[OSL | CCIE_Security] Packet tracer from out to in with multicontext

2012-07-04 Thread Kingsley Charles
Hi all, When I run packet tracer from out to in, I get the following O/P. Now the outside interface is shared between contexts, but I have configured for mac-address auto. Traffic is passing without any issues. Thoughts please. asa1/admin(config)# packet-tracer input outside tcp 20.10.30.40 1024

Re: [OSL | CCIE_Security] Packet tracer from out to in with multicontext

2012-07-04 Thread Kingsley Charles
Typo, the dest port is 23... On Wed, Jul 4, 2012 at 5:45 PM, Kingsley Charles kingsley.char...@gmail.com wrote: Hi all, When I run packet tracer from out to in, I get the following O/P. Now the outside interface is shared between contexts, but I have configured for mac-address auto. Traffic

Re: [OSL | CCIE_Security] Packet tracer from out to in with multicontext

2012-07-04 Thread Piotr Kaluzny
Kings, Packet Tracer is buggy in multiple context mode (in certain scenarios). Maybe they fixed it in 8.2, but not 100% sure of that. Regards, -- Piotr Kaluzny CCIE #25665 (Security), CCSP, CCNP Sr. Support Engineer - IPexpert, Inc. URL: http://www.IPexpert.com On Wed, Jul 4, 2012 at 3:49 PM,

[OSL | CCIE_Security] Task 1.10 Filtering on the ASA

2012-07-04 Thread GuardGrid
This is a very basic question, and more so about the lingo. This task calls out, on the second line, that the ACS should never be filtered. Does that mean that it is applicable for the entire task, and hence we would apply it for Java and ActiveX and also URL and FTP, or just do it for Java and ActiveX

[OSL | CCIE_Security] dot1x webauth fallback

2012-07-04 Thread Imre Oszkar
Hi guys, I'm having difficulties configuring dot1x with webauth fallback. Dot1x for clients with a supplicant works fine, but when I connect a non-supplicant client, webauth fallback fails to work. Once the dot1x timers expire, the switchport falls back to the webauth authentication method; I can see

Re: [OSL | CCIE_Security] Static Policy NAT with L4 ACL

2012-07-04 Thread Mike Rojas
Ben, You actually can do it with a port; however, as you rightly mentioned, it would be for the source port. Static PAT is always for source port translations, so something like the following scenario should work fine.
Real Address: 10.10.10.10
Translated Address: 20.20.20.20
Port to be used: 23

Re: [OSL | CCIE_Security] Packet tracer from out to in with multicontext

2012-07-04 Thread Mike Rojas
Correct. Try with real traffic; if it doesn't work, use NAT, which is the second method that the firewall uses for packet classification. A regular self translation should do it. Mike Date: Wed, 4 Jul 2012 16:00:31 +0200 From: pio...@ipexpert.com To: kingsley.char...@gmail.com CC:

Re: [OSL | CCIE_Security] VACL blocking fragments

2012-07-04 Thread Imre Oszkar
Seems like explicitly excluding the fragments will fix the problem..
access-list 123 deny icmp any any fragments
access-list 123 permit icmp any any unreachable
Still not sure why the VACL drops the fragments by default, but I have checked with CAT 3560/CAT 3750 on different IOS versions and had the