SLA Monitor ASA/PIX 7.2

Answered Question
Apr 19th, 2007

I have put in place SLA monitor on 2 firewalls.


Each firewall is independent; on both there is one server placed into a dedicated DMZ.


They communicate by VPN over the Internet, so there is static(dmz,outside) and an access-list configured between the DMZ and the Internet.


When the Internet connection is no longer available, SLA switches routing to the inside interface (on both firewalls) and connections are re-established ....


That works perfectly .. but my question is HOW can that work?? There is no static (inside,dmz) configuration, and the servers are not allowed to initiate connections to the inside interface...


Is there any answer to that? Perhaps SLA monitor adds implicit rules or configuration on the firewall.


Thanks




Correct Answer
Farrukh Haroon Thu, 04/19/2007 - 08:35

No, I don't think there are any implicit rules.


Maybe an ACL is there that is permitting traffic to the inside; static commands are no longer required (no nat-control is the default).


Hope this helps



axelair66 Fri, 04/20/2007 - 01:01
Yep!! You're right.


FYI, I just tested without nat-control [ asa(config)#no nat-control ] and with [ static(inside,dmz) server_ip_dmz server_ip_dmz ].


SLA monitor doesn't work.


"no nat-control" is required for this kind of architecture.


Do you know other NEW parameters like this one? Or is there any document on Cisco's web-site?


Many thanks for your help!!

Farrukh Haroon Fri, 04/20/2007 - 05:27

This is an excellent resource:


Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0


http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_70/pix_upgd/index.htm


It mentions a lot of changes from 6.x to 7.x.


Also, I don't think no nat-control is a requirement for SLA; have a look at:


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml


Hope this helps
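An added worked configuration (not from this thread and not from the Cisco documents linked above) that puts the pieces the thread discusses together on one ASA 7.2: the SLA echo probe and the tracked default route that fails over to the inside interface, the static(dmz,outside) for the DMZ server towards the Internet, the DMZ access-list that lets the server reach its peer whichever egress interface the routing table selects, and the `no nat-control` default under which the DMZ-to-inside flow needs no static(inside,dmz). Hostname, interface names and all addresses are assumed (RFC 5737 documentation ranges); the identity static quoted in the comment for the nat-control case is what I understand the enforcing mode to require, not something the thread itself verifies.

```cisco
! Constructed example, not the poster's configuration. Addresses are assumed:
!   local DMZ server     192.0.2.10     (translated to 203.0.113.10 on the outside)
!   peer's DMZ server    198.51.100.10  (reached via the Internet VPN, or via the
!                                        internal WAN behind inside when the Internet is down)
hostname asa-fw1

! Default in 7.x: traffic may traverse the firewall without matching a NAT rule,
! subject only to the access-lists. This is why no static(inside,dmz) is needed.
no nat-control

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0

! Static NAT for the DMZ server towards the Internet, as in the original post
static (dmz,outside) 203.0.113.10 192.0.2.10 netmask 255.255.255.255

! With "nat-control" enabled instead, the DMZ-to-inside flow would additionally need
! an identity static for the peer address behind inside (my understanding, assumed):
!   static (inside,dmz) 198.51.100.10 198.51.100.10 netmask 255.255.255.255

! Reachability probe: ICMP echo to the ISP next hop, sent out the outside interface
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability

! Primary default route is installed only while track 1 is up;
! the backup via inside has a worse metric and takes over when the probe fails.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route inside  0.0.0.0 0.0.0.0 10.1.1.254 254

! DMZ ACL: the server may initiate to its peer. The rule is keyed on source and
! destination, not on the egress interface, so it still matches once the route
! flips from outside to inside; nothing else is implicitly added by SLA monitor.
access-list dmz_in extended permit ip host 192.0.2.10 host 198.51.100.10
access-group dmz_in in interface dmz
```

To confirm which path is in use, `show sla monitor operational-state 1` shows the probe result, `show track 1` the tracked state, and `show route` whether the outside or the inside default route is currently installed.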
