Snippet from http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/fwaaa.html
For inbound users (from lower security to higher security), you must also include the virtual Telnet address as a destination interface in the access list applied to the source interface. Moreover, you must add a *static* command for the virtual Telnet IP address, even if NAT is not required (using the *no nat-control* command). An identity NAT command is typically used (where you translate the address to itself).

With regards
Kings

On Sat, Apr 21, 2012 at 10:50 AM, Imre Oszkar <[email protected]> wrote:
>
> ASA twilight zone? :)
>
> On Fri, Apr 20, 2012 at 4:01 PM, Fawad Khan <[email protected]> wrote:
>
>> A static Identity nat for the Virtual IP would be required.... don't ask me why, :)............ also try to play with it like this
>>
>> static(inside,outside) 10.0.0.200 10.1.1.1
>>
>> and it will still work. again, don't ask me why... I did a similar setup a couple of years back and did a typo in the static, but the solution worked like a charm.
>>
>> FNK
>>
>> On Fri, Apr 20, 2012 at 4:35 PM, Imre Oszkar <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> I have the following cut-through proxy config on an ASA.
>>>
>>> aaa authentication match trigger dmz TACACS
>>> access-list trigger extended permit tcp any any eq 2001
>>> access-list trigger extended permit tcp any host 10.0.0.200 eq www
>>> access-list trigger extended permit tcp any host 10.0.0.201 eq telnet
>>>
>>> virtual http 10.0.0.200
>>> virtual telnet 10.0.0.201
>>>
>>> For some reason the virtual IPs don't accept connections. Here is the log I get on the ASA:
>>>
>>> %ASA-2-106001: Inbound TCP connection denied from 10.0.0.100/3088 to 10.0.0.201/23 flags SYN on interface dmz
>>> %ASA-2-106001: Inbound TCP connection denied from 10.0.0.100/1035 to 10.0.0.200/80 flags SYN on interface dmz
>>>
>>> Any other form of network authentication is working well, including listener and redirect.
>>>
>>> Please comment,
>>>
>>> Thanks,
>>> Oszkar
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training,
>>> please visit www.ipexpert.com
>>>
>>> Are you a CCNP or CCIE and looking for a job? Check out
>>> www.PlatinumPlacement.com
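The two prerequisites the Cisco excerpt lists for inbound cut-through proxy (a permit for the virtual address in the ACL applied to the source interface, and an identity static for it) can be checked mechanically. The Python lint below is an added example, not code from the thread or from Cisco; it scans a constructed config modelled on Oszkar's in which virtual telnet has both prerequisites and virtual http has neither. The ACL name `dmz_in`, the `static (inside,dmz)` pair and the assumption that the virtual address is mapped on the source interface are mine.

```python
import re

# Constructed ASA 8.0-style config modelled on the thread: virtual telnet has the
# inbound ACL permit and the identity static, virtual http has neither (assumed names).
CONFIG = """\
aaa authentication match trigger dmz TACACS
access-list trigger extended permit tcp any host 10.0.0.200 eq www
access-list trigger extended permit tcp any host 10.0.0.201 eq telnet
virtual http 10.0.0.200
virtual telnet 10.0.0.201
access-list dmz_in extended permit tcp any host 10.0.0.201 eq telnet
access-group dmz_in in interface dmz
static (inside,dmz) 10.0.0.201 10.0.0.201 netmask 255.255.255.255
"""

VIRTUAL = re.compile(r"^virtual (http|telnet) (\S+)")
STATIC = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")  # (real_ifc,mapped_ifc) mapped_ip real_ip
ACL = re.compile(r"^access-list (\S+) extended permit \S+ \S+ host (\S+)")  # 'host' destinations only
GROUP = re.compile(r"^access-group (\S+) in interface (\S+)")

def parse(config):
    """Collect virtual addresses, statics, ACL destination hosts and inbound access-groups."""
    virtual, statics, acl_hosts, groups = {}, {}, {}, {}
    for line in config.splitlines():
        if m := VIRTUAL.match(line):
            virtual[m.group(2)] = m.group(1)
        elif m := STATIC.match(line):
            statics[m.group(3)] = (m.group(2), m.group(4))  # mapped_ip -> (mapped_ifc, real_ip)
        elif m := ACL.match(line):
            acl_hosts.setdefault(m.group(1), set()).add(m.group(2))
        elif m := GROUP.match(line):
            groups[m.group(2)] = m.group(1)  # interface -> ACL applied inbound
    return virtual, statics, acl_hosts, groups

def check_inbound_virtual(config, source_ifc):
    """Return {virtual_ip: [missing prerequisites]} for users entering on source_ifc."""
    virtual, statics, acl_hosts, groups = parse(config)
    inbound_acl = acl_hosts.get(groups.get(source_ifc, ""), set())
    problems = {}
    for ip in virtual:
        missing = []
        if ip not in inbound_acl:
            missing.append(f"no permit to host {ip} in the ACL applied inbound on {source_ifc}")
        # Identity static: mapped address equals real address, mapped on the source interface.
        if statics.get(ip) != (source_ifc, ip):
            missing.append(f"no identity static for {ip} mapped on {source_ifc}")
        problems[ip] = missing
    return problems
```

Run against the sample, the check reports both prerequisites missing for 10.0.0.200, which matches the denied SYN to 10.0.0.200/80 in the posted log; an `any` destination in the interface ACL is not recognised by this simplified parser.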
