Yorel

Technical Experts
  • Content count: 428
  • Days Won: 6

Yorel last won the day on July 3 2012

Community Reputation: 4 Neutral

About Yorel
  • Rank: PIX/ASA/FWSM
  • Birthday: 07/14/77

Profile Information
  • Gender: Male
  • Location: Madrid
  1. Hello. The answer is yes, the packet will arrive at the Production interface because the packet's destination is in that network. The source of the packet, when it reaches the final equipment, will be either 192.168.3.x or 172.20.x.x. Regards
  2. Congrats Lethe!!!! I can guarantee you the moment you carry your baby in your arms for the first time will be absolutely amazing. Cheers!!!
  3. Try packet-tracer input in order to simulate a packet from the LAN to the internet, so you will know whether the ASA is dropping the connection or not. See this link: http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml
  4. Hello. The only traffic you allow from the LAN to outside is ping to the outside interface; because of that, the users cannot access the internet. On the other hand, the ASA drops any ICMP that goes through it. PCs can only ping the inside interface, neither outside nor DMZ nor any other interface. Finally, you will need to do NAT on the ASA if the router doesn't. Regards
  5. Hello! Yes, the command nat (inside) 0 ... is used for traffic you don't want to NAT. It's commonly used for VPN traffic and you don't need a global statement. The nat (inside) 1 command will NAT the traffic and must match a global command with the same ID (global (outside) 1 interface). The name outside_access_in is just a name to identify an access-list. When you create access-lists via ASDM, the appliance assigns this name automatically. In order for it to take effect on the interface you have to configure an access-group command on it. And you're right, that traffic refers to the packets from the outside to your network. Regards!
  6. Hello. Nokia appliances are different from CheckPoint machines. On Nokia you use IPSO as the OS and, afterwards, you install the CheckPoint package (R75 or whatever). On Nokia you have VRRP in order to configure the cluster; to access the IPSO section you must use the clish command, and you can enter commands like 'show interfaces all', 'show asset hardware'. Summarizing, Nokia appliances have IPSO instead of SPLAT, and Voyager is the WebUI to configure many options of the appliances. Regards!
  7. Maybe the Windows firewall is blocking the ping? Everything else looks fine...
  8. Hello: Go to SmartDashboard and double-click on the firewall, then Log and Masters -> Log Servers. There you configure the Log Server, which is usually your Security Management Server. Moreover, it is highly recommended that you configure a switchover of the logs every day in the Log and Masters section, 'Schedule log switch to' option. Regards!
  9. I think not many people have the CCNA Network Visualizer application. I recommend you make a diagram in .jpg or .bmp. That way many of us could help you. Regards
  10. I think the problem is with the TFTP server. On it, go to File -> Configure and enable the option "Rename existing files on conflict" on the General tab. Regards
  11. I recommend you check out this useful document: http://www.cisco.com.../migrating.html By the way, take a look at this; it's possible you have to upgrade your memory before upgrading: http://www.cisco.com...4.html#wp321918 Regards
  12. The document is OK; the reason is that the inside server has NAT so that the DMZ servers don't know its real IP address. The inside server (172.20.1.5) will appear as the IP 192.168.2.20. "This mapped address is an address that DMZ hosts can use to access the server on the inside without the need to know the real address of the server. This command maps the DMZ address 192.168.2.20 to the real inside address 172.20.1.5". Regards
  13. Hello: The most important thing in this type of configuration is the ID of the nat and global commands; that's how the appliance links them. Take a look at the nat with ID 5:
     nat (inside) 5 172.16.0.5 255.255.255.255
     global (outside) 5 99.186.148.9
     It means that when the IP 172.16.0.5 starts traffic and that packet exits through the outside interface, the appliance will perform a source NAT to 99.186.148.9. The second NAT:
     nat (inside) 10 172.16.0.0 255.255.255.0
     nat (inside) 10 172.17.0.0 255.255.255.0
     global (outside) 10 interface
     It means that for all packets coming from those two networks and leaving through the outside interface, the appliance will do a source NAT to the appliance's outside interface address. The remaining statement:
     nat (inside) 0 access-list no-nat_inside
     When you configure a nat 0 command it means no NAT will be done to that traffic; in this case, to the traffic that belongs to the access-list called no-nat_inside. It's commonly used for VPN traffic. In summary, you need a number on the nat command that links it with the global command with the same number (ID). You may configure several nat commands with the same number, or a nat command with several global commands with the same number. Regards!
  14. Hi! RPF-check means the appliance doesn't have a route back for a specified host/network. As I can see in your configuration, I think you made a mistake with your default gateway; the appliance cannot reach it because that IP is not inside the outside range. Outside interface: 210.210.210.1/24. Default gateway: 200.200.200.2. I think that's the problem... Regards!
  15. Hi: I also recommend you use SSH instead of telnet, because telnet is a very insecure protocol since the password "travels" in plain text across the network. Remember you have to create an RSA key pair in order to use SSH; the command is:
     # crypto key generate rsa modulus modulus_size (1024 is a good size)
     Afterwards you have to allow the IPs that are permitted to SSH to the appliance:
     # ssh IP_address mask interface
     Regards!
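The nat/global pairing described in posts 5 and 13 can be checked without an appliance. The following Python model is an added example, not code from the thread or from Cisco: it parses the pre-8.3 nat/global statements quoted in post 13, applies the exemption (nat 0 access-list) first, then picks the most specific nat statement that covers the real source and links it by ID to the global on the egress interface. The access-list body for no-nat_inside and the outside interface address 203.0.113.1 are assumptions, since the post does not show them.

```python
import ipaddress
import re

# Constructed sample built from the statements quoted in post 13. The
# access-list body and the interface address below are assumptions for this
# example; the original post does not show them.
SAMPLE_CONFIG = """
access-list no-nat_inside extended permit ip 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list no-nat_inside
nat (inside) 5 172.16.0.5 255.255.255.255
global (outside) 5 99.186.148.9
nat (inside) 10 172.16.0.0 255.255.255.0
nat (inside) 10 172.17.0.0 255.255.255.0
global (outside) 10 interface
"""

# Assumed interface address so that "global (outside) N interface" resolves.
INTERFACE_ADDRESSES = {"outside": "203.0.113.1"}

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT_ACL_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")


def parse_config(text):
    """Split the config into exemption ACLs, dynamic nat rules and global pools."""
    acls, exemptions, nats, globals_ = {}, [], [], []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := NAT_ACL_RE.match(line):          # must be tested before NAT_RE
            exemptions.append((m.group(1), m.group(2)))
        elif m := NAT_RE.match(line):
            iface, nat_id, addr, mask = m.groups()
            nats.append((iface, int(nat_id), ipaddress.ip_network(f"{addr}/{mask}")))
        elif m := GLOBAL_RE.match(line):
            globals_.append((m.group(1), int(m.group(2)), m.group(3)))
    return acls, exemptions, nats, globals_


def resolve_source_nat(config, src_ip, dst_ip, in_iface, out_iface):
    """Return the translated source, the real source when exempted by nat 0,
    or None when no nat/global pair applies.

    Order follows the pre-8.3 ASA NAT order of operations: NAT exemption
    first, then regular dynamic NAT, where the most specific nat statement
    wins regardless of configuration order and the nat ID selects the global
    pool on the egress interface.
    """
    acls, exemptions, nats, globals_ = config
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)

    # 1. nat (iface) 0 access-list NAME: matching traffic is left untranslated.
    for iface, acl_name in exemptions:
        if iface == in_iface:
            for src_net, dst_net in acls.get(acl_name, []):
                if src in src_net and dst in dst_net:
                    return str(src)

    # 2. Regular dynamic NAT: longest prefix covering the real source wins.
    candidates = [(net.prefixlen, nat_id) for iface, nat_id, net in nats
                  if iface == in_iface and src in net]
    if not candidates:
        return None          # no nat statement: dropped when nat-control is on
    _, nat_id = max(candidates)

    # 3. Tie the nat ID to the global with the same ID on the egress interface.
    for iface, gid, mapped in globals_:
        if iface == out_iface and gid == nat_id:
            return INTERFACE_ADDRESSES[iface] if mapped == "interface" else mapped
    return None              # nat without a matching global on this interface


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for s, d in [("172.16.0.5", "198.51.100.10"), ("172.16.0.7", "198.51.100.10"),
                 ("172.17.0.9", "198.51.100.10"), ("172.16.0.5", "10.0.0.20"),
                 ("192.168.50.1", "198.51.100.10")]:
        print(f"{s} -> {d}: source becomes {resolve_source_nat(cfg, s, d, 'inside', 'outside')}")
```

Two details the model makes visible: 172.16.0.5 is covered by both the /32 with ID 5 and the /24 with ID 10, and the more specific statement wins, so it leaves as 99.186.148.9 while its neighbours leave as the outside interface address; and the same host bound for the assumed VPN network 10.0.0.0/24 hits the no-nat_inside exemption first and keeps its real address.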
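Post 15's advice (SSH rather than telnet, an RSA host key, and an explicit list of hosts allowed to connect) can be turned into a check run over the management commands of an ASA. The audit below is an added example, not code from the thread or from Cisco. Both configurations are constructed; the telnet and "ssh version" commands are standard ASA commands the post does not show, and the 2048-bit minimum is an assumption of this example, stricter than the 1024 bits the post mentions.

```python
import ipaddress
import re

# Constructed snippets (not from the thread). WEAK_CONFIG is the telnet-based
# setup the post argues against; HARDENED_CONFIG applies the post's advice.
# "crypto key generate rsa" is an exec-mode command, listed here simply as the
# command the administrator typed.
WEAK_CONFIG = """
telnet 192.168.1.0 255.255.255.0 inside
crypto key generate rsa modulus 1024
ssh 0.0.0.0 0.0.0.0 outside
ssh version 1
"""

HARDENED_CONFIG = """
crypto key generate rsa modulus 2048
ssh 192.168.1.0 255.255.255.0 inside
ssh 203.0.113.50 255.255.255.255 outside
ssh version 2
"""

ACCESS_RE = re.compile(r"^(telnet|ssh) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
MODULUS_RE = re.compile(r"^crypto key generate rsa modulus (\d+)$")
SSH_VERSION_RE = re.compile(r"^ssh version (\d)$")

# Threshold chosen for this example (an assumption): RSA host keys shorter
# than 2048 bits are widely deprecated.
MIN_MODULUS = 2048


def audit_management_access(text, untrusted_ifaces=("outside",), min_modulus=MIN_MODULUS):
    """Return (severity, message) findings for weak remote-management settings."""
    findings = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if m := ACCESS_RE.match(line):
            proto, ip, mask, iface = m.groups()
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            if proto == "telnet":
                findings.append(("high", f"telnet allowed from {net} on {iface}: "
                                         "passwords cross the network in clear text"))
            elif net.prefixlen == 0:
                # "ssh 0.0.0.0 0.0.0.0 iface" lets any address attempt a login.
                sev = "high" if iface in untrusted_ifaces else "medium"
                findings.append((sev, f"ssh allowed from any address on {iface}: "
                                      "restrict it to management hosts"))
        elif m := MODULUS_RE.match(line):
            bits = int(m.group(1))
            if bits < min_modulus:
                findings.append(("medium", f"RSA host key is {bits} bits; use at least {min_modulus}"))
        elif m := SSH_VERSION_RE.match(line):
            if m.group(1) != "2":
                findings.append(("high", "ssh version 1 permitted; restrict to version 2"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for severity, message in audit_management_access(cfg) or [("ok", "no findings")]:
            print(f"[{severity}] {message}")
```

The hardened snippet produces no findings: telnet is gone, the key is 2048 bits, SSH is pinned to version 2, and the ssh lines name a management subnet on inside and a single host on outside instead of 0.0.0.0 0.0.0.0.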