Higher sec to lower sec - outbound
Lower sec to higher sec - inbound

With regards
Kings

On Sat, Apr 21, 2012 at 9:48 PM, Imre Oszkar <[email protected]> wrote:
>
> hmm..the interface association seems to be a reasonable answer.
> In case of the virtual IPs how do you differentiate between inbound or
> outbound traffic? In my case the connection was sourced from dmz
> (sec-level 50) to the virtual IP, is this inbound or outbound?
>
> Oszkar
>
> On Sat, Apr 21, 2012 at 4:17 AM, Kingsley Charles <[email protected]> wrote:
>
>> How will you make the ASA understand that address is being used for
>> virtual http or telnet when it is not being associated to an interface?
>>
>> So for inbound you need a static NAT.
>>
>> For outbound, you don't need it because that traffic will be intercepted
>>
>> With regards
>> Kings
>>
>> On Sat, Apr 21, 2012 at 4:43 PM, Kingsley Charles <[email protected]> wrote:
>>
>>> Snippet from
>>> http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/fwaaa.html
>>>
>>> For inbound users (from lower security to higher security), you must
>>> also include the virtual Telnet address as a destination interface in the
>>> access list applied to the source interface. Moreover, you must add a
>>> *static* command for the virtual Telnet IP address, even if NAT is not
>>> required (using the *no nat-control* command). An identity NAT command
>>> is typically used (where you translate the address to itself).
>>>
>>> With regards
>>> Kings
>>>
>>> On Sat, Apr 21, 2012 at 10:50 AM, Imre Oszkar <[email protected]> wrote:
>>>
>>>> ASA twilight zone? :)
>>>>
>>>> On Fri, Apr 20, 2012 at 4:01 PM, Fawad Khan <[email protected]> wrote:
>>>>
>>>>> A static identity NAT for the virtual IP would be required.... don't
>>>>> ask me why, :)............ also try to play with it like this
>>>>>
>>>>> static (inside,outside) 10.0.0.200 10.1.1.1
>>>>>
>>>>> and it will still work. again, don't ask me why... I did a similar
>>>>> setup a couple of years back and did a typo in the static, but the solution
>>>>> worked like a charm.
>>>>>
>>>>> FNK
>>>>>
>>>>> On Fri, Apr 20, 2012 at 4:35 PM, Imre Oszkar <[email protected]> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I have the following cut-through proxy config on an ASA.
>>>>>>
>>>>>> aaa authentication match trigger dmz TACACS
>>>>>> access-list trigger extended permit tcp any any eq 2001
>>>>>> access-list trigger extended permit tcp any host 10.0.0.200 eq www
>>>>>> access-list trigger extended permit tcp any host 10.0.0.201 eq telnet
>>>>>>
>>>>>> virtual http 10.0.0.200
>>>>>> virtual telnet 10.0.0.201
>>>>>>
>>>>>> For some reason the virtual IPs don't accept connections. Here is
>>>>>> the log I get on the ASA:
>>>>>>
>>>>>> %ASA-2-106001: Inbound TCP connection denied from 10.0.0.100/3088 to
>>>>>> 10.0.0.201/23 flags SYN on interface dmz
>>>>>> %ASA-2-106001: Inbound TCP connection denied from 10.0.0.100/1035 to
>>>>>> 10.0.0.200/80 flags SYN on interface dmz
>>>>>>
>>>>>> Any other form of network authentication is working well, including
>>>>>> listener and redirect.
>>>>>>
>>>>>> Please comment,
>>>>>>
>>>>>> Thanks,
>>>>>> Oszkar

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
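The guide snippet Kings quoted, applied to Oszkar's configuration, as an added example that is not part of any post in this thread. It assumes the dmz (security level 50) hosts authenticate in order to reach a higher-security interface named inside, so the dmz-to-virtual-IP connection is the inbound case the guide describes; the interface name inside, the ACL name dmz_in and the comment lines are assumptions, while the trigger ACL, the virtual addresses and the 10.0.0.x addressing come from Oszkar's post.

```text
! Oszkar's existing cut-through proxy configuration (from the original post)
aaa authentication match trigger dmz TACACS
access-list trigger extended permit tcp any any eq 2001
access-list trigger extended permit tcp any host 10.0.0.200 eq www
access-list trigger extended permit tcp any host 10.0.0.201 eq telnet
virtual http 10.0.0.200
virtual telnet 10.0.0.201
!
! Requirement 1 from the guide: the ACL applied to the source (dmz)
! interface must permit the virtual addresses as destinations, alongside
! the traffic that the proxy is meant to protect. The ACL name dmz_in is
! assumed; if dmz already has an ACL applied, add these entries to it
! rather than binding a second one (access-group replaces the old one).
access-list dmz_in extended permit tcp any host 10.0.0.201 eq telnet
access-list dmz_in extended permit tcp any host 10.0.0.200 eq www
access-list dmz_in extended permit tcp any any eq 2001
access-group dmz_in in interface dmz
!
! Requirement 2 from the guide: an identity static for each virtual
! address (8.0 syntax, as in the linked guide), translating it to itself on
! the interface pair the inbound flow crosses. As Kings put it, this is what
! ties the otherwise unassociated virtual address to an interface pair.
! The higher-security interface name "inside" is assumed.
static (inside,dmz) 10.0.0.200 10.0.0.200 netmask 255.255.255.255
static (inside,dmz) 10.0.0.201 10.0.0.201 netmask 255.255.255.255
```

On ASA 8.3 and later the static command is replaced by object or twice NAT, so only the 8.0 form above matches the guide Kings linked; the access-list and virtual commands are unchanged.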
