Comments for jklogic.net http://jklogic.net logical reality Thu, 29 Apr 2010 12:15:20 +0000 http://wordpress.org/?v=2.8.4 hourly 1 Comment on Unable to download NAT policy for ACE by David http://jklogic.net/unable-to-download-nat-policy-for-ace/comment-page-1/#comment-3527 David Thu, 29 Apr 2010 12:15:20 +0000 http://jklogic.net/unable-to-download-nat-policy-for-ace/#comment-3527 Thanks for the tip. Fixed my NAT issue 8.2(1)- wish saw this post yesterday Thanks for the tip.
Fixed my NAT issue 8.2(1)- wish saw this post yesterday

]]> Comment on Cisco ASA and ICMP Configurations by Abhishek Paul http://jklogic.net/cisco-asa-and-icmp-configurations/comment-page-2/#comment-3495 Abhishek Paul Tue, 20 Apr 2010 15:32:29 +0000 http://jklogic.net/cisco-asa-and-icmp-configurations/#comment-3495 Hi James I built my internal web application be accessible from the Internet using a Public IP, and it works, I can see the web site from Internet using the Public IP, But I can not use the same public IP to connect to the site from inside. How can I use the public IP even from inside? Same problem for Ping, the ping command works from outside but not from inside. I am using an ASA 5510. Thanks a lot in advance. Abhishek Hi James

I built my internal web application be accessible from the Internet using a Public IP, and it works, I can see the web site from Internet using the Public IP, But I can not use the same public IP to connect to the site from inside. How can I use the public IP even from inside?

Same problem for Ping, the ping command works from outside but not from inside.

I am using an ASA 5510.

Thanks a lot in advance.

Abhishek

]]> Comment on Cisco ASA and ICMP Configurations by Ryan http://jklogic.net/cisco-asa-and-icmp-configurations/comment-page-2/#comment-3251 Ryan Tue, 09 Mar 2010 02:16:37 +0000 http://jklogic.net/cisco-asa-and-icmp-configurations/#comment-3251 Hi James, Thanks for a great post! I'm trying to follow option 3 from your original post. I've got an ASA 5505 ASA Version 8.2(1). I've looked at the global_policy and icmp/icmp error are already defined as inspected traffic types, but traceroute does not work (ping works fine). Here is a snippet from my config. policy-map global_policy class inspection_default inspect dns preset_dns_map dynamic-filter-snoop inspect esmtp inspect ftp inspect h323 h225 inspect h323 ras inspect icmp inspect icmp error inspect netbios inspect pptp inspect rsh inspect rtsp inspect sip inspect skinny inspect sqlnet inspect sunrpc inspect tftp inspect xdmcp Do I still need to enable the ACLs mentioned in option 1 because although ping was working fine, traceroute was not. Was there another step that I am missing. I'm using the ASDM. Thanks. Hi James,

Thanks for a great post! I’m trying to follow option 3 from your original post. I’ve got an ASA 5505 ASA Version 8.2(1). I’ve looked at the global_policy and icmp/icmp error are already defined as inspected traffic types, but traceroute does not work (ping works fine). Here is a snippet from my config.

policy-map global_policy
class inspection_default
inspect dns preset_dns_map dynamic-filter-snoop
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect icmp
inspect icmp error
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp

Do I still need to enable the ACLs mentioned in option 1 because although ping was working fine, traceroute was not. Was there another step that I am missing. I’m using the ASDM.

Thanks.

]]> Comment on Cisco ASA and ICMP Configurations by G-man http://jklogic.net/cisco-asa-and-icmp-configurations/comment-page-2/#comment-3206 G-man Thu, 25 Feb 2010 17:32:16 +0000 http://jklogic.net/cisco-asa-and-icmp-configurations/#comment-3206 Hi James, I'm having an issue. I have a Cisco ASA 5510 and I can ping the inside our network and I can ping from outside to in. However I cannot ping from inside to my outside interface. Any suggestions? Hi James,

I’m having an issue. I have a Cisco ASA 5510 and I can ping the inside our network and I can ping from outside to in. However I cannot ping from inside to my outside interface. Any suggestions?

]]> Comment on Cisco ASA and ICMP Configurations by Adam http://jklogic.net/cisco-asa-and-icmp-configurations/comment-page-2/#comment-3205 Adam Thu, 25 Feb 2010 02:25:13 +0000 http://jklogic.net/cisco-asa-and-icmp-configurations/#comment-3205 James, I'm having an issue. local hosts that use our Global Dynamic NAT to reach outside hosts can not run traceroutes (i can see the hops on LAN between host and ASA, but nothing outside of ASA. These same Static NAT hosts can not access remote (outside) TFTP servers. However, a static NAT LAN host can successfully run traceroutes and access TFTP servers. Other services like http, etc are working perfectly fine regardless of the type of NAT used. Any help would be appreciated. James,

I’m having an issue. local hosts that use our Global Dynamic NAT to reach outside hosts can not run traceroutes (i can see the hops on LAN between host and ASA, but nothing outside of ASA. These same Static NAT hosts can not access remote (outside) TFTP servers.

However, a static NAT LAN host can successfully run traceroutes and access TFTP servers.

Other services like http, etc are working perfectly fine regardless of the type of NAT used. Any help would be appreciated.

]]> Comment on Cisco ASA iPhone VPN Config by Kablooie http://jklogic.net/cisco-asa-iphone-vpn-config/comment-page-1/#comment-3134 Kablooie Thu, 11 Feb 2010 19:17:51 +0000 http://jklogic.net/?p=23#comment-3134 I have no problems with a similar conf on my asa5510 except the internal dns lookup does not work. I have no problems with a similar conf on my asa5510 except the internal dns lookup does not work.

]]> Comment on Cisco ASA and ICMP Configurations by Charlie http://jklogic.net/cisco-asa-and-icmp-configurations/comment-page-2/#comment-3131 Charlie Tue, 09 Feb 2010 02:33:22 +0000 http://jklogic.net/cisco-asa-and-icmp-configurations/#comment-3131 Thanks James. Thanks James.

]]> Comment on Unable to download NAT policy for ACE by DC http://jklogic.net/unable-to-download-nat-policy-for-ace/comment-page-1/#comment-3122 DC Fri, 05 Feb 2010 21:06:12 +0000 http://jklogic.net/unable-to-download-nat-policy-for-ace/#comment-3122 Confirmed, happens to me on 8.2(1) as well. Thanks for this great tip, really saves a lot of trouble (and some downtime) by not having to do a reload. Confirmed, happens to me on 8.2(1) as well.

Thanks for this great tip, really saves a lot of trouble (and some downtime) by not having to do a reload.

]]> Comment on Cisco ASA and ICMP Configurations by James http://jklogic.net/cisco-asa-and-icmp-configurations/comment-page-2/#comment-3119 James Thu, 04 Feb 2010 18:54:12 +0000 http://jklogic.net/cisco-asa-and-icmp-configurations/#comment-3119 Charlie, This is the normal operation for the ASA. You will not be able to ping the DMZ or Outside interface from and inside host. Charlie,

This is the normal operation for the ASA. You will not be able to ping the DMZ or Outside interface from and inside host.

]]> Comment on Cisco ASA iPhone VPN Config by Magnus http://jklogic.net/cisco-asa-iphone-vpn-config/comment-page-1/#comment-3111 Magnus Sat, 30 Jan 2010 22:15:33 +0000 http://jklogic.net/?p=23#comment-3111 Nope didn't work, but a nice initiative. Nope didn’t work, but a nice initiative.

]]>