It's inbound from the DMZ's perspective. Outbound is when traffic is leaving the interface. Inbound is when traffic is received at the interface from an initiating source.
On Saturday, April 21, 2012, Imre Oszkar wrote:

> hmm.. the interface association seems to be a reasonable answer.
> In case of the virtual IPs, how do you differentiate between inbound or
> outbound traffic? In my case the connection was sourced from dmz
> (sec-level 50) to the virtual IP; is this inbound or outbound?
>
> Oszkar
>
> On Sat, Apr 21, 2012 at 4:17 AM, Kingsley Charles <[email protected]> wrote:
>
> > How will you make the ASA understand that the address is being used for
> > virtual http or telnet when it is not being associated to an interface?
> >
> > So for inbound you need a static NAT.
> >
> > For outbound, you don't need it because that traffic will be intercepted.
> >
> > With regards
> > Kings
> >
> > On Sat, Apr 21, 2012 at 4:43 PM, Kingsley Charles <[email protected]> wrote:
> >
> > > Snippet from
> > > http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/fwaaa.html
> > >
> > > For inbound users (from lower security to higher security), you must also
> > > include the virtual Telnet address as a destination interface in the access
> > > list applied to the source interface. Moreover, you must add a
> > > *static* command for the virtual Telnet IP address, even if NAT is not required
> > > (using the *no nat-control* command). An identity NAT command is
> > > typically used (where you translate the address to itself).
> > >
> > > With regards
> > > Kings
> > >
> > > On Sat, Apr 21, 2012 at 10:50 AM, Imre Oszkar <[email protected]> wrote:
> > >
> > > > ASA twilight zone? :)
> > > >
> > > > On Fri, Apr 20, 2012 at 4:01 PM, Fawad Khan <[email protected]> wrote:
> > > >
> > > > > A static identity NAT for the virtual IP would be required.... don't ask me
> > > > > why, :)............ also try to play with it like this
> > > > >
> > > > >     static (inside,outside) 10.0.0.200 10.1.1.1
> > > > >
> > > > > and it will still work. again, don't ask me why... I did a similar setup
> > > > > a couple of years back and made a typo in the static, but the solution worked
> > > > > like a charm.
> > > > >
> > > > > FNK
> > > > >
> > > > > On Fri, Apr 20, 2012 at 4:35 PM, Imre Oszkar <[email protected]> wrote:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > I have the following cut-through proxy config on an ASA.
> > > > > >
> > > > > >     aaa authentication match trigger dmz TACACS
> > > > > >     access-list trigger extended permit tcp any any eq 2001
> > > > > >     access-list trigger extended permit tcp any host 10.0.0.200 eq www
> > > > > >     access-list trigger extended permit tcp any host 10.0.0.201 eq telnet
> > > > > >
> > > > > >     virtual http 10.0.0.200
> > > > > >     virtual telnet 10.0.0.201
> > > > > >
> > > > > > For some reason the virtual IPs don't accept connections. Here is the log
> > > > > > I get on the ASA:
> > > > > >
> > > > > >     %ASA-2-106001: Inbound TCP connection denied from 10.0.0.100/3088 to 10.0.0.201/23 flags SYN on interface dmz
> > > > > >     %ASA-2-106001: Inbound TCP connection denied from 10.0.0.100/1035 to 10.0.0.200/80 flags SYN on interface dmz
> > > > > >
> > > > > > Any other form of network authentication is working well, including
> > > > > > listener and redirect.
> > > > > >
> > > > > > Please comment,
> > > > > >
> > > > > > Thanks,
> > > > > > Oszkar
> > > > > >
> > > > > > _______________________________________________
> > > > > > For more information regarding industry leading CCIE Lab training, please
> > > > > > visit www.ipexpert.com
> > > > > >
> > > > > > Are you a CCNP or CCIE and looking for a job? Check out
> > > > > > www.PlatinumPlacement.com
> > > > >
> > > > > --
> > > > > FNK
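The thread's conclusion is that a virtual http/telnet address reached from a lower-security interface needs an identity static NAT, and that the symptom is a %ASA-2-106001 denial on the source interface. The following is an added example, not code from the thread or from Cisco: a small checker that parses an ASA configuration for `virtual` and `static` lines, flags virtual IPs with no identity static, and correlates 106001 log lines against them. The config and log are constructed from the poster's lines; the `static (inside,dmz)` entry and the interface names are assumptions.

```python
import re

# Constructed sample config: the poster's lines plus one assumed identity
# static for 10.0.0.200 only, so one virtual IP is covered and one is not.
ASA_CONFIG = """\
aaa authentication match trigger dmz TACACS
access-list trigger extended permit tcp any any eq 2001
access-list trigger extended permit tcp any host 10.0.0.200 eq www
access-list trigger extended permit tcp any host 10.0.0.201 eq telnet
virtual http 10.0.0.200
virtual telnet 10.0.0.201
static (inside,dmz) 10.0.0.200 10.0.0.200 netmask 255.255.255.255
"""

# Constructed sample syslog, same shape as the thread's 106001 denials.
ASA_LOG = """\
%ASA-2-106001: Inbound TCP connection denied from 10.0.0.100/3088 to 10.0.0.201/23 flags SYN on interface dmz
%ASA-2-106001: Inbound TCP connection denied from 10.0.0.100/1035 to 10.0.0.200/80 flags SYN on interface dmz
"""

VIRTUAL_RE = re.compile(r"^virtual\s+(http|telnet)\s+(\S+)", re.M)
# pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask ...]
STATIC_RE = re.compile(r"^static\s+\(\S+,\S+\)\s+(\S+)\s+(\S+)", re.M)
DENY_RE = re.compile(r"%ASA-2-106001: Inbound TCP connection denied from "
                     r"(\S+)/\d+ to (\S+)/(\d+) .* on interface (\S+)")

def virtual_ips(config):
    """Map each virtual http/telnet address to its service name."""
    return {ip: svc for svc, ip in VIRTUAL_RE.findall(config)}

def identity_statics(config):
    """Addresses that a static command translates to themselves."""
    return {mapped for mapped, real in STATIC_RE.findall(config) if mapped == real}

def missing_identity_nat(config):
    """Virtual IPs that inbound (lower-to-higher security) users cannot reach
    because the config has no identity static for them."""
    return sorted(set(virtual_ips(config)) - identity_statics(config))

def explain_denials(log, config):
    """For each 106001 denial aimed at a virtual IP, return
    (dst, service, interface, likely cause)."""
    vips = virtual_ips(config)
    missing = set(missing_identity_nat(config))
    findings = []
    for _src, dst, _port, iface in DENY_RE.findall(log):
        if dst in vips:
            cause = "no identity static NAT" if dst in missing else "other (check ACL/AAA)"
            findings.append((dst, vips[dst], iface, cause))
    return findings
```

Run on the sample, `missing_identity_nat` reports only 10.0.0.201, and the second denial is left for the access list or AAA rules to explain.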
