Hello,

1) Why a virtual IP on the inside?
Well, some scenarios will require that. E.g., you have only one outside IP assigned to you by the SP, so you simply do not have a spare IP for the virtual IP on the outside. Another, more relevant scenario is when you own your own block of public IPs and your ASAs are connected to (various) SPs via private IP links; you'll then reserve virtual IPs that are on the inside. (While in task 1.9 they just want to make things a bit more difficult for you.)

2) Why statics?
As you probably know, historically ASA (which is the Adaptive Security Algorithm used in PIXes) prohibited any connections to identity (which is any IP owned by the FW) "through" the firewall. E.g., you're not allowed to connect (e.g., telnet) to the inside interface from the outside. If you try you'll get:
        %ASA-6-302014: Teardown TCP connection 5853941 for outside:10.10.13.1/38913 to identity:10.10.3.10/23 duration 0:00:00 bytes 0 TCP Reset-I
and an RST is sent immediately.
I believe the internal ASA mechanism preventing these connections is the absence of the translation slot (xlate), which is a very generic security precaution in ASA. The way to work around this is to create a translation slot for an identity statically, e.g.:
        static (inside,outside) 10.10.3.10 10.10.3.10
Now, telnetting to the inside interface from the outside doesn't trigger the generic "no xlate" block; however, the communication is still dropped by the other security mechanism:
        Deny IP spoof from (10.10.13.1) to 10.10.3.10 on interface outside

Now, my hypothesis is that Cisco probably found it more convenient to lift the "deny IP spoof" limitation for virtual telnet (and HTTP) rather than to bypass the (much more) generic "no xlate" blocking mechanism.

I'd like very much to hear other opinions on that matter. Thank you.

========================================================

>>>>>   On Mon, Apr 26, 2010 at 10:03 AM, Jimmy Larsson 
>>>>> <[email protected]>wrote:
>>>>>
>>>>>>  Hi
>>>>>>
>>>>>> In task 1.9 I create a virtual-telnet for authentication of inbound traffic.
>>>>>> But why is the "static (inside,outside) 192.1.24.9 192.1.24.9" needed?
>>>>>> I telnet to the virtual IP from outside (R2). Why static? And why to inside?
>>>>>>
>>>>>> Br Jimmy
>>>>>>
>>>>>>
==========================================================
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
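For reference, this is what the complete virtual telnet setup discussed above looks like in the pre-8.3 (static NAT) ASA syntax used in the thread. It is an added example, not configuration from either post or from the lab workbook; the interface names, the 192.1.24.0/24 inside subnet, the protected host 192.1.24.10, the ACL names and the local username are assumptions.

```cisco
! Assumed topology: inside = 192.1.24.0/24, virtual telnet address 192.1.24.9
! (not bound to any real host), R2 on the outside, web server 192.1.24.10 inside.

! The address the ASA itself answers on for the authentication telnet.
virtual telnet 192.1.24.9

! Identity static: gives the ASA's own virtual address an xlate so the
! inbound telnet is not torn down with "TCP Reset-I" to identity.
static (inside,outside) 192.1.24.9 192.1.24.9 netmask 255.255.255.255

! Inbound ACL: the telnet to the virtual address must be permitted,
! plus whatever traffic the user is authenticating for.
access-list OUTSIDE_IN extended permit tcp any host 192.1.24.9 eq telnet
access-list OUTSIDE_IN extended permit tcp any host 192.1.24.10 eq www
access-group OUTSIDE_IN in interface outside

! Which inbound traffic requires prior authentication. The telnet to the
! virtual address itself must match here, or the ASA never prompts.
access-list AUTH_IN extended permit tcp any host 192.1.24.9 eq telnet
access-list AUTH_IN extended permit tcp any host 192.1.24.10 eq www
aaa authentication match AUTH_IN outside LOCAL

! Assumed local account used for the cut-through proxy login.
username ccie password cisco
```

To check that the static did what the reply describes, `show xlate | include 192.1.24.9` should show the identity entry before any telnet is attempted; after telnetting to 192.1.24.9 from R2 and logging in, `show uauth` lists the authenticated source address, and only then does the HTTP to 192.1.24.10 pass. On 8.3 and later the same identity translation is written as a network object for 192.1.24.9 with `nat (inside,outside) static 192.1.24.9`.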
