could stop the any type of traffic.
I have also configured ip ftp passive command on it. But still passive ftp not working.
I'm in process of purchasing a new Cisco routers for our branches that will be used primary to enable IPSec virtual tunnel interfce with "tunnel mode ipsec ipv4". does the default IOS IP Base supports this feature? or i need to purchase DATA license or SECURITY license?
View 4 Replies View RelatedMcAffee scan of acs 1113 appliance running the 4.2 build 124 patch 12 version reports that a medium vulnerability exists because the system has SSH version 1. Any way to specify only version 2 or turn off SSH?
View 9 Replies View RelatedI have a few remote locations that use a Cisco 5505 to connect to my server through a VPN Tunnel. When they establish a connection through the tunnel they use FTP with the PASV command and successfully send and receive data. No issues. The same remote locations will connect to external FTP sites without a VPN tunnel and attempt to use FTP with PASV and the connection fails after the PASV command is issued.Also, when these sites connect to my FTP server all their internal addresses are configured with a Dynamic HIDE NAT. They don't use this NAT rule when they connect to other FTP sites.
The question is why would an FTP connection through a VPN Tunnel work with PASV, but on a non-tunneled connection the Cisco 5505 blocks the connection.I would think that the connection should drop in both scenarios. What makes the VPN Tunnel connection special to prevent the connection drop? (I just learned about the fixup protocol with the group policy change to resolve the problem. So I can resolve the issue. But I'm interested in knowing why there is a discrepancy.)I did ask our network team and they thought it was somewhat strange too.
How can I allow passive ftp communication in PIX 6.3(5)106.
View 5 Replies View Relatedsetting up ASA to allow passive FTP connection! I can get the FTP client to connect but it does not pull the directories. I have opened 21 and range of 55536-55566. I had some trouble gettting the range opened and saved. Normally with other small business routers (GUI) I make sure those ports are forwarded and ftp works.
Is the ftp inspection killing connection or is it my config?
ASA Version 8.4(2)
!
hostname ciscoasa
enable password vRLm0eRL2O14iLM6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
[Code].....
what is active/passive port-channel..? and how it will do load balancing when my network traffic is flowing on both the ports.
View 5 Replies View RelatedUsers cannot download some files from a FTP in a software over VPN Explanation users work with a program and inside the program they download claim (the software goes to the FTP and download the file)
But the program returns an error 3018 in FTPGET. If the user goes to the old PPTP VPN it works like a charm so the problem is the Cisco VPN.
I cannot post my complete config but we use the filter vpn value to associate a special access-list to a user.
The user that has this problem has this as an access-list.
access-list 201 extended ip permit 10.250.128.0 255.255.255.0 192.168.202.0 255.255.255.0
I've made some research and i've added this info
policy-map global_policy
class inspection_default
Inspection ftp
Still doesn't work.
I have to add that normally the internal network is 2.0 and not 202.0 but since we have user with 2.0 at home we had to do this.
So when a user sends a request to 202. the cisco fowards it to the Juniper inside the network and it translate it back to 2.0 Also that is the ONLY thing that doesn't work. The client can work all day on that program and it will work #1 exept when she does the claims
I am also been working on this VPN for 2-3 months without any problems.
I have 3750 switch and there are couple of vlans.....i dont want to run the instance on all vlans....so i have decided that i will run passive intreface default command....now my lan link is layer three and i want to run eigrp on that so the command shd be as under?
no passive interface default interface gig1/0/10
no passive interface default interface gig1/0/22
(as i have 2 conections) and want to have two neibours.
I don't really know how this things work, but somehow i know that when you summarized few subnets into 1 in RIPv1 protocol in router, you would need this command, but how this things actually works?
View 5 Replies View RelatedI had a design question, Currently we have a active/passive asa 5520 firewall setup. We have our edge router (3845), on which Gig 0/0 connects to the internet, Gig 0/1 connects to a port on the active firewall. We also have a one port fast ethernet card on the router.How can i use the fast ethernet port on the router to connect to the passive firewall, so that if the active firewall fails, there is internet connectivity through the fast ethernet port on the router.
View 3 Replies View RelatedCurrently we are using a single connection to our ISP and in the coming months will be moving to a two seperate connections (to same ISP). In our current setup we utilize active/passive ASA's (5520, single context) and would like to utilize that going forward as well, the reason being is our DMZ's all hang off of these ASA's and we have fiber connectivity between our datacenters.Our main datacenter and DR Datacenter are basically one big LAN with fiber between them, so we have our DMZ networks at both locations currently with both terminating in our ASA's. That way if the ASA at our current site fails the DMZ's are still accessible via the secondary firewall at our DR facility.
