06-10-2009 09:35 AM - edited 03-11-2019 08:41 AM
We have a CSS with a configured vip for 4 servers in a cluster.
The admins want to telnet via port 80 to the VIP and reach a server.
They are coming from 192.168.5.x
I have entered these rules:
access-list inside_access_in line 39 extended permit tcp 192.168.5.0 255.255.255.0 host Web-VIP object-group http-https 0x71c87785
access-list inside_access_in line 39 extended permit tcp 192.168.5.0 255.255.255.0 host Web-VIP eq https (hitcnt=0) 0x7cd8bb99
access-list inside_access_in line 39 extended permit tcp 192.168.5.0 255.255.255.0 host Web-VIP eq www (hitcnt=0) 0xfc9707c4
However, when I do a packet trace on ASDM with the packet tracer, it is being denied by the deny ip any any rule.
I am using the inside interface... 192.168.5.3 as source, actual web VIP as dest... source port telnet... dest port http/www
06-10-2009 10:20 AM
Where is the Web-VIP host located? DMZ or outside?
Please post your nat configuration.
Guido.
Please rate all the helpful comments.
06-10-2009 10:46 AM
There is no NAT going on for this particular node... all addressing is internal.
However, this VIP could be considered to reside on the inside interface.