Hi Group, I've found that when using Virtual Telnet I do not need any NAT entries for the Virtual IP when doing this configuration on an Inside interface (security level 100) or on a DMZ interface (security level 50), but I do need a NAT statement for the Virtual IP when doing this configuration on the Outside (security level 0). I have NAT-Control turned off and tested with no NAT configured whatsoever.
At first, when I tested on the Inside, I assumed it had something to do with security levels relative to the interface the ACS server could be reached from, but then I tested this config on my DMZ interface, which had a lower security level than my ACS-facing interface, and it still worked without a corresponding NAT statement. Next I thought maybe the NAT requirement is only for interfaces with a security level of 0, so I changed my outside interface to a level of 15. Still the lowest on the ASA, but not 0. NAT was still required though. Additionally, not only was it required, but it worked regardless of whether I specified Inside or DMZ as the real address interface in the NAT statement, e.g. static (inside,outside) x.x.x.x x.x.x.x and static (dmz,outside) x.x.x.x x.x.x.x. Any ideas? Is NAT for the Virtual IP just a requirement for the lowest security level interface on the ASA? Seems like I'm missing something here. BTW, I had inbound "permit ip any any" on both the outside and dmz interfaces. Thanks, Jason
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
