Eugene, I did... I will forward you my config in a bit.

Mike Rojas

From: [email protected]
To: [email protected]; [email protected]
Subject: RE: [OSL | CCIE_Security] Virtual http
Date: Mon, 6 Aug 2012 19:41:17 +0000

Hm... This only makes me believe you don't have an ACE in your Cut Through Proxy triggering ACL, and this ACE should include port 80 to 192.10.1.100. Just tested it and confirmed it works for me. My ASA config sections:

    ASA2(config)# sh run inter
    !
    interface Ethernet0/0
     nameif inside
     security-level 100
     ip address 192.1.49.2 255.255.255.0
    !
    interface Ethernet0/1
     nameif outside
     security-level 0
     ip address 10.2.2.2 255.255.255.0
    !
    access-list CTP-ACL extended permit tcp any host 10.2.2.1 eq www
    access-list CTP-ACL extended permit tcp any host 10.2.2.1 eq ssh
    access-list CTP-ACL extended permit tcp any host 192.1.49.100 eq www
    !
    virtual http 192.1.49.100
    !
    aaa authentication match CTP-ACL inside LOCAL

A host on the inside (192.1.49.200) initiated the connection in the browser to the router running HTTP (10.2.2.1), and the ASA intercepted it and challenged with an authentication screen. Then, having authenticated using the ASA local username, I was challenged with the router HTTP login window.

Eugene

From: Mike Rojas [mailto:[email protected]]
Sent: Monday, August 06, 2012 11:41 AM
To: Eugene Pefti; [email protected]
Subject: RE: [OSL | CCIE_Security] Virtual http

Hi Eugene,

My 192.10.1.x is on the inside.... If I try to access IP 192.10.1.200 it gave me the error below.

    %ASA-2-106001: Inbound TCP connection denied from 192.10.1.200/4475 to 192.10.1.100/80 flags SYN on interface <unknown-ifc>

Of course, if I use an external IP as the virtual IP, it works like a charm. Another thing, now that you mention proxy ARP: on the client I was able to see the MAC for the virtual IP; however, I got that log.

Mike.

From: [email protected]
To: [email protected]; [email protected]
Subject: RE: [OSL | CCIE_Security] Virtual http
Date: Mon, 6 Aug 2012 18:20:59 +0000

Hi Mike,

Is your ASA interface numbered with 192.10.1.100 outside or inside? I mean, what security level is it? As far as I remember, and recently confirmed, you have to have static NAT in case you connect to the lower security interface:

    static (inside,outside) 192.10.1.100 192.10.1.100

But when you connect to it from a higher security level it should work without NAT. What are your ASA proxyarp settings?

Eugene

From: [email protected] [mailto:[email protected]] On Behalf Of Mike Rojas
Sent: Sunday, August 05, 2012 7:29 PM
To: [email protected]
Subject: [OSL | CCIE_Security] Virtual http

Hello,

Another interesting question is in regard to virtual HTTP on the ASA: if you are connected directly to the same broadcast domain as the virtual IP, it does not work. If I try to do virtual http I get:

    %ASA-2-106001: Inbound TCP connection denied from 192.10.1.200/4475 to 192.10.1.100/80 flags SYN on interface <unknown-ifc>
    %ASA-2-106001: Inbound TCP connection denied from 192.10.1.200/4476 to 192.10.1.100/80 flags SYN on interface <unknown-ifc>

If I use an external IP address as virtual HTTP, of course it works cuz the packet is processed as if it was going outbound, authentication is picked up and it works fine.

Any thoughts?

Mike
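The check Eugene describes (every ACL named in `aaa authentication match` must carry an ACE permitting TCP/80 to the `virtual http` address), together with a filter for the `%ASA-2-106001` denials Mike pasted, as an added Python example that is not from anyone on the thread. The sample config is Eugene's posted one; the "broken" variant is constructed by dropping the virtual-IP ACE, which is the gap he suspected.

```python
import re

# Constructed sample: Eugene's working config from the thread. The broken
# variant removes the ACE for the virtual IP to reproduce the suspected gap.
WORKING_CONFIG = """
access-list CTP-ACL extended permit tcp any host 10.2.2.1 eq www
access-list CTP-ACL extended permit tcp any host 10.2.2.1 eq ssh
access-list CTP-ACL extended permit tcp any host 192.1.49.100 eq www
virtual http 192.1.49.100
aaa authentication match CTP-ACL inside LOCAL
"""
BROKEN_CONFIG = WORKING_CONFIG.replace(
    "access-list CTP-ACL extended permit tcp any host 192.1.49.100 eq www\n", "")

# Only TCP ACEs whose destination is a single host on www/80 matter here.
ACE_RE = re.compile(r"^access-list (\S+) extended permit tcp .+ host (\S+) eq (?:www|80)$")
VHTTP_RE = re.compile(r"^virtual http (\S+)$")
AAA_RE = re.compile(r"^aaa authentication match (\S+) (\S+) (\S+)$")
DENY_RE = re.compile(
    r"%ASA-2-106001: Inbound TCP connection denied from (\S+)/\d+ to (\S+)/(\d+)")


def audit_virtual_http(config):
    """Return the virtual http address, the ACLs used for cut-through proxy
    authentication, and which of those ACLs lack a TCP/80 ACE to that address."""
    vhttp, match_acls, web_aces = None, [], {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := VHTTP_RE.match(line):
            vhttp = m.group(1)
        elif m := AAA_RE.match(line):
            match_acls.append(m.group(1))
        elif m := ACE_RE.match(line):
            web_aces.setdefault(m.group(1), set()).add(m.group(2))
    missing = [acl for acl in match_acls if vhttp not in web_aces.get(acl, set())]
    return {"virtual_http": vhttp, "match_acls": match_acls, "missing": missing,
            "covered": vhttp is not None and bool(match_acls) and not missing}


def denied_to_virtual_http(log_lines, vhttp):
    """Pick out 106001 denials of SYNs to the virtual HTTP address on port 80,
    the symptom in Mike's logs; returns (src, dst, port) tuples."""
    hits = []
    for line in log_lines:
        m = DENY_RE.search(line)
        if m and m.group(2) == vhttp and m.group(3) == "80":
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits
```

Run `audit_virtual_http` over `show running-config` output; a non-empty `missing` list names the match ACL that needs the virtual-IP ACE.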
