Content created by Rene Molenaar (CCIE #41726)



Notable Replies

  1. Hello Rene, a question about ACLs.
    If I read an ACL written in this way:
    access-list 100 permit ip host 131.108.1.1 any
    the keyword "any" means:
    "permit any packet from address 131.108.1.1 to any other address if configured in this router, including 255.255.255.255 and all multicast addresses (224.0.0.9 for RIP, for example)?"
    131.108.1.1 is, for example, the adjacent router on my fa 0/0 (and so I have to configure the ACL inbound).

  2. johxxn says:

    Hi Rene,

    I have that too, R2 points to the ASA, but the lab did not work for me. I think it is a static NAT issue because the ASA drops the packet due to rpf-check. Here is a packet tracer from the ASA

    ciscoasa# packet-tracer input OUTSIDE tcp 192.168.2.2 23 192.168.3.3 23
    
    Phase: 1
    Type: ACCESS-LIST
    Subtype: 
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.3.0     255.255.255.0   DMZ
    
    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group OUTSIDE_INBOUND in interface OUTSIDE
    access-list OUTSIDE_INBOUND extended permit tcp any host 192.168.3.3 eq telnet 
    Additional Information:
    
    Phase: 4
    Type: IP-OPTIONS
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    
    Phase: 5
    Type: NAT
    Subtype: rpf-check
    Result: DROP
    Config:
    object network WEB_SERVER
     nat (DMZ,OUTSIDE) static 192.168.2.200
    Additional Information:
    
    Result:
    input-interface: OUTSIDE
    input-status: up
    input-line-status: up
    output-interface: DMZ
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
  3. Hi John,

    That makes sense :) In my example I didn't have NAT configured...just the IP addresses and security levels on the ASA, that's it.

    Rene

  4. Hi Oskar,

    If this was a real network with Internet connectivity and public/private addresses then yes, you would need NAT. In this example however it's just an ASA with three interfaces. Nothing has to be translated.

    Rene
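Both ACL entries quoted in the replies above (the IOS line in reply 1 and the ASA OUTSIDE_INBOUND entry in reply 2) match addresses the same way: `any` is address 0.0.0.0 with wildcard 255.255.255.255, so every bit is a don't-care and any destination, including 255.255.255.255 and multicast groups such as 224.0.0.9, matches it. The following is an added example (editor-written, not Rene's code or Cisco's implementation) that parses both entries using IOS wildcard syntax and evaluates constructed sample packets against them.

```python
import ipaddress
from collections import namedtuple

# Constructed sample entries: the IOS line from reply 1 and the ASA line from reply 2.
ACL_LINES = [
    "access-list 100 permit ip host 131.108.1.1 any",
    "access-list OUTSIDE_INBOUND extended permit tcp any host 192.168.3.3 eq telnet",
]

# src/dst are (address, wildcard) as 32-bit ints; dport is None when unrestricted.
Ace = namedtuple("Ace", "action proto src dst dport")

def parse_addr(tokens):
    """Consume one address spec; a wildcard bit of 1 means 'don't care'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]          # same as 0.0.0.0 255.255.255.255
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    addr, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (addr, wild), tokens[2:]

def parse_ace(line):
    t = line.split()[2:]                 # drop 'access-list <name>'
    if t[0] == "extended":               # ASA keyword, no effect on matching here
        t = t[1:]
    action, proto = t[0], t[1]
    src, t = parse_addr(t[2:])
    dst, t = parse_addr(t)
    dport = None
    if t[:1] == ["eq"]:                  # only 'telnet' and numeric ports are needed here
        dport = 23 if t[1] == "telnet" else int(t[1])
    return Ace(action, proto, src, dst, dport)

def addr_matches(spec, ip):
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF            # bits that must be equal
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def evaluate(aces, proto, src, dst, dport=None):
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if addr_matches(ace.src, src) and addr_matches(ace.dst, dst):
            return ace.action
    return "deny"
```

Note that an ACL applied inbound on an interface only evaluates transit traffic arriving there; it does not change what the router itself sends.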

Continue the discussion forum.networklessons.com