Q: This is for dst NAT. How about the traffic flow for src NATting traffic?
A. Source address NAT is the 6th stage in the packet flow - just prior to the IPS redirection.
Q: Differentiate NAT translate & NAT IP hdr, which are separated by ACL & inspection.
A. The first NAT stage translates the destination IP address of the packet and determines the egress interface of the packet. The second NAT stage is for translating the source IP address.
Q: What is the option for packet trace in FWSM?
A. That's a great question but unfortunately FWSMs do not support packet-tracer. We depend on the other tools (such as captures, and syslogs) to troubleshoot network problems.
Q: The order in which the packet will flow to the NAT; I am very confused with the new NAT order.
A. That is completely understandable if you are new to this version of ASAs. Here are some documents that might help you understand this better: https://supportforums.cisco.com/docs/DOC-12690. There are some useful videos at the end of this doc.
Q: Is this capture command cpu intensive?
A. The capture command has very little overhead on the CPU. It is important though to ensure that you are as specific as possible when working with packet captures.
Q: What is the command to take a backup via CLI so that all keys will be backed up?
A. The CLI command to back up certificates is "crypto ca export <trustpoint_name> pkcs12 <secret_key>".
If you are talking specifically about the AAA/VPN keys, you should use the command "more system:running-config".
Q: Can we execute Packet tracer command in FWSM firewall?
A. FWSMs do not support packet-tracer. You can use other tools like syslogs and captures.
Q: As the ASA is stateful, there is no need to open ports bi-directionally. For example, I have opened a port for a user from src to dst. My question is, when the user tries to initiate the traffic from dst, does that ACL work for me?
A. As we discussed, the first stage of packet processing is whether the packet matches an existing connection. Hence, if the DST is responding to a previous packet from the SRC, then yes, the ASA will allow it without an ACL.
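A toy model of the order of operations the answers above describe (existing-connection lookup first, then destination NAT, then the ACL, then source NAT), added here as an illustrative Python example and not code from the ASA or from this session; every address, port and rule in it is constructed. It shows why the reply in the question above passes without an ACL entry while traffic initiated from the dst side does not, and why the ACL is matched against the real destination once the first NAT stage has translated it.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int

class ToyAsa:
    """Simplified model of the ASA order of operations: conn lookup, dst NAT, ACL, src NAT."""
    def __init__(self, acl, dst_nat, src_nat):
        self.acl = acl          # permitted (src, real_dst, dport) tuples; "any" is a wildcard
        self.dst_nat = dst_nat  # mapped (public) destination -> real (inside) destination
        self.src_nat = src_nat  # real (inside) source -> mapped (public) source
        self.conns = set()      # (src, dst, sport, dport) as seen on the wire, both directions

    def process(self, pkt):
        # Stage 1: existing connection? Reply traffic is accepted here, before the ACL.
        if (pkt.src, pkt.dst, pkt.sport, pkt.dport) in self.conns:
            return "allow: existing connection"
        # Stage 2: first NAT stage, translate the destination (mapped -> real address).
        real_dst = self.dst_nat.get(pkt.dst, pkt.dst)
        # Stage 3: ACL, evaluated against the real (already untranslated) destination.
        if not any(s in ("any", pkt.src) and d in ("any", real_dst) and p in ("any", pkt.dport)
                   for s, d, p in self.acl):
            return "drop: acl"
        # Stage 4: second NAT stage, translate the source (real -> mapped address).
        mapped_src = self.src_nat.get(pkt.src, pkt.src)
        # Stage 5: record the conn in both directions so the reply matches at stage 1.
        self.conns.add((pkt.src, pkt.dst, pkt.sport, pkt.dport))
        self.conns.add((real_dst, mapped_src, pkt.dport, pkt.sport))
        return f"allow: new conn {mapped_src}:{pkt.sport} -> {real_dst}:{pkt.dport}"

def demo():
    """Constructed scenario: inside host 10.1.1.10, DMZ web server 172.16.0.80 (static 203.0.113.80)."""
    fw = ToyAsa(
        acl=[("10.1.1.10", "any", 443), ("any", "172.16.0.80", 80)],  # ACL written with real addresses
        dst_nat={"203.0.113.80": "172.16.0.80"},
        src_nat={"10.1.1.10": "203.0.113.2"},
    )
    return [
        fw.process(Pkt("10.1.1.10", "198.51.100.5", 50000, 443)),   # inside -> outside, permitted by ACL
        fw.process(Pkt("198.51.100.5", "203.0.113.2", 443, 50000)),  # reply: matches conn, ACL not consulted
        fw.process(Pkt("198.51.100.5", "203.0.113.2", 40000, 22)),   # dst-initiated: no conn, ACL drops it
        fw.process(Pkt("198.51.100.7", "203.0.113.80", 41000, 80)),  # outside -> DMZ through dst NAT
    ]

if __name__ == "__main__":
    print("\n".join(demo()))
```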
Q: How can I look at encrypted passwords in the show run of the ASA?
A. One cannot view the un-encrypted passwords of users using the CLI. You can, though, view the un-encrypted passwords for features like AAA or VPN using "more system:running-config" and "show run all".
Q: SACK OK is the only flag that is shown in the packet capture?
A. That is actually a TCP option and not the TCP flag. Most of the supported TCP options will be shown in the packet captures.
Q: Please share the document for the packet capture