Hi Kings,

The thing is that I had ARP for the virtual IP on the clients without the static configured. As you can see the traffic from the client hit the ASA and got dropped. Because of that I don't see how the static could be an ARP/PROXY ARP related requirement in this case.
Oszkar

On Fri, Apr 20, 2012 at 8:38 PM, Kingsley Charles <[email protected]> wrote:

> You need static entry when it is on lower security. It adds an arp entry
> and does a proxy arp to respond to ARP request coming for that virtual ip.
>
> With regards
> Kings
>
> On Sat, Apr 21, 2012 at 2:15 AM, Imre Oszkar <[email protected]> wrote:
>
>> a static identity nat for the virtual ip-s fixed the problem.. however I
>> don't get the idea why do we need that. The traffic was sourced from a
>> higher sec interface (dmz) to a lower sec interface (outside)
>>
>> On Fri, Apr 20, 2012 at 1:35 PM, Imre Oszkar <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> I have the following cut-through proxy config on an ASA.
>>>
>>> aaa authentication match trigger dmz TACACS
>>> access-list trigger extended permit tcp any any eq 2001
>>> access-list trigger extended permit tcp any host 10.0.0.200 eq www
>>> access-list trigger extended permit tcp any host 10.0.0.201 eq telnet
>>>
>>> virtual http 10.0.0.200
>>> virtual telnet 10.0.0.201
>>>
>>> For some reason the virtual IPs don't accept connections. Here is the
>>> log I get on the ASA:
>>>
>>> %ASA-2-106001: Inbound TCP connection denied from 10.0.0.100/3088 to 10.0.0.201/23 flags SYN on interface dmz
>>> %ASA-2-106001: Inbound TCP connection denied from 10.0.0.100/1035 to 10.0.0.200/80 flags SYN on interface dmz
>>>
>>> Any other form of network authentication is working well, including
>>> listener and redirect.
>>>
>>> Please comment,
>>>
>>> Thanks,
>>> Oszkar
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
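An added example, not part of the original thread: a small Python triage script that cross-references the `virtual http` / `virtual telnet` addresses in the quoted configuration with the quoted `%ASA-2-106001` denies, to confirm that the dropped SYNs are the ones aimed at the cut-through proxy virtual IPs. The function and variable names are hypothetical, and the sample input is constructed from the lines quoted in the thread.

```python
import re

# Constructed sample input: the configuration and syslog lines quoted in the thread.
CONFIG = """\
aaa authentication match trigger dmz TACACS
access-list trigger extended permit tcp any any eq 2001
access-list trigger extended permit tcp any host 10.0.0.200 eq www
access-list trigger extended permit tcp any host 10.0.0.201 eq telnet
virtual http 10.0.0.200
virtual telnet 10.0.0.201
"""
SYSLOG = """\
%ASA-2-106001: Inbound TCP connection denied from 10.0.0.100/3088 to 10.0.0.201/23 flags SYN on interface dmz
%ASA-2-106001: Inbound TCP connection denied from 10.0.0.100/1035 to 10.0.0.200/80 flags SYN on interface dmz
"""

VIRTUAL_RE = re.compile(r"^virtual\s+(http|telnet)\s+(\d+\.\d+\.\d+\.\d+)", re.M)
DENY_RE = re.compile(
    r"%ASA-2-106001: Inbound TCP connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>.+?) on interface (?P<ifc>\S+)"
)
EXPECTED_PORT = {"http": 80, "telnet": 23}  # default ports for the two services

def virtual_addresses(config):
    """Map each 'virtual http|telnet' address to its service name."""
    return {ip: svc for svc, ip in VIRTUAL_RE.findall(config)}

def denied_virtual_hits(config, syslog):
    """Return 106001 denies whose destination is a configured virtual address."""
    virtuals = virtual_addresses(config)
    hits = []
    for m in DENY_RE.finditer(syslog):
        svc = virtuals.get(m["dst"])
        if svc is None:
            continue  # deny is unrelated to the cut-through proxy virtual IPs
        hits.append({
            "service": svc, "client": m["src"], "virtual_ip": m["dst"],
            "interface": m["ifc"],
            "port_matches_service": int(m["dport"]) == EXPECTED_PORT[svc],
        })
    return hits

if __name__ == "__main__":
    for hit in denied_virtual_hits(CONFIG, SYSLOG):
        print(hit)
```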
