Task 2.4, 2.5, 2.6


I have a few questions about these requirements.

Firstly, R7 is acting as ZPF between VLAN17 and VLAN76,

and we have the following traffic flows:

1. The management WSA traffic (src =  dest = WSA M1 IP)

    Inspect action is applied (VLAN17 -> 76), so no worry about the reverse direction.

2. R1 redirected HTTP traffic (src =  dest = any eq 80)

    Inspect action is applied (VLAN17 -> 76). My point here is that when the WSA P1 interface puts that traffic back and spoofs the user's SRC IP, it will have the same (src, dst) but this time the flow is (VLAN76 -> 17). My question is how the firewall will allow that when there is a state entry from the first inspect: it now expects (src, dst) to be swapped, but it receives them the same. Is it going to drop such traffic, as the ASA may do in such a case? And is it more sensible to just PASS them from (17 to 79) and then inspect from (79 to 17) normally for the reply back from SW1 to the test PC (as spoofed by the WSA)?


Another question regarding DNS traffic: the WSA P1 and M1 are both configured as proxy ports. When the WSA makes a DNS query, which port will it source that from? The solution opened a hole for M1 only on the ASA1 outside interface; why not P1?




  • Hi,

      CBAC/ZBPF on the IOS routers or the ASA do not perform uRPF by default. So when R1 receives traffic from PC-A destined to SW1 inbound on its Gi0/1, it will send it to the WSA per the WCCP configuration; the WSA will initiate traffic spoofed from PC-A destined to SW1, for which R7 is configured with the inbound ACL to allow traffic; as SW1 replies, R1 is configured to redirect the reply again via WCCP to the WSA. So I don't see where the problem is.

      By default, control-plane traffic like NTP/DNS uses the M port; the P ports are by default used only for proxy functions.


