ASA routing question
Hello!
I have a question about the routing function on the ASA 5500. Scenario: the ASA (inside interface 192.168.1.1) is the default gateway for all inside nodes. We also have another network (192.168.2.0) on the inside, and the ASA routes traffic to that network via the same inside interface (192.168.1.1). I know the PIX does NOT support this routing scenario; will the ASA do it?
Regards, /Jonny
Hi Jonny,
Does this clarify your question? If so, please close the post, as it may be useful to others.
Regards,
REDA
Similar Questions
-
Private-to-private IPsec VPN between ASA and router
Hello community,
This is the first time I configure an IPsec VPN between an ASA and a router. I have an ASA 5540 at headquarters and an 877 router at the branch.
Headquarters ASA summary:
Peer IP: 111.111.111.111
Local network: 10.0.0.0
Branch:
Peer IP: 123.123.123.123
LAN: 192.168.1.0/24
Please, can someone help me set up the VPN?
Hello,
This guide covers exactly what you need:
Setting up ASDM and SDM - http://www.netcraftsmen.net/resources/archived-articles/273.html
VPN tunnel, ASA-to-router configuration:
http://www.Cisco.com/en/us/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml#ASDM
Kind regards,
Jimmy
-
Trying to bridge a WRT110 with my Westell router/modem model 7500 DSL
I want to bridge the two devices so I can connect my new Blu-ray player to the Internet; it sits in a room without an Ethernet connection. I looked at one resource that told me all I need to do is make the SSID and the channel number the same, but that has not worked. I also looked at www.ehow.com, and they recommended disabling the DHCP and DNS settings and the firewall setting, which I did, but that didn't help either. I suppose my question is whether someone has already tried to use this model of router as a bridge, or whether someone can tell me if this model is able to act as a bridge. I looked on the Linksys website and they no longer list this model and have no support information. Thank you.
The WRT110 is a wireless router and it doesn't have a bridge function. There is no way you can bridge it with your Westell. You can always connect the WRT110 to your Westell via an Ethernet cable. With this configuration, you can have a wireless connection at home.
-
Newbie question: route-map/access-list
I am quite new to the whole Cisco thing here. I'm very hesitant to make changes, as I am not 200% sure I won't take down the entire network. (We are a very small company.)
We have a Cisco 1811 router (yes, I know it's old).
We have a route map now and I'm trying to understand it to make it work the way we want. Basically, we have a few servers and we do not want some of them to use our cable Internet connection; we want them to use our T1. Our T1 uses an ASA 5505 as a router. I don't know why; I know it's not best practice, but I was just hired and that's all I have to say on the subject. Here is what happens as a result: web traffic currently goes out our cable interface; everything else, including the transfer speed test on speedtest.net, goes out our T1. This makes VoIP phone calls bad, bad. We also have a tunnel punched through to one of our other offices, and our Exchange 2010 server uses the T1. If our cable goes down, everything goes to the T1 (by design). We have a long list of access-list entries that our route map uses via "match ip address". I want to change the access list so that it does not match local network IP addresses. I know that if I put in a "permit ip any any" it will break our network: nothing will go out the T1 line, and no one can get to our mail server anymore. So I was thinking of adding some statements, but I was wondering if someone could help me with the logic, so I know whether I will break the network. I wouldn't want to have to pull the laminated cord and use the console. (I really need to get a USB serial interface.) Now that you understand my situation a little better, here are all the numbers, etc.
Internal networks: 90.0.0.0/24, 192.168.0.0/24, 192.168.30.0/24, 172.20.0.0/16 (we use only 40 addresses; why they chose a /16 is beyond me, stupid really)
PTP VPN: 192.168.116.0/24 comes in and goes out over our T1.
1811 router: 90.0.0.254 / 192.168.30.254 / 192.168.0.254
ASA: 90.0.0.50
!
track 40 ip sla 40 reachability
 delay down 90 up 60
!
interface Vlan1
 description * INTERFACE LAN 90.0.0.x network * $FW_INSIDE$
 ip address 90.0.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 ip policy route-map WEBPBR
!
interface Vlan10
 description * INTERFACE LAN NET 192.168.0.x * $FW_INSIDE$
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 ip helper-address 90.0.0.2
 ip virtual-reassembly
 ip policy route-map WEBPBR
!
! Static routes
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 90.0.0.50 track 20
ip route 0.0.0.0 0.0.0.0 197.164.245.109 200
ip route 8.8.8.8 255.255.255.255 197.164.245.109 permanent
ip route 10.250.10.0 255.255.255.0 90.0.0.50 permanent
ip route 172.20.0.0 255.255.0.0 90.0.0.50 permanent
ip route 208.67.220.220 255.255.255.255 197.164.245.109 permanent
!
ip access-list extended WEBTRAFFIC
 deny ip any host 208.67.222.222
 deny ip any 172.20.0.0 0.0.255.255
 deny tcp host 90.0.0.2 any eq www
 deny tcp host 90.0.0.14 any eq www
 deny tcp host 90.0.0.235 any eq www
 deny ip host 192.168.0.40 any
 deny ip any host 192.168.0.40
 deny ip host 192.168.0.41 any
 deny ip any host 192.168.0.41
 deny ip any host 192.168.0.221
 deny ip host 192.168.0.221 any
 deny ip host 192.168.0.225 any
 deny tcp host 90.0.0.10 any eq www
 deny ip any host 192.168.0.225
 deny tcp host 90.0.0.11 any eq www
 deny tcp host 90.0.0.9 any eq www
 deny tcp host 90.0.0.8 any eq www
 deny tcp host 90.0.0.7 any eq www
 deny tcp host 90.0.0.6 any eq www
 deny tcp host 90.0.0.1 any eq www
 deny tcp host 90.0.0.13 any eq www
 deny tcp host 90.0.0.200 any eq www
 permit tcp any any eq www
 permit ip host 192.168.0.131 any
 permit ip host 192.168.0.130 any
 permit ip host 192.168.0.132 any
 permit ip host 192.168.0.133 any
 permit ip host 192.168.0.134 any
 permit ip host 192.168.0.135 any
 permit ip host 192.168.0.136 any
 permit ip host 192.168.0.137 any
 permit ip host 192.168.0.138 any
 permit ip host 192.168.0.139 any
 permit ip host 192.168.0.140 any
 permit ip host 192.168.0.141 any
 permit ip host 192.168.0.142 any
 permit ip host 192.168.0.143 any
 permit ip host 192.168.0.144 any
 permit ip host 192.168.0.145 any
 permit ip host 192.168.0.146 any
 permit ip host 192.168.0.147 any
 permit ip host 192.168.0.148 any
 permit ip host 192.168.0.149 any
 permit ip host 192.168.0.150 any
 permit ip host 90.0.0.80 any
 permit ip host 90.0.0.81 any
 permit ip host 90.0.0.82 any
 permit ip host 90.0.0.83 any
 permit ip host 90.0.0.84 any
 permit ip host 90.0.0.85 any
 permit ip host 90.0.0.86 any
 permit ip host 90.0.0.87 any
 permit ip host 90.0.0.88 any
 permit ip host 90.0.0.89 any
 permit ip host 90.0.0.90 any
 permit ip host 90.0.0.91 any
 permit ip host 90.0.0.92 any
 permit ip host 90.0.0.93 any
 permit ip host 90.0.0.94 any
 permit ip host 90.0.0.95 any
 deny tcp host 90.0.0.3 any eq www
!
ip sla 40
 icmp-echo 208.67.220.220 source-interface Vlan1
 timeout 6000
 frequency 20
ip sla schedule 40 life forever start-time now
!
route-map WEBPBR permit 2
 match ip address WEBTRAFFIC
 set ip next-hop verify-availability 197.164.245.109 1 track 40
That is how we have it set up right now. If I put a few lines at the top of WEBTRAFFIC with:
deny ip any 192.168.0.0 0.0.0.255
deny ip any 90.0.0.0 0.0.0.255
deny ip any 192.168.116.0 0.0.0.255
! etc. with all internal networks
* and then put at the bottom:
permit ip any any
will that break EVERYTHING so we can't communicate with anything? Or is that what I need to do so that we get internal routing, etc.? Also, I guess I'd need to put in the 15 IP addresses that come in on the ASA as well? (We have 14 public IPs, one of which is for the T1 gateway; would those go in as well?) I don't want to try putting those at the top and end up with no one able to do anything. I hope I made clear what I'm doing...
Post edited by: Ryan Young
I have not read this thread carefully enough to be able to speak to the intricacies of whether this access list will do what you want. But I can answer the specific question you are asking. Yes, the access list is processed top-down, and if a line higher in the access list matches, then processing for that packet will never get to the permit at the bottom of the access list.
HTH
Rick
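To make Rick's point concrete, here is an added example (not part of the original thread) that walks a policy-routing ACL top-down, first match wins, with the implicit deny at the end. It models a subset of the posted WEBTRAFFIC list in its original order and Ryan's proposed change (deny entries for the internal networks at the top, permit ip any any at the bottom), and reports which flows the WEBPBR route-map would send to the cable next hop (197.164.245.109) and which fall through to the routing table (T1 via 90.0.0.50). The addresses are taken from the post; the sample flows and the 198.51.100.7 destination are constructed.

```python
"""First-match walk of an IOS extended ACL as used by a policy route-map.

Added example, not part of the original thread. Addresses come from the
post; the sample flows and the destination 198.51.100.7 are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" or "tcp"
    src: str                      # CIDR or "any"
    dst: str                      # CIDR or "any"
    dport: Optional[int] = None   # destination port for tcp entries, None = any


def _in(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


def matches(ace: Ace, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.dport is not None and ace.dport != dport:
        return False
    return _in(ace.src, src) and _in(ace.dst, dst)


def evaluate(acl: List[Ace], src: str, dst: str, proto: str,
             dport: Optional[int] = None) -> str:
    """Top-down, first match wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if matches(ace, src, dst, proto, dport):
            return ace.action
    return "deny"


def next_hop(acl: List[Ace], src: str, dst: str, proto: str,
             dport: Optional[int] = None) -> str:
    """route-map WEBPBR permit: only an ACL *permit* triggers set ip next-hop;
    a deny (explicit or implicit) means normal destination-based routing, not a drop."""
    if evaluate(acl, src, dst, proto, dport) == "permit":
        return "cable 197.164.245.109"
    return "routing table (T1 via 90.0.0.50)"


CURRENT = [  # subset of the posted WEBTRAFFIC list, original order kept
    Ace("deny", "ip", "any", "208.67.222.222/32"),
    Ace("deny", "ip", "any", "172.20.0.0/16"),
    Ace("deny", "tcp", "90.0.0.2/32", "any", 80),
    Ace("deny", "ip", "192.168.0.40/32", "any"),
    Ace("deny", "ip", "any", "192.168.0.40/32"),
    Ace("permit", "tcp", "any", "any", 80),
    Ace("permit", "ip", "192.168.0.131/32", "any"),
    Ace("permit", "ip", "90.0.0.80/32", "any"),
]

INTERNAL = ["90.0.0.0/24", "192.168.0.0/24", "192.168.30.0/24",
            "172.20.0.0/16", "192.168.116.0/24"]   # LANs plus the PTP VPN subnet

# Ryan's proposal: internal destinations denied first, then the existing
# entries, then permit ip any any at the bottom.
PROPOSED = ([Ace("deny", "ip", "any", n) for n in INTERNAL]
            + CURRENT
            + [Ace("permit", "ip", "any", "any")])

FLOWS = [  # (src, dst, proto, dport), constructed
    ("90.0.0.80", "192.168.116.10", "tcp", 443),   # PBR host to the PTP VPN subnet
    ("90.0.0.5", "8.8.8.8", "tcp", 80),            # ordinary web browsing
    ("90.0.0.5", "198.51.100.7", "tcp", 443),      # non-web traffic to the Internet
    ("90.0.0.2", "198.51.100.7", "tcp", 80),       # server that must stay on the T1
    ("192.168.0.131", "192.168.0.40", "tcp", 445),  # internal to internal
]

if __name__ == "__main__":
    for src, dst, proto, dport in FLOWS:
        print(f"{src:>15} -> {dst:<15} now: {next_hop(CURRENT, src, dst, proto, dport):<34}"
              f" proposed: {next_hop(PROPOSED, src, dst, proto, dport)}")
```

The walk shows the two effects of the proposal: the deny entries at the top win for anything destined to an internal or VPN subnet, so those flows stay on the normal routing table regardless of the per-host permits further down; and permit ip any any at the bottom moves every remaining flow, not only web, onto the cable link, which changes what the T1 carries. A deny in a PBR ACL never drops traffic; it only means the route-map does not apply.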
-
Cisco wireless router model WRT120N keeps dropping the Internet connection
My wireless router will work for 6-8 hours and then drop the connection to the Internet. I have to power-cycle the modem and the router several times to re-establish the connection. I'm also using a Netgear access point.
I use:
Charter high-speed Internet
Motorola modem
Cisco WRT120N router
Settings:
Mixed mode
Channel width - Auto, 20 MHz or 40 MHz
Security - WPA2 Personal
SSID broadcast disabled
Firmware version v1.0.04
Internet connection type - Automatic Configuration DHCP
Beacon interval - 50
Fragmentation threshold - 2304
RTS threshold - 2304
All other settings are default.
When I unplug the modem from the router and plug it into the desktop, I have Internet service.
Is the connection dropping on wired only, or on wireless as well?
Try updating the firmware on your router.
Connect the computer to the router with the Ethernet cable.
Download the latest firmware from the Linksys website and save it to your computer. Open the router configuration page. Click the Administration tab and switch to the Firmware Upgrade sub-tab, browse to the firmware file you already downloaded and upgrade your router.
After upgrading the firmware on the router, it is recommended that you reset the router and reconfigure it. Press and hold the reset button on the router for 30 seconds. Release the reset button and wait 10 seconds. Power-cycle the router and reconfigure it.
-
Hi all
First of all, I would like to say I'm trying to implement this in Packet Tracer. I would like to set up a VPN using an ASA 5505 and a Cisco 1841 router (both available in Packet Tracer).
The devices can ping each other's external IP address.
The problem is that the VPN is not established. If I run show crypto isakmp sa on the ASA, it says: There are no IKEv1 SAs.
The configurations for both devices are attached.
Any idea why it doesn't work? Sorry if this is not the right forum for this; it's the first time I post. I've searched the forums and checked some of the proposed solutions, but I have not found the answer to my problem :-(
Thanks in advance,
Patty
- On the router, there is no crypto map. You need one, consistent with the ASA's.
- Your phase 1 policies are not compatible. The settings must match on both sides (router: 3des, ASA: aes).
- You have to adjust your NAT on both devices so that the tunnel traffic does not get translated. Remember that NAT is done before IPsec. If you do not exempt the traffic from NAT, it will no longer match the crypto ACL after NAT.
- Yes, the forum is perfectly fine! ;-)
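The answer above lists the usual reasons a site-to-site tunnel never gets past phase 1. The following added example (not Patty's attached configs, which are not on the page) is a small consistency checker for a peer pair: it looks for a phase-1 policy whose encryption, hash, authentication and DH group agree, checks that each side has a crypto map, and compares transform set, PFS and crypto-ACL mirroring for phase 2. The sample peers are constructed to reproduce what the answer reports (router proposes 3des, ASA proposes aes, no crypto map on the router) and then a corrected router; the 192.168.10.0/24 and 192.168.20.0/24 networks are placeholders.

```python
"""Consistency check for a site-to-site IPsec peer pair.

Added example; the sample peers are constructed, not the poster's configs.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Phase1:
    encryption: str        # aes, 3des, ...
    hash_alg: str          # sha, md5
    authentication: str    # pre-share, rsa-sig
    group: int             # DH group
    lifetime: int = 86400  # seconds; not compared, IKE settles on the shorter value


@dataclass(frozen=True)
class CryptoMap:
    transform_set: Tuple[str, ...]           # e.g. ("esp-aes", "esp-sha-hmac")
    crypto_acl: Tuple[Tuple[str, str], ...]  # (local_net, remote_net) pairs
    pfs: Optional[str] = None                # e.g. "group2"


@dataclass(frozen=True)
class Peer:
    name: str
    phase1: Tuple[Phase1, ...]       # policies in priority order
    crypto_map: Optional[CryptoMap]  # None = nothing applied to the outside interface


def _proposal(p: Phase1):
    return (p.encryption, p.hash_alg, p.authentication, p.group)


def negotiated_phase1(a: Peer, b: Peer) -> Optional[Tuple[Phase1, Phase1]]:
    """First pair of policies whose enc/hash/auth/group agree, or None."""
    for pa in a.phase1:
        for pb in b.phase1:
            if _proposal(pa) == _proposal(pb):
                return pa, pb
    return None


def check_pair(a: Peer, b: Peer) -> List[str]:
    """Return human-readable findings; an empty list means the pair is consistent."""
    findings: List[str] = []
    if negotiated_phase1(a, b) is None:
        offers_a = sorted({p.encryption for p in a.phase1})
        offers_b = sorted({p.encryption for p in b.phase1})
        findings.append(f"phase 1: no common policy ({a.name} offers {offers_a}, "
                        f"{b.name} offers {offers_b})")
    for peer in (a, b):
        if peer.crypto_map is None:
            findings.append(f"phase 2: {peer.name} has no crypto map")
    if a.crypto_map is None or b.crypto_map is None:
        return findings
    if set(a.crypto_map.transform_set) != set(b.crypto_map.transform_set):
        findings.append(f"phase 2: transform sets differ ({a.crypto_map.transform_set} "
                        f"vs {b.crypto_map.transform_set})")
    if a.crypto_map.pfs != b.crypto_map.pfs:
        findings.append(f"phase 2: PFS differs ({a.crypto_map.pfs} vs {b.crypto_map.pfs})")
    # each (local, remote) entry on one side must appear as (remote, local) on the other
    for x, y in ((a, b), (b, a)):
        mirrored = {(r, l) for l, r in y.crypto_map.crypto_acl}
        for entry in x.crypto_map.crypto_acl:
            if entry not in mirrored:
                findings.append(f"phase 2: {x.name} crypto ACL {entry} is not mirrored on {y.name}")
    return findings


# Constructed sample peers (placeholder networks, not the poster's configs)
ASA = Peer("ASA", (Phase1("aes", "sha", "pre-share", 2),),
           CryptoMap(("esp-aes", "esp-sha-hmac"), (("192.168.10.0/24", "192.168.20.0/24"),)))
ROUTER_AS_POSTED = Peer("1841", (Phase1("3des", "sha", "pre-share", 2),), None)
ROUTER_FIXED = Peer("1841", (Phase1("aes", "sha", "pre-share", 2),),
                    CryptoMap(("esp-aes", "esp-sha-hmac"), (("192.168.20.0/24", "192.168.10.0/24"),)))

if __name__ == "__main__":
    for router in (ROUTER_AS_POSTED, ROUTER_FIXED):
        print(router.name, check_pair(ASA, router) or ["OK"])
```

Phase-1 lifetime is deliberately left out of the comparison: a lifetime mismatch does not stop IKEv1 from negotiating, the peers simply settle on the shorter value, whereas any difference in encryption, hash, authentication method or DH group leaves you with exactly the "There are no IKEv1 SAs" output Patty sees.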
-
Problem with IPsec VPN between ASA and Cisco router - ping gets no response
Hello,
I don't know why the IPsec VPN does not work. This is my setup (IPsec VPN between ASA and R2):
My network topology:
LAN 1 connected to ASA-1 (inside LAN)
PC - 10.0.1.3 255.255.255.0 10.0.1.1
ASA - GigabitEthernet 1: 10.0.1.1 255.255.255.0
-----------------------------------------------------------------
ASA-1 connected to R1 (outside LAN)
ASA - GigabitEthernet 0: 172.30.1.2 255.255.255.252
R1 - FastEthernet 0/0: 172.30.1.1 255.255.255.252
---------------------------------------------------------------------
R1 connected to R2
R1 - FastEthernet 0/1: 172.30.2.1 255.255.255.252
R2 - FastEthernet 0/1: 172.30.2.2 255.255.255.252
--------------------------------------------------------------------
R2 connected to LAN 2
R2 - FastEthernet 0/0: 10.0.2.1 255.255.255.0
PC - 10.0.2.3 255.255.255.0 10.0.2.1
ASA configuration:
interface GigabitEthernet 1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
 no shutdown
interface GigabitEthernet 0
 nameif outside
 security-level 0
 ip address 172.30.1.2 255.255.255.252
 no shutdown
route outside 0.0.0.0 0.0.0.0 172.30.1.1
------------------------------------------------------------
access-list LAN1-to-LAN2 extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
object network obj-local
 subnet 10.0.1.0 255.255.255.0
object network obj-remote
 subnet 10.0.2.0 255.255.255.0
nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote no-proxy-arp
------------------------------------------------------------
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 3600
crypto ikev1 enable outside
crypto isakmp identity address
------------------------------------------------------------
tunnel-group 172.30.2.2 type ipsec-l2l
tunnel-group 172.30.2.2 ipsec-attributes
 ikev1 pre-shared-key cisco123
crypto ipsec ikev1 transform-set ASA1TS esp-aes-192 esp-sha-hmac
------------------------------------------------------------
crypto map ASA1VPN 10 match address LAN1-to-LAN2
crypto map ASA1VPN 10 set peer 172.30.2.2
crypto map ASA1VPN 10 set ikev1 transform-set ASA1TS
crypto map ASA1VPN 10 set security-association lifetime seconds 3600
crypto map ASA1VPN interface outside
R2 configuration:
interface FastEthernet 0/0
 ip address 10.0.2.1 255.255.255.0
 no shutdown
interface FastEthernet 0/1
 ip address 172.30.2.2 255.255.255.252
 no shutdown
-----------------------------------------------------
router rip
 version 2
 network 10.0.2.0
 network 172.30.2.0
------------------------------------------------------
access-list 102 permit ahp host 172.30.1.2 host 172.30.2.2
access-list 102 permit esp host 172.30.1.2 host 172.30.2.2
access-list 102 permit udp host 172.30.1.2 host 172.30.2.2 eq isakmp
interface FastEthernet 0/1
 ip access-group 102 in
------------------------------------------------------
crypto isakmp policy 110
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 42300
------------------------------------------------------
crypto isakmp key cisco123 address 172.30.1.2
-----------------------------------------------------
crypto ipsec transform-set R2TS esp-aes 128
------------------------------------------------------
access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
------------------------------------------------------
crypto map R2VPN 10 ipsec-isakmp
 match address 101
 set peer 172.30.1.2
 set pfs group1
 set transform-set R2TS
 set security-association lifetime seconds 86400
interface FastEthernet 0/1
 crypto map R2VPN
I don't know what the problem is.
Thank you
If RIP is not absolutely necessary for you, try adding a default route on R2:
ip route 0.0.0.0 0.0.0.0 172.16.2.1
If you really want to use RIP, add a permit to ACL 102:
access-list 102 permit udp any any eq 520
-
ASA - interface question (IPsec)
Is it possible on an ASA to "split" the interfaces (e0/0-e0/1 * e0/2-e0/3) so that they behave as distinct parts of the ASA?
Goal (2 separate functions)
--------------------------------
Function 1
E0/0 - outside interface - ISP
E0/1 - inside interface - traditional LAN
Function 2
E0/2 - Outside2 interface - to be used for an IPsec tunnel across another external network (BGP cloud)
E0/3 - Inside2 - restricted LAN
*****************************************
- e0/2 and e0/3 do not cross over to e0/0 or e0/1 (or vice versa).
- e0/2 is only used to connect to a remote site, so that the remote site's network and the e0/3 network communicate with each other.
*****************************************
I'm not sure it will work, as the default route statement on e0/0 could kill my tunnel traffic between the remote site and e0/3.
Thoughts or comments?
Yes, you should be fine. The command I posted above shows that packets are getting encrypted/decrypted. The ASA increments the ACL hit counts for encrypted/decrypted traffic.
-
Hi all. I have an ASA 5510 connected to a 3750 switch, with RIP routing between the two devices. I have problems passing the VPN subnet via RIP to the 3750. I probably don't understand how the routing table is populated on the ASA, so be patient with me. I noticed that the routing table is populated with the VPN subnet when clients connect. So, for example, when client 1 connects, 192.168.1.1/32 appears in the ASA's routing table. I then put static redistribution in place through RIP on the ASA. However, the 3750 never receives the RIP update from the ASA. All other routes are exchanged fine between the devices. Any suggestions?
Sent from Cisco Technical Support Android App
OK, good to know that everything works fine for you now!
If you want to RIP the VPN pool through, you must enable RRI on the ASA, which injects the VPN pool into the ASA's routing table so that the ASA sees it as a static route; then you go to your RIP process and "redistribute static". The ASA will pass it along as a known route from its table.
Believe me, I went through the same thing you are going through now, a few years back! It was a pain in the neck, but I finally found someone who helped me with it! It took me almost 1 month to get help. The VPN side seemed OK, but I couldn't reach my home network. I was told to do what I mentioned at the top.
Regarding IGPs in the network, they seem OK to configure and let them do the work for you, but if not well thought out before implementation, you could easily shoot yourself in the foot with them down the road. For me, before I understood IGPs, I understood statics very well. That helped me understand the routing protocols.
I'm glad you're OK.
Have a good one, Phil.
Ted
-
ASA-to-router VPN, private to public
I have a setup where a customer will send calls to a UCM from a private address, through a VPN tunnel terminating on a 2811. The call has to hit an SBC that is on a public address and sits right behind the router on FE0/1. (See attached picture.)
Traffic through the ASA is to be exempted from NAT.
Since it is all public on my end and my default route points to my ISP's router, I guess I don't need anything other than a default route. (I'm not running routing protocols, just a static outbound route.)
The tunnel does not come up. In fact, I never see any traffic hit my side at all. Does anyone have experience with a private-to-public VPN, or know of an example config anywhere?
This is my config at my end:
crypto isakmp policy 4
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key XXXXXXXXXX address (public address #1) no-xauth
crypto ipsec transform-set XXXSET esp-3des esp-md5-hmac
crypto map XXXMAP 4 ipsec-isakmp
 set peer (public address #1)
 set security-association idle-time 3600
 set transform-set XXXSET
 set pfs group2
 match address 170
access-list 170 permit ip host (public address #3) host 10.0.0.5
interface FastEthernet0/0
 ip address (public address #2) 255.255.255.252
 load-interval 30
 speed 100
 duplex full
 no cdp enable
 crypto map XXXMAP
 service-policy output AutoQoS-policy-UnTrust
Thank you,
Paul
Your configuration looks fine.
Does phase 1 come up when you try to pass traffic through? "show crypto isakmp sa"
If P1 is up, does P2 come up? "show crypto ipsec sa | include ident|spi|encaps|decaps"
If neither comes up, run the debugs:
debug crypto isakmp
debug crypto ipsec
See if the tunnel is initiated when traffic is sent. As long as you have a default route pointing outbound and don't have any other routes, you should be fine. It looks like everything will be a connected network.
-
VPN peers on old ASA: reverse routing as we migrate to the new ASA and new Internet link
Hello,
I'm migrating my old Internet/VPN connection. How can I ensure that existing VPNs are still directed to my old/current ASA,
while my default gateway goes out of my new Internet link?
Very vague question, given the lack of a topology ;/
In general, you redistribute your downstream IP pool range to the core.
-
ASA 5510 routing issue.
Forgive me if this gets confusing.
I have a new ASA 5510 that I set up for VPN. I can VPN in via IPsec and connect to 2 of my subnets, .0 and .64 (we have 4 subnets in our range); I can ping, HTTP, connect to shares, SSH, etc. I am using the ACL from our outgoing VPN module, so nothing there should be wrong. The problem I have is reaching our lab network on the .128 subnet. I can't ping, connect, HTTP, anything.
Is there some special routing I need to do so that people who VPN in can see this subnet? (For test purposes the ASA sits behind the firewall and connects directly to the .0 subnet, so I know it isn't the firewall, and everything else on that subnet can see our lab.)
Thanks for helping the new guy.
Shawn
Shawn,
Your .0 and .64 subnets are defined as "interesting traffic" (by an ACL) and are exempted from NAT when sent through the VPN tunnel. You must add the .128 subnet to both the ACL that says no NAT and the one that specifies interesting traffic. If you hit snags, post a sanitized config and we will be able to give a more detailed response.
HTH
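The two lists the answer names have to agree: a subnet that is in the interesting-traffic ACL but not in the NAT exemption gets translated before IPsec and then no longer matches (the same point made in the 1841 thread above), and a subnet missing from the interesting-traffic ACL is never sent into the tunnel at all. The following added example (not from the thread) audits a set of required (local, remote) pairs against both lists. Shawn's real subnets are not on the page, so 10.1.0.0/26, 10.1.0.64/26 and 10.1.0.128/26 with a VPN pool of 10.200.0.0/24 are constructed placeholders that mirror the ".0 / .64 / .128" layout he describes.

```python
"""Coverage audit of interesting-traffic ACL and NAT exemption for a VPN.

Added example; the subnets below are constructed placeholders.
"""
from ipaddress import ip_network
from typing import Dict, Iterable, List, Tuple

Pair = Tuple[str, str]   # (local network, remote network or VPN pool), CIDR strings


def covers(rule: Pair, need: Pair) -> bool:
    """True if the rule's local and remote prefixes both contain the needed pair."""
    return (ip_network(need[0]).subnet_of(ip_network(rule[0]))
            and ip_network(need[1]).subnet_of(ip_network(rule[1])))


def audit(needed: Iterable[Pair], interesting: Iterable[Pair],
          nat_exempt: Iterable[Pair]) -> Dict[Pair, List[str]]:
    """Map each needed pair to the lists it is missing from (empty list = OK)."""
    interesting, nat_exempt = list(interesting), list(nat_exempt)
    report: Dict[Pair, List[str]] = {}
    for need in needed:
        missing = []
        if not any(covers(r, need) for r in interesting):
            missing.append("interesting-traffic ACL")
        if not any(covers(r, need) for r in nat_exempt):
            missing.append("NAT exemption")
        report[need] = missing
    return report


def gaps(report: Dict[Pair, List[str]]) -> Dict[Pair, List[str]]:
    """Only the pairs that have something missing."""
    return {pair: missing for pair, missing in report.items() if missing}


# Constructed layout: three /26 subnets, VPN clients in 10.200.0.0/24.
POOL = "10.200.0.0/24"
NEEDED = [("10.1.0.0/26", POOL), ("10.1.0.64/26", POOL), ("10.1.0.128/26", POOL)]
INTERESTING = [("10.1.0.0/26", POOL), ("10.1.0.64/26", POOL)]   # .128 forgotten
NAT_EXEMPT = [("10.1.0.0/26", POOL), ("10.1.0.64/26", POOL)]    # .128 forgotten here too

if __name__ == "__main__":
    for pair, missing in audit(NEEDED, INTERESTING, NAT_EXEMPT).items():
        print(pair, "OK" if not missing else "missing from: " + ", ".join(missing))
```

A single broader entry (for example 10.1.0.0/24 toward the pool in both lists) covers all three /26 subnets and reports no gaps; the check uses prefix containment rather than exact matching so that such summarised entries are recognised.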
-
LAN-to-LAN VPN between ASA and 7200 router
Hi friends,
I need to configure a LAN-to-LAN VPN between an ASA (remote location) and a 7200 router (on our network).
<7200 router (IP add: 10.10.5.2)>---(Internet)---<(IP add: 192.168.12.2) ASA (5510)>---192.135.5.0/24 network
I will have the following configuration:
7200 router:
crypto isakmp policy 80
 encr <algorithm missing from the original post>
 authentication pre-share
 group 1
 lifetime 3600
crypto isakmp key cisco123 address 192.168.12.2
crypto ipsec transform-set VPNtrans esp-<missing from the original post> esp-md5-hmac
crypto map VPNTunnel 80 ipsec-isakmp
 set peer 192.168.12.2
 set transform-set VPNtrans
 match address 110
interface fa0/0
 ip address 10.10.5.2 255.255.255.192
 ip virtual-reassembly
 no ip route-cache
 speed 100
 duplex full
 crypto map VPNTunnel
access-list 110 permit ip any 192.135.5.0 0.0.0.255
ASA:
interface e0/0
 nameif inside
 security-level 100
 ip address 192.135.5.254 255.255.255.0
interface e0/1
 nameif outside
 security-level 0
 ip address 192.168.12.2 255.255.255.240
access-list ACL extended permit ip 192.135.5.0 255.255.255.0 any
route outside 0.0.0.0 0.0.0.0 192.168.12.3 1
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption <algorithm missing from the original post>
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 3600
crypto ipsec transform-set VPNtran esp-<missing from the original post> esp-md5-hmac
crypto map VPN 10 match address ACL
crypto map VPN 10 set peer 10.10.5.2
crypto map VPN 10 set transform-set VPNtran
tunnel-group 10.10.5.2 type ipsec-l2l
tunnel-group 10.10.5.2 ipsec-attributes
 pre-shared-key cisco123
crypto map VPN interface outside
isakmp enable outside
dhcpd address 192.135.5.1-192.135.5.250 inside
dhcpd dns 172.15.4.5 172.15.4.6
dhcpd wins 172.15.76.5 172.15.74.5
dhcpd lease 14400
dhcpd ping_timeout 500
dhcpd enable inside
Please check the configuration and correct me if I missed something. I'm in a critical situation at the moment...
Please advise...
Thank you very much...
Where does it fail at the moment?
Can you share the output of the following after trying to establish the VPN tunnel:
show crypto isakmp sa
show crypto ipsec sa
Please also run the following debugs to see where it fails:
debug crypto isakmp
debug crypto ipsec
-
Hello,
I have an ASA 5505 behind a router that is also a DMVPN spoke (the router); on my ASA I have configured a remote-access VPN with RADIUS.
But when I try to forward the VPN ports to my ASA, I get stability problems with my DMVPN spoke on the router.
Is it possible to have DMVPN on the router and remote-access VPN on my ASA?
I have attached the running configuration.
Thank you
Joelle,
The problem here is that your router and the ASA both want to use UDP port 500 and UDP port 4500. Of course, if you forward those incoming ports, DMVPN is not going to work, and vice versa. What you can try is to have your EzVPN use IPsec over TCP on port 10000 and forward that instead.
On the ASA, configure "crypto isakmp ipsec-over-tcp port 10000".
On the client, edit the connection entry, click the Transport tab and select IPsec over TCP.
On the router, port-forward TCP 10000 to the ASA.
Hope that helps.
-Jay
-
NAT exemption and inter-VLAN routing scenario on Cisco ASA
Hi, I'm new to Cisco ASA. I did some study on the Cisco ASA recently and am trying to understand how it works.
The diagram (attachment) illustrates the network architecture in my company. The two FWs (5520, version 8.0) are configured with nat-control and same-security-traffic permit inter-interface. I ping from device A to device B (10.10.105.244 > 10.10.70.70/24).
At FW 02, I added an inbound ACL (10.10.105.0/24 > 10.10.70.0/24) because of the difference in security level between the ingress and egress interfaces (SL 50 < SL 100). For the return traffic (10.10.70.0/24 > 10.10.105.0/24), I only need to add a NAT exempt rule, as it is configured with same-security-traffic permit inter-interface. Is my understanding correct?
At FW 01, I need to add an ACL entry (10.10.70.0/24 > 10.10.105.244). Without the rule, my ping is unsuccessful. Can I know why I need to add this rule for incoming traffic, given that same-security-traffic permit inter-interface is set on FW 01? And can I know why I do not need to NAT-exempt the traffic (10.10.105.0/24 > 10.10.70.0/24)?
Sorry for the long explanation. I hope to get clarification and to make sure my interpretation is correct.
Thanks for all the comments. Have a nice day :)
Hello,
For your first question: "Can I know why I need to add this rule for incoming traffic, given that same-security-traffic permit inter-interface is set on FW 01?"
It probably has to do with ICMP inspection. By default, ICMP traffic is not inspected by the ASA, so the return traffic from device B to device A will be dropped on FW 01. You must enable ICMP inspection by adding it to the default MPF configuration on the ASA.
For your second question: "Can I know why I do not need to NAT-exempt the traffic (10.10.105.0/24 > 10.10.70.0/24)?"
nat-control does not affect same-security interfaces, i.e. same-security interfaces can communicate without NAT even if nat-control is turned on (with some exceptions). See this link for more information.