Hi Eugene,
 
My 192.10.1.x is on the inside... If I try to access IP 192.10.1.200, it gives
me the error below.

%ASA-2-106001: Inbound TCP connection denied from 192.10.1.200/4475 to 192.10.1.100/80 flags SYN  on interface <unknown-ifc>

Of course, if I use an external IP... as virtual IP, it works like a charm.
Another thing, now that you mention proxyArp: on the client I was able to see
the MAC for the virtual IP; however, I got that log.

Mike.

From: [email protected]
To: [email protected]; [email protected]
Subject: RE: [OSL | CCIE_Security] Virtual http
Date: Mon, 6 Aug 2012 18:20:59 +0000

Hi Mike,
Is your ASA interface numbered with 192.10.1.100 outside or inside? I mean, what
security level is it?
As far as I remember, and I recently confirmed it, you have to have static NAT in
case you connect to the lower security interface:

static (inside,outside) 192.10.1.100 192.10.1.100

But when you connect to it from a higher security level, it should work without
NAT. What are your ASA proxyarp settings?

Eugene
 


From: [email protected] [mailto:[email protected]] On Behalf Of Mike Rojas
Sent: Sunday, August 05, 2012 7:29 PM
To: [email protected]
Subject: [OSL | CCIE_Security] Virtual http

Hello,

Another interesting question is in regard to virtual HTTP on the ASA: if you
are connected directly to the same broadcast domain as the virtual IP, it does
not work.

If I try to do virtual http I get:

%ASA-2-106001: Inbound TCP connection denied from 192.10.1.200/4475 to 192.10.1.100/80 flags SYN  on interface <unknown-ifc>

%ASA-2-106001: Inbound TCP connection denied from 192.10.1.200/4476 to 192.10.1.100/80 flags SYN  on interface <unknown-ifc>

If I use an external IP address as virtual HTTP, of course it works cuz the
packet is processed as if it was going outbound, authentication is picked up and it
works fine.

Any thoughts?

Mike