Configure ASA 5515 to allow FTP server behind it.
We have one Cisco ASA5515 firewall. I configured ftp mode to passive, inspect ftp in service, used another public IP address to do NAT with the ftp server, and also configured an ACL on the outside interface, but I failed to access the ftp server from the internet using that public IP address. There is no problem accessing the ftp server using its inside address in the LAN.
Any help on this is appreciated!
Thanks!
I did packet tracer in asdm, all is green.
here is configuration file:
ciscoasa# sh run
: Saved
ASA Version 9.1(1)
hostname ciscoasa
enable password qZTcCWWJxxdsdsxcxcxxr encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd qZTcxxcxcxcxxdcxJglvMyNxr encrypted
names
ip local pool VPNAddressPool 10.115.135.100-10.115.135.254 mask 255.255.255.0
interface GigabitEthernet0/0
description Outside Internet
nameif Outside
security-level 0
ip address xxx.xx.xxx.xxx 255.255.255.248
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/2
description MPLS Circuit
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
description Inside LAN
nameif LAN
security-level 100
ip address 172.28.144.11 255.255.255.0
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup Outside
dns server-group DefaultDNS
name-server xxx.xxx.xx.xxx
name-server xxx.xxx.xx.xxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VPNNetwork
subnet 10.115.135.0 255.255.255.0
object network 172.28.144.11
host 172.28.144.11
object network NETWORK_OBJ_10.115.135.0_24
subnet 10.115.135.0 255.255.255.0
object network NETWORK_OBJ_172.28.144.0_24
subnet 172.28.144.0 255.255.255.0
object network NETWORK_OBJ_10.100.1.0_30
subnet 10.100.1.0 255.255.255.252
object network NETWORK_OBJ_172.28.76.0_24
subnet 172.28.76.0 255.255.255.0
object network FTP_Outside
host xxx.xx.xxx.xxx
object network FTP_Inside
host 172.28.144.6
object network NAT_FTP
host xxx.xx.xxx.xxx
description FTP
object network FTP-Data
host xxx.xx.xxx.xxx
description FTP-Data
access-list NMA_VPNSplitTunnelAcl extended permit ip object VPNNetwork 172.28.144.0 255.255.255.0
access-list NMA_VPNSplitTunnelAcl extended permit ip 172.28.144.0 255.255.255.0 object VPNNetwork
access-list Outside_access_in extended permit tcp any any eq ssh
access-list Outside_access_in extended permit ip any object NETWORK_OBJ_172.28.144.0_24
access-list NMA_splitTunnelAcl standard permit 172.28.144.0 255.255.255.0
access-list LAN_access_in extended permit ip any any
access-list acl_out extended permit tcp any host xxx.xx.xxx.xxx eq ftp
access-list acl_out extended permit tcp any host xxx.xx.xxx.xxx eq ftp-data
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu LAN 1500
mtu MPLS 1500
mtu Outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Outside,LAN) source static VPNNetwork VPNNetwork destination static NETWORK_OBJ_172.28.144.0_24
NETWORK_OBJ_172.28.144.0_24 no-proxy-arp route-lookup
nat (LAN,Outside) source dynamic any interface
object network NAT_FTP
nat (Outside,LAN) static FTP_Inside service tcp ftp ftp
object network FTP-Data
nat (Outside,LAN) static FTP_Inside service tcp ftp-data ftp-data
access-group LAN_access_in in interface LAN
access-group acl_out in interface Outside
route Outside 0.0.0.0 0.0.0.0 xxx.xx.xxx.xxx 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.28.144.0 255.255.255.0 LAN
http 172.28.144.6 255.255.255.255 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
crypto ikev1 enable Outside
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 LAN
telnet 172.28.144.0 255.255.255.0 LAN
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption 3des-sha1 des-sha1
group-policy NMA internal
group-policy NMA attributes
dns-server value 172.28.144.2 172.28.76.8
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value NMA_VPNSplitTunnelAcl
default-domain value test1.test2.com
vpn-group-policy NMA
service-type remote-access
tunnel-group NMA type remote-access
tunnel-group NMA general-attributes
address-pool VPNAddressPool
authorization-server-group LOCAL
default-group-policy NMA
tunnel-group NMA ipsec-attributes
ikev1 pre-shared-key xxxxcxxxx
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map global_poliy
class inspection_default
inspect icmp
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:e603c4e7da420d445507ceb5bac213f9
: end
Similar Messages
-
How to configure sync with my local ftp server?
I have used XMarks until now because it allows me to synchronize my bookmarks with my local server. Now XMarks doesn't work anymore because it's no longer possible to synchronize the passwords.
Any other alternative requires using an external server and I don't want to use an external server. My data must remain on my machine; it's absolutely excluded that I use an external unknown server for this.
The only solution must be a free solution (a real free solution) and the firefox synchronization seems to me the best/only one.
But I've not found how to configure it to use my own server.
So how to do it, where are the options to the synchronizer to give my own ftp server or whatever other server it needs?
iAS 6.0 sp4 officially does only support iPlanet Directory Server 5.0 sp1 and 4.13.
For more details visit: http://docs.iplanet.com/docs/manuals/ias/60/sp4/ig/prep.htm#42084
I guess, you can specify the directory server during the time of installation.
Thanks,
Rakesh. -
How configure sending CDR reporting via ftp server
hi
I want to send the CDR reporting automatically to the FTP billing server every 1H.
I have added the billing server.
I don't know how or when I can configure the automatic sending of the CDR report to this server.
Thanks for your help
You'll need a SFTP server instead of FTP.
For instructions, please see here:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/service/7_1_2/admin/sacdrm.html
Thanks!
Michael
http://htluo.blogspot.com -
Have issue with internal 2003 FTP server behind BM;
Secondary IP set on Public NIC and NAT it to the private IP of the 2003 server.
Filters setup as per the TID2931861.
FTP works internally for both IE and FTP client.
None works from outside. Any idea?
Will try taking down filter tomorrow morning and test if it works. (Production server)
lchen ca1 wrote:
> mysterious;1487294 Wrote:
>> mysterious wrote:
>>> lchen ca1 wrote:
>>>> Took filter down and still didn't work.
>>>> Checked NAT, NAT is setup correctly.
>>>> Do I need ICMP filter setup in order to have FTP working?
>>> it will not work in pasv mode behind nat. It has to work in port
>> mode
>>> tid10064656
>>>
>>>
>>> Gonzalo
>> forgot to add, instead nat use the ftp accelerator and you'll be fine
>
>
> So you mean I have to take away the NAT settings and setup reverse FTP,
> then pasv FTP will work?
>
> Questions:
> 1. Pasv will not work in NAT configuration?
No, it will not work. The server embeds the new ip address to establish the
pasv connection in the data portion of the packet and it is not
translated by nat, so the client will try to connect to an internal ip.
Port mode will work thru nat as it is the server that initializes the
connections.
> 2. Port mode means active FTP port 21 and 20 right?
The main differences between pasv and port are:
1. Who initializes the second connection
2. The ports used in the communication
In pasv mode, the client initializes the connection with the data sent by
the server, while in port (active) mode, it is the server that does that.
Take a look at this coolsolution to understand better the differences:
Cool Solutions: Active versus Passive FTP
If you need pasv connections, the easy thing is the ftp accelerator. You
only need a secondary ip and two clicks of the mouse in nwadmn32 or imanager.
Gonzalo -
Settings and usage of external FTP Server in ECC 6.0
Dear all,
I work in ECC 6.0, and I want to configure and use an external FTP Server for upload, download and delete file from FTP Server.
My questions are:
1) Which are steps for configure an FTP connection?
2) How can I read, delete and send a flat file to the FTP Server? Can you send a sample code?
Thanks in advance for your help.
Best Regards,
Giulio
Please check program RSFTP002; it is a good example given by SAP.
a® -
Has anyone configured the iMac as a ftp server with Mac OS X 10.5.5?
I guess those programs are intended for outgoing connections, not incoming connections?
Well, anyways, I managed to solve the problem. Just summing up in case others meet the same problem:
- Went to Apple Store and bought/installed "OS X Server".
- Followed the install wizard for the OS X Server.
- Under "FTP" in OS X Server, turned "On".
- Under sys prefs/sharing; make sure "Sharing" is activated (which already had been done in my case).
- Add folder, e.g. "Movies", and enable "read/write" for "everybody" (already done in my case).
- Back to the OS X Server; changed share to "Movies".
(you can change share options in OS X Server as well, the same way as under sys prefs.).
- Now over to the Canon camcorder;
- Use the IP address for the Mac as the FTP server. Port 21.
- Set up username/password as for the Mac admin account (not sure if required though).
- Target folder just set to "/" (files transferred directly to "Movies").
With this setup, both AVCHD/MP4 movies were transferred easily to my mac. -
Port Mapping Filezilla FTP Server
I just got a new AirPort Extreme Base Station (802.11n). I must say, I'm pleased for the most part. I'm having an issue with remotely connecting to my FTP server inside the network though.
Setup:
The whole this is connected as follows:
Cable Modem - AEBS - Wired Windows PC
On this windows PC I run an FTP & HTTP server. Both are functioning properly as they always have, both on the localhost and within the network.
The HTTP protocol is working fine. I have port 80 mapped to my PC's static IP of 10.0.1.100. I can browse my hosted site from a remote PC no problem.
Yet, from a remote PC I am unable to fully establish FTP communication. I have port 21 mapped to my PC's static IP as well. Communication seems to be happening; the remote PC gets prompted for their username and password. Shortly after (within a timeout time), the FTP server replies that it cannot open the data channel.
Data:
Here is the Remote PC's log of the FTP session:
Status: Connecting to $server.com ...
Status: Connected with $server.com. Waiting for welcome message...
Response: 220 $greeting
Command: USER $username
Response: 331 Password required for dave
Command: PASS $pass**
Response: 230 Logged on
Command: SYST
Response: 215 UNIX emulated by FileZilla
Command: FEAT
Response: 211-Features:
Response: MDTM
Response: REST STREAM
Response: SIZE
Response: MLST type;size*;modify;
Response: MLSD
Response: UTF8
Response: CLNT
Response: 211 End
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE A
Response: 200 Type set to A
Command: PASV
Response: 227 Entering Passive Mode (10,0,1,100,16,141)
Command: LIST
Response: 425 Can't open data connection.
Error: Could not retrieve directory listing
Solutions Attempts:
I have tried mapping the FTP data port (20) to the server's static IP to no avail. I even went as far as setting the server as the default host (DMZ); this didn't work either.
Am I looking at a fresh firmware bug here or am I missing anything? Thanks for your help.
P.S. No changes have been made on the server and every other no name router I've used has successfully port mapped the server; it's definitely the new hardware.
Windows PC Windows XP Pro
1. Try to connect to your FTP-Server in ACTIVE-Mode,
it's a setting in your FTP-Client
Most all FTP clients are defaulted to passive mode, and I want to connect without asking all users to change their settings.
Previous routers did not require anything like this, why would this new base station obfuscate the setup?
2. Don't use the same AirportXtrem internet
connection (for testing your FTP-Service) where is
your FTP-Server behind. I don't know why, when I try
to establish a connection I could not go out and come
back through my AXtrem on the same way.
Try it with a Modem, UMTS or with another internet
connection.
I don't know exactly what you're talking about. Please explain better or with more details.
Windows PC Windows XP Pro -
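The failure described in the two FTP-behind-NAT threads above (the reply about the address embedded in the PASV response, and the FileZilla log ending in "425 Can't open data connection"), worked through as an added example that is not part of any original post. It decodes the 227 reply, flags a private address leaking to an outside client, and shows the rewrite an FTP-aware NAT device performs; 203.0.113.10 is a constructed stand-in for the server's public address and all function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the four relevant lines of the FileZilla client log
# quoted in the thread above.
SAMPLE_LOG = """\
Command: PASV
Response: 227 Entering Passive Mode (10,0,1,100,16,141)
Command: LIST
Response: 425 Can't open data connection.
"""

# RFC 1918 ranges: addresses a client out on the internet cannot route to.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# A 227 reply carries h1,h2,h3,h4,p1,p2. The parentheses are customary,
# not guaranteed, so the pattern only relies on the six numbers.
PASV_RE = re.compile(
    r"(\b227 .*?)(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),"
    r"(\d{1,3}),(\d{1,3})(?!\d)")


def parse_pasv(line):
    """Return (IPv4Address, port) from a 227 reply, or None if not one."""
    m = PASV_RE.search(line)
    if m is None:
        return None
    nums = [int(g) for g in m.groups()[1:]]
    if max(nums) > 255:
        raise ValueError("octet out of range in 227 reply: %r" % line)
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    # The data port is p1*256 + p2, chosen by the server. It is not port 20,
    # which is why forwarding port 20 does not help a passive-mode client.
    return host, nums[4] * 256 + nums[5]


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def diagnose(log_text, control_ip):
    """Compare each PASV data address with the address the client dialled.

    control_ip is the address of the control connection as the client
    sees it (assumed known from the client's own configuration).
    """
    ctrl = ipaddress.IPv4Address(control_ip)
    findings = []
    for line in log_text.splitlines():
        parsed = parse_pasv(line)
        if parsed is None:
            continue
        host, port = parsed
        if host == ctrl:
            verdict = "ok"
        elif is_rfc1918(host) and not is_rfc1918(ctrl):
            # The server advertised its inside address through the NAT.
            verdict = "private-address-leaked"
        else:
            verdict = "address-mismatch"
        findings.append({"data_ip": str(host), "data_port": port,
                         "verdict": verdict})
    return findings


def rewrite_pasv(line, mapped_ip):
    """Rewrite the embedded address the way an FTP-aware NAT device does.

    Assumption for this sketch: the data port is forwarded unchanged.
    """
    octets = str(ipaddress.IPv4Address(mapped_ip)).split(".")

    def repl(m):
        return m.group(1) + ",".join(octets + [m.group(6), m.group(7)])

    return PASV_RE.sub(repl, line, count=1)


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, "203.0.113.10"):
        print(finding)
    print(rewrite_pasv("227 Entering Passive Mode (10,0,1,100,16,141)",
                       "203.0.113.10"))
```

Run against a client-side log, a "private-address-leaked" verdict means the control channel crossed the NAT without FTP inspection, so either the device has to rewrite the reply or the server has to advertise its public address and a forwarded passive port range.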
I need help configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.
I have attempted to configure rdp access but it does not seem to be working for me. Could I please ask someone to help me modify my current configuration to allow this? Please do step by step as I could use all the help I could get.
I need to allow the following IP addresses to have RDP access to my server:
66.237.238.193-66.237.238.222
69.195.249.177-69.195.249.190
69.65.80.240-69.65.80.249
My external WAN server info is - 99.89.69.333
The internal IP address of my server is - 192.168.6.2
The other server shows up as 99.89.69.334 but is working fine.
I already added one server for Static route and RDP but when I try to put in the same commands it doesn't allow me to for this new one. Please take a look at my configuration file and give me the commands I need in order to put this through. Also please tell me if there are any bad/conflicting entries.
THE FOLLOWING IS MY CONFIGURATION FILE
Also I have modified IP information so that it's not the ACTUAL ip info for my server/network etc... lol for security reasons of course
Also the bolded lines are the modifications I made but that aren't working.
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password DowJbZ7jrm5Nkm5B encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.6.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 99.89.69.233 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group network EMRMC
network-object 10.1.2.0 255.255.255.0
network-object 192.168.10.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0
network-object 172.16.0.0 255.255.0.0
network-object 192.168.9.0 255.255.255.0
object-group service RDP tcp
description RDP
port-object eq 3389
object-group service GMED tcp
description GMED
port-object eq 3390
object-group service MarsAccess tcp
description MarsAccess
port-object range pcanywhere-data 5632
object-group service MarsFTP tcp
description MarsFTP
port-object range ftp-data ftp
object-group service MarsSupportAppls tcp
description MarsSupportAppls
port-object eq 1972
object-group service MarsUpdatePort tcp
description MarsUpdatePort
port-object eq 7835
object-group service NM1503 tcp
description NM1503
port-object eq 1503
object-group service NM1720 tcp
description NM1720
port-object eq h323
object-group service NM1731 tcp
description NM1731
port-object eq 1731
object-group service NM389 tcp
description NM389
port-object eq ldap
object-group service NM522 tcp
description NM522
port-object eq 522
object-group service SSL tcp
description SSL
port-object eq https
object-group service rdp tcp
port-object eq 3389
access-list outside_1_cryptomap extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-data
access-list outside_access_in extended permit udp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-status
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group RDP
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ftp
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ldap
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq h323
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq telnet
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq www
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group SSL
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM522
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM1731
access-list outside_access_in extended permit tcp 173.197.144.48 255.255.255.248 host 99.89.69.334 object-group RDP
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333
access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333 object-group rdp
access-list outside_access_in extended permit tcp any host 99.89.69.333 object-group rdp
access-list out_in extended permit tcp any host 192.168.6.2 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 99.89.69.334 3389 192.168.6.1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 99.89.69.338 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.6.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 68.156.148.5
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
tunnel-group 68.156.148.5 type ipsec-l2l
tunnel-group 68.156.148.5 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:f47dfb2cf91833f0366ff572eafefb1d
: end
ciscoasa(config-network)#
Unclear what did not work. In your original post you said some commands were added but don't work:
static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
and later you state you added another command that gets an error:
static (inside,outside) tcp 99.89.69.333 3389 192.168.6.2 3389 netmask 255.255.255.255
You also stated that 99.89.69.333 (actually 99.89.69.233, guessing from the rest of your config and other posts) is your WAN IP address.
The first static statement matches Cisco's documentation, which states that a static statement must use the 'interface' directive when you are trying to do static PAT utilizing the IP address of the interface. Since 99.89.69.333 is the assigned IP address of your WAN interface, that may explain why the second statement fails.
Any reason why you are using static PAT (including the port number 3389) instead of just skipping that directive? Static PAT usually makes sense when you need to change the TCP port number. In your example, you are not changing the TCP port 3389. -
Help (pleeeease) with configuring FTP server connection
HI...I am so frustrated. You have to understand that I am not completely stupid, but I just cannot understand the process which will allow me to connect to a **^&-**** FTP server!!!
Here's the deal:
Me, graphic designer, designing among other things, websites.
Dreamweaver, the software program that I use to design websites.
So, I design a site, and configure it to upload via FTP. I get the FTP hostname, username, password info from the intended Internet Service Provider, and load that info into the required fields in the Site Manager window. Everything is great until I try to connect to the server....it just won't do it! I get error messages that state flatly that I cannot connect to the remote server, for reasons that are as bland as "username and password information incorrect". I have called the ISP to determine if I am using the correct username, password blah blah blah, and everything checks out on their end. It seems that everyone else but me can connect to a bloody FTP server! Harrumph.
So...what can I do? Is it that something in the System Preferences panel needs to be adjusted to allow me access to FTP? I have fiddled around a little in there, but don't change anything, because I don't know what TCP/IP, proxy settings, etc. MEANS!!! All I did was allow FTP access (duh).
Another point of interest is permissions...somewhere along the way, during my long and convoluted journey with this problem, a message came up that mentioned that. Permissions. Don't know what that means either.
Is there anyone out there that can help me?? I am so confused, and just need a little education. I would greatly appreciate any advice or information. Thanks! Janelle
iMacG4 Mac OS X (10.4.7)
Hi Janelle: I assume the domain is georgeponzini.com
1. http://georgeponzini.com/index.htm works so we know you have an index.htm page uploaded to the server but it contains no information at all, like you uploaded a completely blank page, no title, no code, nothing, nada...
2. http://georgeponzini.com/index.html does not exist, you never uploaded a page so what we see is an error page, saying such a file does not exist.
3. The link you have ftp-dom.earthlink.net/ is for uploading directly from a browser but I could not get it to work in Safari but does work in Firefox, which you can consider downloading and using.
4. If you can upload from your Control Center at Earthlink.net, that's a no brainer, this is the option to take, you cannot make any errors doing it this way. But that we'll figure out next... It's ok you do not see a public_html folder, you are probably already in it when you log in. Were you given instructions to upload into the WEBDOCS/ folder? If so you did that right.
BTW - have you checked with Earthlink that Control Center will work on a Mac using Safari as a browser
5. Your index.htm page/file is NOT where you upload to, the index.htm IS the 'Home Page' or 'Index Page'. You're seeing a white page because it contains no information, but you must have uploaded a file/page named index.htm (see 1 above)
6. If you have files/pages uploaded in the correct area, see if you can rename any file index.html - I am sure you can do this at the Control Center, if not do this on your computer and use 'save as' > index.html - upload this file/page and see if it displays
Let me know what happens, Rick
iMac G5 iSight 20" - 30G iPOD - HP Pav 15" WS and Toshiba Sat 17" WS Mac OS X (10.4.7) Canon 20D & A620 -
Configuring Solaris 8 FTP Server
I am new to solaris 8. Can anyone help me on where to go or what file to edit to configure my ftp server. The main goals that I want to accomplish are to change the default ftp directory and to specify a login password. I would also like to know how to enable ftp upload.
- Thank you
Hi,
If you must log into the ftp server as root for some reason you have to first edit the ftpusers file. This file lists all the users who can not use ftp. The file is found here /etc/ftpusers. If you remove the entry root from this file it will allow root to log into the ftp server.
Hope This Helps.
Regards,
Andrew
Sun Developer Technical Support -
When i tried to login in inbrowserediting.adobe.com i see that:
The FTP server configured for this site doesn't seem to match the URL you entered. Make sure that you use the Upload to FTP Host feature in Muse to publish the site directly to the final location and that you are logging on to In-Browser Editing with the same user.
What does it mean? What is the problem?
Hi,
I have just created my first website using Muse and it's all been uploaded to my FTP server, but I can't access the in-browser editing, which was the whole reason why I redid the website for my client using Muse.
It's saying the following:
"The FTP server configured for this site doesn't seem to match the URL you entered. Make sure that you use the Upload to FTP Host feature in Muse to publish the site directly to the final location and that you are logging on to In-Browser Editing with the same user."
Yet I can access my website fine: "www.calmwood.com.au"
My ftp server responds to either the IP address or the DNS address www.calmwood.com.au
so I am not understanding how it thinks it's different when it's fully referenced.
Any help would be appreciated.
thanks -
Which comm. channel is configured with a certain ftp server?
Hi,
I would like to have a list of all comm. channels which are using a certain ftp server. How can I get this list?
I don't think we have any shortest way to find this. Only by checking manually can we differentiate; otherwise, if your company is following proper naming standards, then they will create an individual business component for every FTP.
Regards,
Raj -
How to connect to the internet with ASA 5515 X?
Hi all:
I just got my new ASA 5515 X firewall and I got stuck in the first steps.
I can ping a public IP (8.8.8.8) from the device but I cannot ping it from my LAN.
I know I am missing either NAT rules or Access rules or maybe both, but I need some help, please.
Thank you.
ciscoasa# sho run
: Saved
ASA Version 9.1(2)
hostname ciscoasa
enable password djMW8L3Na14L7q2L encrypted
names
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address 10.9.251.2 255.255.255.0
interface GigabitEthernet0/1
nameif INSIDE
security-level 100
ip address 10.9.250.2 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
<--- More --->
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ftp mode passive
<--- More --->
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network inside_net
subnet 10.9.250.0 255.255.255.0
pager lines 24
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any INSIDE
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network inside_net
nat (INSIDE,OUTSIDE) dynamic interface
route OUTSIDE 0.0.0.0 0.0.0.0 10.9.251.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
<--- More --->
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
<--- More --->
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
<--- More --->
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
ciscoasa# sho runpacket-tracer input inside icmp 10.9.250.3 0 0 8.8.8.8 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 OUTSIDE
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
object network inside_net
nat (INSIDE,OUTSIDE) dynamic interface
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff293db020, priority=6, domain=nat, deny=false
hits=22235, user_data=0x7fff2a6a3810, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.9.250.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=INSIDE, output_ifc=OUTSIDE
Phase: 3
<--- More --->
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff29b804b0, priority=0, domain=nat-per-session, deny=true
hits=26730, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a633a90, priority=0, domain=inspect-ip-options, deny=true
hits=25709, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=INSIDE, output_ifc=any
<--- More --->
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-xlate-failed) NAT failed
ciscoasa# -
FTP Server: PASV / Illegal PORT Command Issues
Hi,
I'm hoping someone can shed some light on this.
We have an iMac running 10.6.6 server with the FTP service running. Everything has worked fine for the last 6 months, including an office move (new IPs, etc) but suddenly in this last week, a lot of users (internal and external) are getting an "Illegal PORT Command" error when connecting.
The iMac is behind an Airport firewall with ports 20 and 21 forwarded to the server.
From what I've read the issue is a NAT related but I can figure out how to fix. The weird thing is that none of us here can think of any changes we've made on the server or Airport in the last week.
I've tried a mismatch of rules in the ftpaccess config file in /Library/FTPServer/Configuration/:
passive address external_ip 0.0.0.0/0
pasv-allow all 10.0.1.1/24
passive ports 10.0.1.1/24 54350 65535
with no success.
Debug from transmit when connecting:
Transmit 4.1.5 (x86_64) Session Transcript [Version 10.6.6 (Build 10J567)] (11-02-24 2:10 PM)
LibNcFTP 3.2.3 (July 23, 2009) compiled for UNIX
220: server.private FTP server ready.
Connected to domain_name
Cmd: USER username
331: Password required for username.
Cmd: PASS xxxxxxxx
230: User username logged in.
Cmd: TYPE A
200: Type set to A.
Logged in to domain_name as username.
Cmd: SYST
215: UNIX Type: L8 Version: BSD-199506
Cmd: FEAT
211: Supported features:
REST STREAM
ADAT
AUTH
CCC
CONF
ENC
MIC
PBSZ
PROT
MDTM
UTF8
SIZE
End
Cmd: OPTS UTF8 ON
200: UTF-8 encoding enabled
Cmd: PWD
257: "/" is current directory.
Cmd: PASV
425: Can't open passive connection: Can't assign requested address.
Passive mode refused.
Connection falling back to port (PORT) mode.
Cmd: PORT 10,0,1,6,250,79
500: Illegal PORT Command
Cmd: PORT 10,0,1,6,250,80
500: Illegal PORT Command
Cmd: PORT 10,0,1,6,250,81
500: Illegal PORT Command
Cmd: PORT 10,0,1,6,250,82
500: Illegal PORT Command
Disconnecting from server…
Cmd: QUIT
221: You have transferred 0 bytes in 0 files.
Total traffic for this session was 187 bytes in 0 transfers.
Thank you for using the FTP service on server.private.
Goodbye.
Anyone know what I can try?
Thanks.
Message was edited by: s-chilly
In terms of the Airport Extreme, is the Mac Mini Server currently set to the default host? If the Mac Mini Server is not currently set to the default host, this needs to be configured as such.
To set up the Mac Mini Server as the default host on the Airport Extreme:
1 Open AirPort Utility, select your wireless device, and then choose Manual Setup from the Base Station menu, or double-click the device icon to open its configuration in a separate window. Enter the password if necessary.
2 Click the Internet button, and then click NAT.
3 Select the “Enable Default Host at” checkbox if not already checked.
4 Enter the same IP address of the Mac Mini Server.
This works -
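The PORT arguments in the transcript above decode to a private address and a high port. As an added example (not part of the thread), this decodes them and applies the address-match rule many FTP servers use against bounce abuse; that the server in the post applies this rule is an assumption, and the peer address 203.0.113.10 is a constructed stand-in for the NAT's public address.

```python
import ipaddress
import re

# Constructed excerpt modelled on the session transcript in the post above.
TRANSCRIPT = """\
Cmd: PASV
425: Can't open passive connection: Can't assign requested address.
Cmd: PORT 10,0,1,6,250,79
500: Illegal PORT Command
Cmd: PORT 10,0,1,6,250,80
500: Illegal PORT Command
"""

PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def decode_port(line):
    """Return (ip, port) encoded in an FTP PORT command line, or None."""
    m = PORT_RE.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    # h1,h2,h3,h4 is the IPv4 address; the port is p1 * 256 + p2.
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def check_port(line, control_peer):
    """Assumed server-side rule: the data address must equal the address the
    control connection came from, and the port must not be privileged."""
    decoded = decode_port(line)
    if decoded is None:
        return "malformed"
    ip, port = decoded
    if ipaddress.IPv4Address(ip) != ipaddress.IPv4Address(control_peer):
        return "reject: address mismatch"
    if port < 1024:
        return "reject: privileged port"
    return "accept"


def audit(transcript, control_peer):
    """Decode every PORT command in a transcript and evaluate it."""
    results = []
    for line in transcript.splitlines():
        decoded = decode_port(line)
        if decoded:
            results.append((*decoded, check_port(line, control_peer)))
    return results
```

Calling `audit(TRANSCRIPT, "203.0.113.10")` shows both PORT commands failing the address match, while the same commands pass when the control peer is 10.0.1.6.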
How can i do scheduled automatic backups to an ftp server in ios xr?
Hello guys! As the title says, I'm looking to automatically back up my running config on a Cisco CRS-1 to an FTP server. I was only able to find this config example:
Configuration commit auto-save filename ftp://A.B.C.D/myconfig.txt
This allows me to save my config to an FTP server every time I use commit on the device. Now I want to know if there's a way to automatically save my configs every day at 00:00 and also include the date and time in the name of the file so I don't overwrite the existing files on the FTP server.
I don't want to use any tool; I just want to know if what I'm asking is possible via CLI commands. I would greatly appreciate your help with this subject.
Regards,
David
Not sure if this script will work on a CRS, but try this:
archive
log config
logging enable
hidekeys
path tftp:///$h-
write-memory
time-period 10080
Explanation:
There are two ways to save your config to your remote station:
1. When someone saves the config; and
2. At an allotted time period, expressed in 10080 (weekly for me).