View 1 Replies View RelatedWe have an ACE 4710 that has two web servers in an active/passive scenario. The issue is that if node 1 fails and node 2 takes over connections to node 2 stay active even if node 1 becomes available again. Is there are way to ensure that node one is not placed back into service if it becomes available again.
how active/passive failover shoudl be configured, so I can make sure I have it set up correctly;
i have a problem with a Failover Pair of 5510. The Boxes run with the software version 8.2.5.
If the Active ASA goes down, the Standby ASA switch to Active.
If i switch on the old Active ASA, both ASA are Active. This problem don't solved with the command 'no failover active' on the Standby box. This problem only solved with the command 'no failover' and then 'failover' on the Standby box.
The following diagram is showing what I "Plan" on doing or "Hope" I can do. This is the most complicated deployment I have taken on in my profession, and Honestly it is very exciting, but had some questions.
1. The network between the ASA's and Routers, is that suppose to be a Private network or Public Network? I have to assume Public because I want my ASA's to take care of the NAT.
2. ASA's are runing single context Active/Standby so what way will the ASA push out going traffic?
3. The routers need to know about each other in a BGP configuration, correct? We accomplish this using iBGP so will that traffic need to be allowed through my firewall to allow the routers to share that information, or should these routers be talking to each other outside the firewalls?
Is this design possible? I am sure there are limitations as always, just trying to wrap my head around the flow of traffic and where to start.
Additional Details/Requirements -
BGP routers are 2921's that I have control of. Both routers have 4 port GigEtherswitches in them.
ASA's are Active/Passive and cannot be Active/Active due the limitations of the Active/Active Design (VPN limitations)
Both ISP's must be used for outbound traffic, I would like to be able to load balance, but can send some traffic one way and the rest of the traffic the other way based on Routes.
ISP's are not Symentrical, one is 50mbps and the other is 250mbps.
All NAT should take place at the ASA's
Additional Questions:
The routers that have gig etherswitches, can they run HSRP?
Should I be putting Layer 3 switches between the routers and the ASA's instead?
Where should I run my iBGP communication for the routers?
Is it possible to use this feature on WLC 2504 ? ( Passive client feature). I found just this note :" The passive client feature is supported on Cisco 5500 and Cisco 2100 Series Controllers. "
View 8 Replies View RelatedI've been having a problem with my cisco routers (7600s) where sub-interfaces that we create for ldp tunnels are added automatically to the main ospf process as no passive when created. In order, here is how to reproduce the issue:
- Configure ospf process as "passive-interface default"
- Configure interfaces that have to be active as "no passive-interface blah"
- ospf works as expected.
- Create new sub- interface somewhere with encapsulation on a certain vlan for xconnect.
- New sub-interface gets added as "no passive-interface" in main ospf process.
- When adding a new port-channel interface, behavior is the same.
Is that normal for cisco, should I continue removing sub-interfaces manually every time from the ospf process?
I'm having problems getting FTP to work through two FWSM virtual contexts which are connected via a vrf. All this is configured on a 6500 switch with the FWSM running 3.1(4)
CLIENT-----CONTEXT_1-------VRF------CONTEXT_2--------FTP_SERVER
At the moment we can make the control connection but when we issue commands the connection times out.
Looking at the logs we can see the initial connection made to the server on port 21 from the client, this is also seen on the second firewall context (nearest the FTP server). The data channel is then seen on the first context, made using high src & dst port numbers and initiated from the client, successfully passing the ACL/Inspection, then on the second context we see the connection being denied by the incoming ACL on the second contexts interface connected to the VRF instance.
The rules are identical on the contexts and have been made by copying and paste the rule using CSM, we are using the predefined service group 'FTP-Group' which contains both tcp 20 & 21. FTP inspection is at default on both contexts.
We have tested with Win XP (capable of Active FTP only) & Firefox 3.6.12 which is the connections we are seeing in the logs trying to do Passive FTP.
Is this a problem with teh contexts randomizing sequence numbers or TCP Normalization? Or do we just have a problem with the Inspection engine on one of the contexts (I would have expected to see this on both contexts if it was a bug).
I am purchasing 2 5512x ASAs to be configured as an Active/Passive pair as a VPN device. Do I need to purchase anyconnect licenses for both devices?
View 2 Replies View RelatedI'm on WLC 5508 . It doesn't matter if passive client feature is turned on or turned off , when you try to increase "User Idle Timeout" you can see this message:
In our network, a lot of clients gets deauthenticated. I thought it would be useful to enable "Passive-client" feature, or increase "user idle timeout" , but how these works with each other?
