Content created by Rene Molenaar (CCIE #41726)


Forum Replies

  1. Hi Rene,

    I have that too, R2 points to the ASA, but the lab did not work for me. I think it is a static NAT issue because the ASA drops the packet due to rpf-check. Here is a packet tracer from the ASA

    ciscoasa# packet-tracer input OUTSIDE tcp 192.168.2.2 23 192.168.3.3 23
    
    Phase: 1
    Type: ACCESS-LIST
    Subtype: 
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.3.0     255.255.255.0   DMZ
    
    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result:
    ... Continue reading in our forum

  2. Hi Asi,

    Here’s a good document from Cisco that explains the “order of operation” for the ASA:

    Cisco ASA Packet Flow

    The packet tracer tool on the ASA is also great to answer this question. For example:

    ASA# packet-tracer input INSIDE tcp 192.168.1.1 50001 1.2.3.4 80

    This will show us the packet flow for a host that is using IP address 192.168.1.1 and who wants to connect to TCP port 80 on 1.2.3.4. Here’s the result:

    Phase: 1
    Type: ACCESS-LIST
    Subtype: 
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    
    Phase: 2
    Type: ROUTE-LOOKUP
    Subty
    ... Continue reading in our forum

  3. Hi Rene,

    Awesome lab.

    Quick question: I come from a Cisco IOS routing and switching background and had a question about ACL processing. How does it process the ACLs? In terms of: do I need to enter a permit ip any any at the end of each ACL name?

    Thanks.

  4. Hi Rene,

    a question regarding those statements:

      • When you create an ACL statement for inbound traffic (lower to higher security level) then the destination IP address has to be:
        ◦ The translated address for any ASA version before 8.3.
        ◦ The real address for ASA 8.3 and newer.

      • The access-list is always checked before NAT translation.

    If the ACL is checked first, does the dest IP not have to be the NAT'd IP then?
    Cause the ASA looks at the packet and compares it to the ACL. In the packet we still have the NAT'd IP and therefore we would need to specify the NAT'd I

    ... Continue reading in our forum
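
The two points raised in the replies above (what the packet-tracer tool shows, and whether an inbound ACL names the translated or the real address) come down to where the ASA performs the destination un-translate relative to the ACL check. The configuration below is an added example written for this page; it is not the lesson's own lab config or Cisco's documentation. It writes the same inbound static NAT in pre-8.3 and 8.3+ syntax and ends with the packet-tracer command to verify either one. All names and addresses are assumptions: interfaces inside and outside, web server real IP 192.168.1.10, mapped (public) IP 203.0.113.10, object name WEB-SRV, ACL name OUTSIDE_IN, and an outside tester at 198.51.100.5.

```cisco
! Added example, not from the original lesson. Assumed names and addresses:
! inside/outside interfaces, real server 192.168.1.10, mapped 203.0.113.10,
! object WEB-SRV, ACL OUTSIDE_IN, outside tester 198.51.100.5.

!--- ASA 8.2 and earlier: the inbound ACL is evaluated against the packet as
!--- it arrives on the outside interface, so it must name the MAPPED address.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 80
access-group OUTSIDE_IN in interface outside

!--- ASA 8.3 and later: the destination is un-translated (NAT rule applied in
!--- reverse) before the ACL is checked, so the ACL must name the REAL address,
!--- here through the network object that also carries the NAT statement.
!--- An ACL line that still names 203.0.113.10 will not match inbound traffic
!--- on 8.3+ and the connection is dropped in the ACCESS-LIST phase.
object network WEB-SRV
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.10
access-list OUTSIDE_IN extended permit tcp any object WEB-SRV eq 80
access-group OUTSIDE_IN in interface outside

!--- Verification on either version: trace the packet as it is seen on the
!--- wire, i.e. with the mapped address as the destination. Read the phases
!--- top to bottom and stop at the first "Result: DROP"; its Type/Subtype
!--- (ACCESS-LIST, NAT rpf-check, ROUTE-LOOKUP, ...) tells you which part
!--- of the configuration rejected the flow.
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 80
```

Only one of the two NAT/ACL pairs is applied on a given ASA; they are shown side by side because an 8.2-style ACL carried over to an 8.3+ unit is a common reason an inbound static NAT "stops working" after an upgrade, and packet-tracer makes the failing phase visible without touching the server.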

  5. Thanks a lot for your help Laz!!

28 more replies! Ask a question or join the discussion by visiting our Community Forum