Forum Replies

  1. Hi Rene

    As far as I know, by default, the ASA will block all traffic from a lower into a higher area.
    In this example, I can't ping from R1 to 192.168.2.2 and 192.168.3.3 but I can telnet to them.
    Why is that?

    If we don't create access-lists something like below:

    access-list inside-in extended permit ip any any
    access-list outside-in extended permit ip any any
    access-list dmz-in extended permit ip any any

    access-group inside-in in interface INSIDE
    access-group outside-in in interface OUTSIDE
    access-group dmz-in in interface DMZ

    I can't ping them!

    Thank you!
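
The symptom in the post above (TCP sessions such as telnet succeed from the higher-security interface while ping fails until "permit ip any any" access-groups are applied) is the standard ASA default behaviour: TCP is tracked statefully, so the return segments are matched to the connection, but ICMP echo replies coming back in on the lower-security interface are only matched if ICMP inspection is enabled or an inbound ACL permits them. The following is an added example to check and fix that, not configuration from the thread or from the lesson; it assumes the thread's interface names and that R1 at 192.168.1.1 sits on INSIDE while 192.168.2.2 is reachable via DMZ.

```cisco
! Added example, not from the original post. Interface names follow the thread;
! the host addresses used in packet-tracer are assumptions.

! First see what the ASA does with a TCP SYN and with an ICMP echo from INSIDE.
! packet-tracer for icmp takes <type> <code>: 8 0 is an echo request.
packet-tracer input INSIDE tcp 192.168.1.1 40000 192.168.2.2 23
packet-tracer input INSIDE icmp 192.168.1.1 8 0 192.168.2.2

! Both are allowed outbound (higher to lower). The echo reply arriving on DMZ is
! dropped unless ICMP is stateful-inspected. Add it to the default global policy:
policy-map global_policy
 class inspection_default
  inspect icmp

! Alternative without inspection: permit only the replies inbound on DMZ.
! Note that applying any access-group to DMZ replaces the implicit rules for
! traffic originating on DMZ, so everything DMZ needs must then be listed here.
access-list dmz-in extended permit icmp any any echo-reply
access-group dmz-in in interface DMZ
```

The "inspect icmp" route is the one to prefer: the blanket "permit ip any any" on every interface shown in the question makes ping work, but it also turns off the protection the security levels were providing, because an applied access-group overrides the implicit lower-to-higher deny.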

  2. Hello Rene,

    I am a little bit confused about the two commands when using NAT:

    nat (inside,outside)

    nat (outside,inside)

    Appreciate your nice clarification as always :)

    br/
    zaman

  3. Hi Zaman,

    Here’s how it works:

    ASA1(config)# object network SERVER
    ASA1(config-network-object)# host 192.168.1.1
    ASA1(config-network-object)# nat (INSIDE,OUTSIDE) static 192.168.2.200
    

    This basically does two things:

    • When a packet enters the INSIDE and exits the OUTSIDE, and the source IP address is 192.168.1.1 then we translate the source address to 192.168.2.200.
    • When a packet enters the OUTSIDE and exits the INSIDE, and the destination IP address is 192.168.2.200 then we translate the destination address to 192.168.1.1.

    We use this so a server on the INS

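
An added example, not from the thread or the lesson, that completes the static NAT above so that hosts on OUTSIDE can actually reach the server in both of the directions the reply describes. The caveat a practitioner wants here: on ASA 8.3 and later the ACL applied to OUTSIDE is evaluated against the real address 192.168.1.1 (here via the object), not against the mapped 192.168.2.200, because the destination is un-translated before the access list is checked. The addresses and interface names follow the reply; the service port 80 and the client 192.168.2.50 used for verification are assumptions.

```cisco
! Added example, not from the original post. Addresses follow the reply;
! TCP port 80 and the client 192.168.2.50 are assumed for illustration.
object network SERVER
 host 192.168.1.1
 nat (INSIDE,OUTSIDE) static 192.168.2.200

! Traffic entering the lower-security OUTSIDE interface still needs an ACL.
! On ASA 8.3+ the ACL matches the real IP (the object), not the mapped address.
access-list OUTSIDE-IN extended permit tcp any object SERVER eq 80
access-group OUTSIDE-IN in interface OUTSIDE

! OUTSIDE -> INSIDE: the destination 192.168.2.200 should be un-NATed to
! 192.168.1.1 and then permitted by OUTSIDE-IN.
packet-tracer input OUTSIDE tcp 192.168.2.50 40000 192.168.2.200 80

! INSIDE -> OUTSIDE: the source 192.168.1.1 should be translated to 192.168.2.200.
packet-tracer input INSIDE tcp 192.168.1.1 40000 192.168.2.50 80

! Inspect the rule and the translations it has created.
show nat detail
show xlate
```

If the OUTSIDE access list is written against host 192.168.2.200 instead, packet-tracer shows the flow dropped at the ACCESS-LIST phase even though the NAT phase matched; referencing the object keeps the rule correct if the mapped address is ever changed.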

  4. By default the FW allows traffic from Inside to DMZ, so that means I am on the Inside network and I can RDP to my Windows server in the DMZ. It can be bad in some cases,
    and if I want to block RDP from Inside to DMZ I will need to configure an access list?

    Thank you

  5. Thanks again Laz!
    I will try this again tomorrow on Devnet rather than GNS3.
    Kind Regards
    Frank
