Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
375
Views
5
Helpful
6
Replies

NAT,ACCESS RULES N TRAFFIC INSPECTION

Go to solution
Antonio Simoes
Level 1
Level 1

‎09-09-2013 11:30 AM - edited ‎03-11-2019 07:35 PM

Hi,

Can anyone awnser this questions?

  1. What I have to do to:
      1. Allow only traffic http/https from the inside to dmz
      2. Allow only traffic http/https from the dmz to inside

    1. How can I simulate inspected retrurning traffic in packet tracer?  Otherwise I never know if it will be allowed to return.

    Kind regards,

    AS

    Labels:
    0 Helpful
    1 Accepted Solution

    Accepted Solutions

    Go to solution
    Julio Carvajal
    VIP Alumni
    VIP Alumni

    ‎09-09-2013 11:40 AM

    Hello Antonio,

    For this particular traffic (HTTP, HTTPS) there will be only one session or data channel so with a regular packet-tracer you will be able to determine whether the returning traffic will be allowed or not.

    An example would be with ICMP (without the stateful inspection you will see a drop on the packet-tracer.. It points to an ACL issue I think).

    What I will provide you is a really useful command that not all of the people is aware of:

    show service-policy flow tcp host x.x.x.x host x.x.x.x eq 80

    You will be seeing if a policy inspection or parameter is matched

    For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

    Any question contact me at jcarvaja@laguiadelnetworking.com

    Cheers,

    Julio Carvajal Segura

    Julio Carvajal
    Senior Network Security and Core Specialist
    CCIE #42930, 2xCCNP, JNCIP-SEC

    View solution in original post

    0 Helpful
    6 Replies 6

    Go to solution
    Julio Carvajal
    VIP Alumni
    VIP Alumni

    ‎09-09-2013 11:40 AM

    Hello Antonio,

    For this particular traffic (HTTP, HTTPS) there will be only one session or data channel so with a regular packet-tracer you will be able to determine whether the returning traffic will be allowed or not.

    An example would be with ICMP (without the stateful inspection you will see a drop on the packet-tracer.. It points to an ACL issue I think).

    What I will provide you is a really useful command that not all of the people is aware of:

    show service-policy flow tcp host x.x.x.x host x.x.x.x eq 80

    You will be seeing if a policy inspection or parameter is matched

    For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

    Any question contact me at jcarvaja@laguiadelnetworking.com

    Cheers,

    Julio Carvajal Segura

    Julio Carvajal
    Senior Network Security and Core Specialist
    CCIE #42930, 2xCCNP, JNCIP-SEC
    0 Helpful

    Go to solution
    Antonio Simoes
    Level 1
    Level 1
    In response to Julio Carvajal

    ‎09-09-2013 03:37 PM

    Hi J,

    I´m confuse about one situation. In on of my branch companies, I have conected to my ASA inside port a ISR 2911/K9, doing router on the stick to my vlan´s. But now I have do conect a service on the main office. So I will do a Site-to-Site VPN on the ASA. But the local network is on of my vlans.

    So what will happen, I do the VPN and the ASA Route the traffic to the ISR and vice versa?

    Kind Regards,

    AS

    0 Helpful

    Go to solution
    Julio Carvajal
    VIP Alumni
    VIP Alumni
    In response to Antonio Simoes

    ‎09-09-2013 03:43 PM

    Hello Antonio,

    Exactly, You build the VPN between the ASA and the other site and the ASA routes and encrypts the traffic properly

    For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

    Any question contact me at jcarvaja@laguiadelnetworking.com

    Cheers,

    Julio Carvajal Segura

    Julio Carvajal
    Senior Network Security and Core Specialist
    CCIE #42930, 2xCCNP, JNCIP-SEC

    Go to solution
    Antonio Simoes
    Level 1
    Level 1
    In response to Julio Carvajal

    ‎09-09-2013 03:49 PM

    Hi J

    Ok. Two days from now I will test it.

    Take care man.

    AS

    0 Helpful

    Go to solution
    Julio Carvajal
    VIP Alumni
    VIP Alumni
    In response to Antonio Simoes

    ‎09-09-2013 03:52 PM

    Hello Antonio,

    Sure, keep me posted!

    For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

    Any question contact me at jcarvaja@laguiadelnetworking.com

    Cheers,

    Julio Carvajal Segura

    Julio Carvajal
    Senior Network Security and Core Specialist
    CCIE #42930, 2xCCNP, JNCIP-SEC
    0 Helpful

    Go to solution
    Antonio Simoes
    Level 1
    Level 1
    In response to Antonio Simoes

    ‎09-09-2013 03:56 PM

    Sure

    0 Helpful
    Customers Also Viewed These Support Documents
    Review Cisco Networking products for a $25 gift card