  • Content created by Rene Molenaar (CCIE #41726)
Notable Replies

  1. Hello Rene, a question about ACLs.
    If I read an ACL written in this way:
    access-list 100 permit ip host any....
    the keyword "any" means:
    "permit any packet from address to any other address if configured in this router, more and more all multicast addresses? (for RIP, for example) is for example the adjacent router on my fa 0/0... (and so I have to configure the ACL inbound)

  2. johxxn says:

    Hi Rene,

    I have that too, R2 points to the ASA, but the lab did not work for me. I think it is a static NAT issue because the ASA drops the packet due to rpf-check. Here is a packet tracer from the ASA

    ciscoasa# packet-tracer input OUTSIDE tcp 23 23
    Phase: 1
    Result: ALLOW
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Subtype: input
    Result: ALLOW
    Additional Information:
    in   DMZ
    Phase: 3
    Subtype: log
    Result: ALLOW
    access-group OUTSIDE_INBOUND in interface OUTSIDE
    access-list OUTSIDE_INBOUND extended permit tcp any host eq telnet 
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Result: ALLOW
    Additional Information:
    Phase: 5
    Type: NAT
    Subtype: rpf-check
    Result: DROP
    object network WEB_SERVER
     nat (DMZ,OUTSIDE) static
    Additional Information:
    input-interface: OUTSIDE
    input-status: up
    input-line-status: up
    output-interface: DMZ
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
  3. Hi John,

    That makes sense :) In my example I didn't have NAT configured... just the IP addresses and security levels on the ASA, that's it.


  4. Hi Oskar,

    If this was a real network with Internet connectivity and public/private addresses then yes, you would need NAT. In this example however it's just an ASA with three interfaces. Nothing has to be translated.
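
An added example, not part of the original thread: a small Python parser for `packet-tracer` output like the trace in reply 2, which reports the first phase whose result is DROP together with the configuration lines shown for that phase and the final drop reason. The sample trace is constructed (its address is a documentation-range placeholder, not a value from the thread), and the function names `parse_trace` and `first_drop` are hypothetical.

```python
import re

# Constructed sample modelled on the trace in reply 2; 192.0.2.10 is a placeholder.
SAMPLE = """\
Phase: 1
Type: ACCESS-LIST
Result: ALLOW
Phase: 2
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network WEB_SERVER
 nat (DMZ,OUTSIDE) static 192.0.2.10
Additional Information:
Result:
input-interface: OUTSIDE
output-interface: DMZ
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

KEY_VALUE = re.compile(r"^([A-Za-z][A-Za-z -]*):\s*(.*)$")
SUMMARY_KEYS = {"input-interface", "output-interface", "action", "drop-reason"}

def parse_trace(text):
    """Split packet-tracer output into per-phase dicts plus the final summary."""
    phases, summary, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = KEY_VALUE.match(line)
        if not match:
            if current is not None and line:
                current["detail"].append(line)  # matched ACL / NAT line
            continue
        key, value = match.group(1).lower(), match.group(2)
        if key == "phase":
            current = {"phase": int(value), "detail": []}
            phases.append(current)
        elif key in SUMMARY_KEYS:
            summary[key] = value
            current = None  # the per-phase section is over
        elif current is not None and value:
            current.setdefault(key, value)  # type, subtype, result
    return phases, summary

def first_drop(text):
    """Return the first phase with Result: DROP, or None if the flow is allowed."""
    phases, summary = parse_trace(text)
    for phase in phases:
        if phase.get("result", "").upper() == "DROP":
            return {**phase, "drop_reason": summary.get("drop-reason")}
    return None
```

For a trace like the one in reply 2, the returned phase points at the NAT rpf-check and the `nat (DMZ,OUTSIDE) static` line, which is the rule to review first.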

