That is one factor. The other thing is that if you use auth-proxy with the match option, the traffic matching is reversed.

For the include option, for both the inbound and outbound direction, the local network always comes first and then the remote network. With the match option, for outbound, the source network is the local network and the destination is the remote network. For inbound, the source network is the remote network and the destination network is the local network, thus it is the translated network.

With regards
Kings

On Sun, Feb 14, 2010 at 11:30 PM, Brian Schultz <[email protected]> wrote:

> So if auth proxy is set to match an ACL, the auth occurs before NAT? And
> if auth is set to include, NAT occurs first then it matches the specified
> networks?
>
> On Sun, Feb 14, 2010 at 11:51 AM, Kingsley Charles <[email protected]> wrote:
>
>> Hi Brian
>>
>> With the include option, the idea is a bit different, as follows:
>>
>> include <local network> <remote network>
>>
>> The local network is the network connected to the inside interface, i.e.,
>> higher security level.
>>
>> The remote network is the network connected to the outside interface, i.e.,
>> lower security level.
>>
>> It applies to both inbound and outbound auth-proxy.
>>
>> With regards
>> Kings
>>
>> On Sun, Feb 14, 2010 at 11:12 PM, Brian Schultz <[email protected]> wrote:
>>
>>> For inbound authentication through the ASA, I can make it work by
>>> matching an ACL to the outside IP like this.
>>>
>>> *access-list Inbound_Auth_ACL extended permit tcp any host 192.1.24.15 eq telnet
>>> aaa authentication match Inbound_Auth_ACL outside AuthInbound*
>>> static (inside,outside) 192.1.24.15 10.2.2.5 netmask 255.255.255.255
>>> access-list OUTSIDE_IN extended permit tcp host 192.1.24.4 host 192.1.24.15 eq telnet
>>>
>>> However, if I set up a specific auth include, I have to use the inside
>>> address to make it work:
>>>
>>> *aaa authentication include telnet outside 10.2.2.5 255.255.255.255 0 0 AuthInbound*
>>> static (inside,outside) 192.1.24.15 10.2.2.5 netmask 255.255.255.255
>>> access-list OUTSIDE_IN extended permit tcp host 192.1.24.4 host 192.1.24.15 eq telnet
>>>
>>> I'm trying to figure out the order of operation and why each method acts
>>> differently. Any suggestions?
>>>
>>> Thanks,
>>> Brian
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
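Added example (not from the thread or from Cisco): a small Python model of the ordering Kings describes, evaluated on the addresses from Brian's configuration. The STATIC_NAT table, the helper functions and the sample flow are this model's own assumptions, not ASA code; it shows why the match ACL needs the outside (mapped) address while include needs the inside (real) address.

```python
import ipaddress

# Brian's translation: static (inside,outside) 192.1.24.15 10.2.2.5
# Mapped (outside-visible) address -> real (inside) address. Model assumption.
STATIC_NAT = {"192.1.24.15": "10.2.2.5"}


def to_net(addr, mask):
    """Turn ASA 'address mask' notation into a network; '0 0' means any."""
    if addr == "0" and mask == "0":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def match_triggers(acl_dst_host, pkt_src, pkt_dst):
    """'aaa authentication match <acl> outside': the ACL is checked against
    the packet as it arrives on 'outside', i.e. before untranslation, so the
    ACL host must be the mapped (outside) address. ACL modelled here:
    permit tcp any host <acl_dst_host> eq telnet."""
    return pkt_dst == acl_dst_host


def include_triggers(local, local_mask, remote, remote_mask, pkt_src, pkt_dst):
    """'aaa authentication include telnet outside <local> <remote>' (inbound):
    <local> is compared with the real (untranslated) destination and <remote>
    with the source, so <local> must be the inside address."""
    real_dst = STATIC_NAT.get(pkt_dst, pkt_dst)
    return (ipaddress.ip_address(real_dst) in to_net(local, local_mask)
            and ipaddress.ip_address(pkt_src) in to_net(remote, remote_mask))


def evaluate(pkt_src="192.1.24.4", pkt_dst="192.1.24.15"):
    """Constructed sample flow: the telnet session permitted by OUTSIDE_IN.
    Returns which of four candidate auth-proxy statements would trigger."""
    return {
        # Brian's working 'match' config (outside address in the ACL)
        "match acl host 192.1.24.15": match_triggers("192.1.24.15", pkt_src, pkt_dst),
        # same ACL written with the inside address: never sees the packet
        "match acl host 10.2.2.5": match_triggers("10.2.2.5", pkt_src, pkt_dst),
        # Brian's working 'include' config (inside address as <local>)
        "include 10.2.2.5 0 0": include_triggers("10.2.2.5", "255.255.255.255", "0", "0", pkt_src, pkt_dst),
        # 'include' with the outside address as <local>: does not trigger
        "include 192.1.24.15 0 0": include_triggers("192.1.24.15", "255.255.255.255", "0", "0", pkt_src, pkt_dst),
    }


if __name__ == "__main__":
    for stmt, fires in evaluate().items():
        print(f"{stmt:28} -> {'auth-proxy triggers' if fires else 'no match'}")
```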
