SLA Monitor ASA/PIX 7.2

Answered Question
Apr 19th, 2007

I have put in place SLA monitor on 2 firewalls.

Each Firewall are independant, there is on both 1 server placed into a dedicated DMZ.

They communicate by VPN on Internet, so there is static(dmz,outside), access-list configure beetween DMZ and Internet.

When Internet connexion is no more available, SLA switch routing to inside interface (on both firewalls) and connexions are Re-established ....

That works perfectly .. but my question is HOW that can works ?? there no static (inside,dmz) configuration, servers are not allowed to iniate connexion to inside interface...

is there any answer to that? perhaps SLA monitor add implicit rules or configuration on firewall.

Thanks

I have this problem too.
0 votes
Correct Answer by Farrukh Haroon about 9 years 7 months ago

no i don't think there are any implicit rules

maybe an ACL is there that is permitting traffic to the inside, static commands are no longer required (no nat-control is the default).

Hope this helps

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Farrukh Haroon Thu, 04/19/2007 - 08:35

no i don't think there are any implicit rules

maybe an ACL is there that is permitting traffic to the inside, static commands are no longer required (no nat-control is the default).

Hope this helps

axelair66 Fri, 04/20/2007 - 01:01

Yep !! you're right.

FYI, i just test without nat-control [ asa(config)#no nat-control ] and with [ static(inside,dmz) server_ip_dmz server_ip_dmz ].

SLA monitor doesn't working

"no nat-control" is required for this kind of architecture.

Do you know other NEW parameters like this one ? or there any document on cisco web-site ?

many thanks for your help!!

Farrukh Haroon Fri, 04/20/2007 - 05:27

This is an excellent resource:

Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_70/pix_upgd/index.htm

It mentions a lot of changes from 6.x to 7.x

Also I don't think no nat-control is a requirement for SLA, have a look at:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Hope this helps

Actions

This Discussion