Hi Mike,

Is your ASA interface numbered with 192.10.1.100 outside or inside? I mean, what security level is it? As far as I remember, and recently confirmed, you have to have static NAT in case you connect to the lower security interface:

Static (inside,outside) 192.10.1.100 192.10.1.100

But when you connect to it from a higher security level it should work without NAT. What are your ASA proxyarp settings?

Eugene

From: [email protected] [mailto:[email protected]] On Behalf Of Mike Rojas
Sent: Sunday, August 05, 2012 7:29 PM
To: [email protected]
Subject: [OSL | CCIE_Security] Virtual http

Hello,

Another interesting question is in regards to virtual HTTP on the ASA: if you are connected directly to the same broadcast domain as the virtual IP, it does not work. If I try to do virtual http I get:

%ASA-2-106001: Inbound TCP connection denied from 192.10.1.200/4475 to 192.10.1.100/80 flags SYN on interface <unknown-ifc>
%ASA-2-106001: Inbound TCP connection denied from 192.10.1.200/4476 to 192.10.1.100/80 flags SYN on interface <unknown-ifc>

If I use an external IP address as virtual HTTP, of course it works because the packet is processed as if it was going outbound, authentication is picked up and it works fine.

Any thoughts?

Mike
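Added example, not part of the original thread: a small Python parser for the %ASA-2-106001 lines quoted above that counts denied SYNs aimed at the virtual http address, per source and reported interface, so the symptom Mike describes can be picked out of a larger syslog. The function names, the port-80 filter and the third sample line are assumptions made for this illustration.

```python
import re
from collections import Counter

# Assumption: the virtual http address used in the thread; adjust for your config.
VIRTUAL_HTTP_IP = "192.10.1.100"

# Matches the %ASA-2-106001 message layout exactly as quoted in the post.
DENY_RE = re.compile(
    r"%ASA-2-106001: Inbound TCP connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>.+?) on interface (?P<ifc>\S+)"
)

# First two lines are from the post; the third is constructed as a non-matching control.
SAMPLE_LOG = """\
%ASA-2-106001: Inbound TCP connection denied from 192.10.1.200/4475 to 192.10.1.100/80 flags SYN on interface <unknown-ifc>
%ASA-2-106001: Inbound TCP connection denied from 192.10.1.200/4476 to 192.10.1.100/80 flags SYN on interface <unknown-ifc>
%ASA-2-106001: Inbound TCP connection denied from 10.0.0.5/51000 to 172.16.1.10/22 flags SYN on interface outside
"""

def parse_denies(text):
    """Return one dict per 106001 line found in text; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            event = m.groupdict()
            event["sport"] = int(event["sport"])
            event["dport"] = int(event["dport"])
            events.append(event)
    return events

def virtual_http_denies(events, virtual_ip=VIRTUAL_HTTP_IP):
    """Count denied SYNs to virtual_ip on TCP/80, keyed by (source, interface)."""
    hits = Counter()
    for e in events:
        if (e["dst"] == virtual_ip and e["dport"] == 80
                and "SYN" in e["flags"].split()):
            hits[(e["src"], e["ifc"])] += 1
    return hits

if __name__ == "__main__":
    for (src, ifc), n in virtual_http_denies(parse_denies(SAMPLE_LOG)).items():
        print(f"{n} denied SYN(s) from {src} to {VIRTUAL_HTTP_IP}:80 on {ifc}")
```
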
