Hi all
MPF can be applied to traffic through global policy, inside or outside
interface.
*Query 1 - MPF to global policy*
When we apply MPF to global policy, the ASA matches the incoming
traffic at the ingress of each interface.
----------- match > ----------inside ASA outside -------------------- < match-------
At the outside interface, will the ASA match the destination address of the
translated address or the untranslated address?
static (inside,outside) 6.6.6.6 10.20.30.40
If traffic is coming inside with a destination of 6.6.6.6, will MPF
match 6.6.6.6 or 10.20.30.40?
*Query 2 - MPF at the outside interface*
When we apply MPF to the outside interface, the ASA matches the traffic on
the outside interface in both the directions.
------------inside ASA outside ------------<> match-------
When traffic is moving from inside to outside, then will the MPF see the
translated or un-translated source address?
When traffic is moving from outside to inside, then will the MPF see the
translated or un-translated destination address?
*Reason for this query*
When we want to match a flow, for example HTTP, then we need to define a class
map. The class match can either match using "match port" or "match
access-list". If we use the "access-list" option, I am wondering which IP
address should be used in the ACL.
With regards
Kings