A static identity NAT for the virtual IPs fixed the problem. However, I
don't get why we need that. The traffic was sourced from a
higher sec interface (dmz) to a lower sec interface (outside).

On Fri, Apr 20, 2012 at 1:35 PM, Imre Oszkar <[email protected]> wrote:

> Hi,
>
> I have the following cut-through proxy config on an ASA.
>
> aaa authentication match trigger dmz TACACS
> access-list trigger extended permit tcp any any eq 2001
> access-list trigger extended permit tcp any host 10.0.0.200 eq www
> access-list trigger extended permit tcp any host 10.0.0.201 eq telnet
>
> virtual http 10.0.0.200
> virtual telnet 10.0.0.201
>
> For some reason the virtual IPs don't accept connections. Here is the log
> I get on the ASA:
>
> %ASA-2-106001: Inbound TCP connection denied from 10.0.0.100/3088 to
> 10.0.0.201/23 flags SYN  on interface  dmz
> %ASA-2-106001: Inbound TCP connection denied from 10.0.0.100/1035 to
> 10.0.0.200/80 flags SYN  on interface dmz
>
> Any other form of network authentication is working well, including
> listener and redirect.
>
> Please comment,
>
> Thanks,
> Oszkar