Exclude the PAT'ed devices behind R2.

ip tcp intercept list WEB_SERVER
ip tcp intercept max-incomplete low 150 high 300
ip tcp intercept mode watch
ip tcp intercept drop-mode random
!
ip access-list extended WEB_SERVER
 deny tcp host 9.9.156.2 host 10.0.45.4
 permit tcp any host 10.0.45.4

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: Thursday, October 07, 2010 11:55 AM
Cc: [email protected]; [email protected]
Subject: [OSL | CCIE_Security] Lab 2A question

Hello,

There is a line in the access-list I am not sure why it is there. Cannot see any related info in lab tasks. Could someone pls explain?

ip access-list ext WEB_SERVER
 deny tcp host 9.9.156.2 host 10.0.45.4 - ??
 permit tcp any host 10.0.45.4

Much appreciated

From: Buck Wallander <[email protected]>
To: Kingsley Charles <[email protected]>
Cc: [email protected]
Date: 10/07/2010 08:44 AM
Subject: Re: [OSL | CCIE_Security] ASA CA server
Sent by: [email protected]

You can't access by the IP address, you have to access it by the URL that gets emailed to you (or enrolled users) via the full link, including going by the hostname. In my case I don't have valid public DNS records so I just make a localhost entry.

On Thu, Oct 7, 2010 at 7:44 AM, Kingsley Charles <[email protected]> wrote:

Hi all

I am trying to lab up an ASA CA server. As per both the links given below (CCIE doc and IPE blog by Stu), I see that the enrollment url is https://hostname/+CSCOCA+/enroll.html.
Instead of the hostname, I tried putting the ASA's inside and outside IP address but I didn't get the enrollment page.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cert_cfg.html#wp1067997
http://blog.ipexpert.com/2010/07/28/asa-local-ca-server/

Then I tried enabling http as follows. I got the http authentication pop up but it still doesn't work.

http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside

Has anyone tried it?

With regards
Kings

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