I have the following Setup, Two Cisco ASA 5520 needed to be configured in HA Active/Passive. The Firewalls includes also AIP module. Does the ASA 5520 will internally make the AIP modules also HA Active/Passive? Is there a document regarding the issue? Is there a seperate license for the AIP modules for HA scenario?
View 1 Replies View RelatedCan we use ACS 4.1 version recovery disc on 4.2 verison to recover the forgotten password.
View 1 Replies View Relatedwhich version of prime infrastructure supports wlc5508 version 7.4
View 2 Replies View Relatedprovide me with the important links which can show me how to do the software upgrade for my ASA 5520 ver 7.0(1) to ver 8.4 ? as well as the ASDM
View 10 Replies View Relatedwe operate an active/passive cluster with 2 ASA5510 in Routed Mode. Is it possible to add another node, so that we have one active and two standby nodes in the cluster? Unfortunately, I have found no documentation on this .... The data sheet say only up to 10 nodes can be mentioned as a VPN load balancing cluster.
View 1 Replies View RelatedCurrently l have two ASA 5520's in a active/passive failover scenario. Currently the interfaces for the inside and outside are fixed at 100/FULL.I want to repatch them into GigE ports setup as Auto Negotiate.Is there anyway of keeping the connections through the firewall active in this type of scenrio or will l have downtime disconnecting and repatching? or could l possibly disable failover and reconfigure each ?
View 6 Replies View RelatedMy e3200 is running great Unfortunately it seems that the ftp server does not use/support passive mode transfers, which means that clients behind a "corporate style fw" cannot access the server. The solution would be running the ftp server using passive mode (and opening the necessary ports on the server side), but it seems that it is not supported. Or at least I don't know the passive mode port range.
View 6 Replies View Relatedi am using Cisco ASA 5510 with ASA Version 8.0(4) and memory 256MB. me to Upgrade it to 8.3
View 6 Replies View RelatedI have a customer who is having some issues with 5m passive HP twinax cables, 537965-001, with a Chelsio 10G NIC. Aside from NIC driver issue, if NX-OS recognizes this SFP+, should it be expected to work in a 5020 running 4.2(1)N1(1)? Whether Cisco has certified passive HP twinax cables? I have included output to 'transceiver details' to a Cisco twinax and the HP (WL GORE) cables.
Nexus5020# show interface eth 1/7 transceiver details
Ethernet1/7
sfp is present
name is CISCO-MOLEX
type is SFP-H10GB-CU3M
[code]....
I'm currently working on a plan to migrate our 6500's over to our new 7010's. At the time of the migration I want to tighten up our OSPF design and configure OSPF for "passive-interface default" then allow only those interfaces that should have OSPF neighbors to send the hellos. The issue is that the command is not showing up under the OSPF process. What's even more interesting is that the Nexus 5.x Unicast Routing Configuration Guide shows that the "passive-interface default" command should be an option to enter.
I'm currently running version 5.1(4) (though looking to upgrade to 5.2 during my migration testing). I would rather configure the passive-interface via the routing process versus having to enter it on every interface.
We are looking to upgrade our WiSMs to version 7.0.230.0, but the Cisco compatibility matrix suggests we need to upgrade WCS to the same version (it is currently on 7.0.172.0). My question is can we upgrade the WiSMs and do the WCS at a later date with no issues or do we need to do them at the same time to keep visibility of everything?
The reason I ask is that some of my clients use lobby ambassador for some of their users and they will need wireless access on the day we are due to upgrade WCS (the WiSMs are due to be upgraded and rebooted earlier that morning.
I have a Cisco 1941 which has several Cisco VPN clients connecting to it which all works fine. The details of the LAN and VPN clients are as below:
Cisco 1941 LAN : 172.16.1.0 255.255.255.0
VPN Clients : 192.168.5.0 255.255.255.0
As mentioned this works fine but I'm about to setup a point to point VPN with from the above Cisco to another site which isn't controlled by myself and the remote side of this point to point VPN will only allow connections from the "172.16.1.0" subnet to communicate with it.
The issue I have is that the Cisco VPN clients also need to communicate with the remote side of this point to point VPN but they are obviously coming from the "192.168.5.0" subnet. Is this possible and where to start with this that would be fantastic.
I got 2 DC Cisco MWR 1941 and 3600, I do not know the reason why when I set up IP NAT to 1941 does not work but if I do it in the 3600 if it works.
View 13 Replies View Related