NAT, ACCESS RULES N TRAFFIC INSPECTION

Antonio Simoes
Level 1

Hi,

Can anyone answer these questions?

1. What do I have to do to:
   1. Allow only http/https traffic from the inside to the dmz
   2. Allow only http/https traffic from the dmz to the inside
2. How can I simulate inspected returning traffic in packet tracer? Otherwise I never know if it will be allowed to return.

Kind regards,

AS

Accepted Solution

Julio Carvajal
VIP Alumni

Hello Antonio,

For this particular traffic (HTTP, HTTPS) there will be only one session or data channel, so with a regular packet-tracer you will be able to determine whether the returning traffic will be allowed or not.

An example would be with ICMP (without the stateful inspection you will see a drop on the packet-tracer. It points to an ACL issue, I think).

What I will provide you is a really useful command that not all people are aware of:

show service-policy flow tcp host x.x.x.x host x.x.x.x eq 80

You will see if a policy inspection or parameter is matched.

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
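As an added example (not from the thread or either poster), here is an ASA configuration for Antonio's two rules, followed by the packet-tracer and show commands that verify them; the interface names, subnets and object names are constructed for the example.

```cisco
! Added example, not from the thread. Constructed addressing: inside 10.1.1.0/24
! (security-level 100), dmz 172.16.1.0/24 (security-level 50). Interface names assumed.
object network INSIDE_NET
 subnet 10.1.1.0 255.255.255.0
object network DMZ_NET
 subnet 172.16.1.0 255.255.255.0
object-group service WEB_PORTS tcp
 port-object eq www
 port-object eq https
!
! Inside -> DMZ: only HTTP/HTTPS. Explicitly deny (and log) any other inside->dmz traffic,
! then permit the rest so inside hosts still reach other interfaces such as outside.
access-list INSIDE_IN remark Only web traffic from inside to dmz
access-list INSIDE_IN extended permit tcp object INSIDE_NET object DMZ_NET object-group WEB_PORTS
access-list INSIDE_IN extended deny ip object INSIDE_NET object DMZ_NET log
access-list INSIDE_IN extended permit ip object INSIDE_NET any
access-group INSIDE_IN in interface inside
!
! DMZ -> inside: only HTTP/HTTPS. The implicit deny at the end of DMZ_IN drops everything
! else sourced from the dmz; add further permits here only if dmz hosts need the outside.
access-list DMZ_IN remark Only web traffic from dmz to inside
access-list DMZ_IN extended permit tcp object DMZ_NET object INSIDE_NET object-group WEB_PORTS
access-list DMZ_IN extended deny ip object DMZ_NET object INSIDE_NET log
access-group DMZ_IN in interface dmz
!
! Julio's ICMP point: an echo-reply is a separate flow unless ICMP inspection is enabled
! (it is not on by default), which is why packet-tracer shows it dropped by the ACL.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification. packet-tracer builds a synthetic TCP SYN, so test each direction's
! initiating packet. The reply of an established TCP flow is matched by the connection
! table, not by the ACL, so it needs no packet-tracer run of its own.
packet-tracer input inside tcp 10.1.1.50 40000 172.16.1.10 443
packet-tracer input dmz tcp 172.16.1.10 40001 10.1.1.50 80
! Expected to be dropped by DMZ_IN (22 is not in WEB_PORTS):
packet-tracer input dmz tcp 172.16.1.10 40002 10.1.1.50 22
! Julio's command: shows which class-map / inspection the flow would match
show service-policy flow tcp host 10.1.1.50 host 172.16.1.10 eq 80
! After a real client connects, confirm the stateful entry that carries the return traffic
show conn address 10.1.1.50
```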


6 Replies


Hi J,

I'm confused about one situation. In one of my branch companies, I have connected to my ASA inside port an ISR 2911/K9, doing router on a stick to my VLANs. But now I have to connect a service on the main office. So I will do a Site-to-Site VPN on the ASA. But the local network is one of my VLANs.

So what will happen: I do the VPN and the ASA routes the traffic to the ISR and vice versa?

Kind Regards,

AS

Hello Antonio,

Exactly, you build the VPN between the ASA and the other site and the ASA routes and encrypts the traffic properly.


Cheers,

Julio Carvajal Segura


Hi J,

Ok. Two days from now I will test it.

Take care man.

AS

Hello Antonio,

Sure, keep me posted!


Cheers,

Julio Carvajal Segura


Sure
