We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is Why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 605 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)


361 New Members signed up the last 30 days!


100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: ,

Forum Replies

  1. Hi Rene,

    I dont know exactly what topic to place this question in thats why i am placing it here
    i got an opportunity for 3 days to work under a CCIE who was very rude and did not bother to ask him any questions as i knew he was not interested in explaining

    i was able to understand all bits till core SW through knowledge of your tutorials on VLAN and routing ,However cannot understand few bits in design at this point

    They got a public IP block from ISP lets say 30 host count

    Now the way the IP are assigned is as - => ISP router LAN interface connecting to my ASA
    - => Outside interface of my ASA

    Then there is CORE-SW- with different and server VLAN and few servers connected to server-vlan and require public access to them (web and email)[no-dmz].

    For the purpose hiding internal IP-scheme NAT is configured at ASA pointing to server as follows ===NAT===>> …

    So after all this lines my Question WHICH INTERFACE THIS IP - - is assigned ,Where does this IP reside

    -Do this IP remain in company network

    please explain -As i know no one can expalain better than you in simple way


    Thanks in ADVANCE

  2. So, after wiping out my ASA 5505 configuration and starting over, with the same nat rules as above, and also playing with ACLs like this:

    access-list dmz-out extended deny ip object dmz object inside
    access-list dmz-out extended permit ip object dmz any4

    I’ve come to some conclusions.

    1. the deny line above was used to prevent the dmz traffic to inside (worked)
    2. that nat, xlate were there.
    3. that icmp is not allowed out from dmz
    4. that ssh, and other protocols are allowed out without any ACL, just based on nat.
     174: 15:28:50.809345       802.1Q vlan#4 P0 > F 731092586:731092586(0) ack 902071277 win 32832 <nop,nop,timestamp 3218242 3220456>
     175: 15:28:50.819888       802.1Q vlan#4 P0 > . ack 731092586 win 32780 <nop,nop,timestamp 3220468 3218241>
     176: 15:28:50.819919       802.1Q vlan#4 P0 > F 902071277:902071277(0) ack 731092586 win 32832 <nop,nop,timestamp 3220471 3218241>
     177: 15:28:50.822009       802.1Q vlan#4 P0 > F 731092586:731092586(0) ack 902071278 win 32831 <nop,nop,timestamp 3218258 3220471>
     178: 15:28:50.823535       802.1Q vlan#4 P0 > . ack 731092587 win 32831 <nop,nop,timestamp 3220480 3218258>
     179: 15:28:59.991739       802.1Q vlan#4 P0 > S 3651934508:3651934508(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 3227424 0,sackOK,eol>
     180: 15:28:59.993524       802.1Q vlan#4 P0 > S 2606032245:2606032245(0) ack 3651934509 win 65535 <mss 1380,nop,wscale 1,nop,nop,timestamp 3229649 3227424,sackOK,eol>
     181: 15:28:59.996255       802.1Q vlan#4 P0 > . ack 2606032246 win 32832 <nop,nop,timestamp 3227428 3229649>

    So, in conclusion, it all works just fine. Its likely a limitation or “security feature” of the 5505, but not because of the security-level on the dmz interface (security-level 50).

  3. Hi Rene,

    I am still not clear with the ASA order of operation. I think its different before 8.3 and after 8.3 IOS. Can some one help me in understanding it? .

    Nat rule–> access rule —> route look up –
    access rule —> nat rule —> route lookup

  4. Hello Ajith

    The order of operation depends on if the NAT involved is source NAT or destination NAT. Specifically:

    For ASA versions before AND after 8.3 with SOURCE NAT, the order of operation does NOT change. That is:

    1 Routing, 2 Inbound ACL, 3 NAT

    For ASA versions BEFORE 8.3 and DESTINATION NAT, the order of operation is as follows:

    1 ACL 2 Destination NAT 3 Routing

    For ASA versions AFTER 8.3 and DESTINATION NAT, the order of operation is as follows:

    1 Destination NAT/Partial routing* 2 ACL

    *Partial routing refers to the determination of the exit interface based on the NAT rule.

    I hope this has been helpful!


  5. thanks its clear now

7 more replies! Ask a question or join the discussion by visiting our Community Forum