It is not "that's just the way it is. No one knows why".

That is the answer.

Ok, issue "sh arp" on the ASA:

Do you see the ASA's interface IP address to MAC address mappings?

Similarly, issue "sh arp" on an IOS router. You can see the router's Ethernet
interfaces' IP address to MAC address mappings. Also note the age is "-",
meaning it does not time out.


The ARP table should have the mappings of other devices in the Ethernet domain.
Just think: why does the ARP table have its own interfaces' mappings?

In Ethernet, a device will process a frame only if the frame has a
destination MAC address that is the same as the interface's MAC address. As soon
as you configure an IP address for an interface, the device knows that the
IP address belongs to it and will reply if there is an ARP request for that IP
address.

For cases like NAT, virtual NAT, SSLVPN, these features use an IP address
but don't have a MAC. You need L2 addresses for these addresses. Mostly, the
L2 address is the MAC address of the interface on which it is configured.

If there is no L2 address for these feature IP addresses, then if there is a host
sending a request for that feature IP address, the device will not respond
with an ARP reply as there is no L2 address.

Only with a static rule do you tell the ASA to use the interface MAC address for the ARP
reply when there is a host sending an ARP request for the virtual telnet IP
address.


Some examples:

ASA virtual telnet or http: add a static rule. This will associate the outside
interface MAC to the virtual IP address mostly. For any ARP request to the
virtual IP address, an ARP reply is sent with the interface's MAC address.

IOS NAT rules: you can observe that for the outside global address, the NAT
outside MAC address is used. When using NAT, check "sh arp".




With regards
Kings

On Mon, Apr 26, 2010 at 3:22 PM, Jimmy Larsson <[email protected]> wrote:

> Oh, sounds like another "that's just the way it is. No one knows why". ;)
>
> Thanks a lot for the explanation, Kings!
>
> /Jimmy
>
> 2010/4/26 Kingsley Charles <[email protected]>
>
>  In an Ethernet environment, ARP is used to resolve IP to MAC addresses.
>>
>> With ASA, when you configure an IP address for an interface, it adds
>> a mapping of the interface IP address to MAC address. For any host sending an ARP
>> request to reach the ASA interface, the ASA sends an ARP reply.
>>
>> Now when you configure a virtual telnet and a host is sending an ARP request
>> to the virtual address, the ASA needs to reply to it.
>>
>> Only if you configure a static rule for the virtual address will the ASA
>> add a MAC address mapping of its interface for the virtual IP address. Now
>> the ASA sends an ARP reply.
>>
>>
>> With regards
>> Kings
>> On Mon, Apr 26, 2010 at 2:33 PM, Jimmy Larsson <[email protected]> wrote:
>>
>>> Yeah, I understand that. But the task is about traffic TO the ASA, not
>>> through it. Why do a static for the virtual IP? Anyone?
>>>
>>> Br Jimmy
>>>
>>>
>>> 2010/4/26 Stojanco Cavdarov <[email protected]>
>>>
>>> Hi Jimmy
>>>>
>>>> I can't answer why it is needed, but we had a huge discussion about static NAT,
>>>> and if I understood it, the conclusion was that
>>>>
>>>> static (inside,outside) 1.1.1.1 2.2.2.2, and
>>>> static (outside,inside) 2.2.2.2 1.1.1.1
>>>>
>>>> ... will do the same thing. So if you're using (in,out), incoming
>>>> packets with src OR dst address 2.2.2.2 will be translated to 1.1.1.1, and
>>>> outgoing packets from OR to 1.1.1.1 will be translated to 2.2.2.2.
>>>>
>>>> I might be wrong on this though.
>>>>
>>>> On Mon, Apr 26, 2010 at 10:03 AM, Jimmy Larsson
>>>> <[email protected]> wrote:
>>>>
>>>>> Hi
>>>>>
>>>>> In task 1.9 I create a virtual-telnet for authentication of inbound
>>>>> traffic. But why is the "static (inside,outside) 192.1.24.9 192.1.24.9"
>>>>> needed? I telnet to the virtual IP from outside (R2). Why static? And why
>>>>> to inside?
>>>>>
>>>>> Br Jimmy
>>>>>
>>>>>
>>>>> --
>>>>> -------
>>>>> Jimmy Larsson
>>>>> Ryavagen 173
>>>>> s-26030 Vallakra
>>>>> Sweden
>>>>> http://blogg.kvistofta.nu
>>>>> -------
>>>>>
>>>>> _______________________________________________
>>>>> For more information regarding industry leading CCIE Lab training,
>>>>> please visit www.ipexpert.com
>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>
>
>
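The ARP-reply rule Kings lays out above (an interface IP gets a local MAC binding automatically; a virtual-telnet or NAT address only gets one once a static rule binds it to the interface MAC, and without that binding the box silently ignores ARP requests for it) written up as a small Python model. This is an added example, not code from the thread or from Cisco; the outside interface address 192.1.24.12, the MAC addresses and the R2 neighbour entry are constructed, and only the virtual IP 192.1.24.9 comes from the task. The `show_arp` output imitates the IOS table layout so the "-" age of local entries is visible.

```python
# Added example (not from the thread or from Cisco): a model of the ARP-reply
# decision a box makes. It answers an ARP request only for an IP that has a
# local L2 binding; interface addresses get one when configured, and a
# virtual/NAT address only gets one when a static rule ties it to an interface.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ArpEntry:
    ip: str
    mac: str
    interface: str
    age_min: Optional[int]  # None = local entry: shown as "-", never times out


class Device:
    """Minimal ASA/IOS-like box: interface MACs plus an ARP table."""

    def __init__(self) -> None:
        self.if_mac: Dict[str, str] = {}
        self.arp: Dict[str, ArpEntry] = {}

    def configure_interface(self, name: str, ip: str, mac: str) -> None:
        # Assigning an IP to an interface creates the local binding at once.
        self.if_mac[name] = mac
        self.arp[ip] = ArpEntry(ip, mac, name, None)

    def add_static(self, interface: str, address: str) -> None:
        # Models "static (inside,outside) X X" for a virtual address, or an IOS
        # NAT global on the outside interface: the address is bound to that
        # interface's MAC, so the box now owns it at layer 2.
        self.arp[address] = ArpEntry(address, self.if_mac[interface], interface, None)

    def learn(self, ip: str, mac: str, interface: str, age_min: int = 0) -> None:
        # A neighbour learned from its ARP traffic: it ages out, and the box
        # never answers ARP requests on its behalf.
        self.arp[ip] = ArpEntry(ip, mac, interface, age_min)

    def arp_reply(self, target_ip: str) -> Optional[str]:
        """MAC placed in the ARP reply, or None when the request is ignored."""
        entry = self.arp.get(target_ip)
        if entry is None or entry.age_min is not None:
            return None
        return entry.mac

    def show_arp(self) -> List[str]:
        """IOS-style 'show arp' rows; local entries print their age as '-'."""
        rows = ["Protocol  Address          Age (min)  Hardware Addr   Type   Interface"]
        for e in self.arp.values():
            age = "-" if e.age_min is None else str(e.age_min)
            rows.append(f"Internet  {e.ip:<16} {age:>9}  {e.mac:<15} ARPA   {e.interface}")
        return rows


def build_asa() -> Device:
    """ASA with a constructed outside interface and a learned R2 entry."""
    asa = Device()
    asa.configure_interface("outside", "192.1.24.12", "0000.0c24.1212")  # constructed
    asa.learn("192.1.24.2", "0000.0c24.0202", "outside", age_min=3)      # R2, constructed
    return asa


def virtual_telnet_scenario() -> Dict[str, Optional[str]]:
    """ARP for the virtual IP 192.1.24.9 before and after the static rule."""
    asa = build_asa()
    before = asa.arp_reply("192.1.24.9")      # no L2 binding yet: request ignored
    asa.add_static("outside", "192.1.24.9")   # the static from task 1.9
    after = asa.arp_reply("192.1.24.9")       # answered with the outside MAC
    neighbour = asa.arp_reply("192.1.24.2")   # learned entry: never proxied
    return {"before_static": before, "after_static": after, "for_neighbour": neighbour}


if __name__ == "__main__":
    print(virtual_telnet_scenario())
    asa = build_asa()
    asa.add_static("outside", "192.1.24.9")
    print("\n".join(asa.show_arp()))
```

Running the block prints `before_static` as `None` and `after_static` as the outside interface MAC, which is the difference the thread is asking about: the static does nothing for the telnet session itself, it only gives the virtual IP a MAC so the ASA will answer R2's ARP request at all. The same check applies to the IOS NAT case Kings mentions, where the global address shows up in `show arp` with the outside interface's MAC and an age of "-".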
