Monday, September 28, 2015

Cisco ASA Redundant Interfaces Lab with verification and testing

The ASA interface or the switch port that connected to the asa interface might fail, causing the ASA interface to go down, too. To keep an ASA interface to be up and active all the time, you should configure physical interfaces as redundant pairs. Only one of the interfaces is active at any given time; the other interface remains in a standby state. The first physical interface added to a logical redundant interface will become the active interface.


ciscoasa(config)# int redundant 1
ciscoasa(config-if)# member-interface gigabitEthernet 0/2
ERROR: member interface must not have nameif configure.
ciscoasa(config)# int gi0/2
ciscoasa(config-if)# no nameif outside
ciscoasa(config-if)# no ip address
ciscoasa(config-if)# no security-level 0
ciscoasa(config-if)# member-interface gigabitEthernet 0/2
INFO: security-level, IP address and cts manual are cleared on GigabitEthernet0/2.
ciscoasa(config-if)# member-interface gigabitEthernet 0/3
INFO: security-level, IP address and cts manual are cleared on GigabitEthernet0/3.
ciscoasa(config-if)# no shu
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# ip address 192.168.1.254 255.255.255.0
ciscoasa# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
No route to host 8.8.8.8
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 192.168.1.1
ciscoasa(config)# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/100/100 ms

Previous access-lists and nat rules which  are linked to the outside interface are cleared when we create redundant link. Pc 192.168.0.10 can not ping to 8.8.8.8
ciscoasa(config)# nat (inside,outside) source dynamic any interface
Now pc 192.168.0.10 can ping to 8.8.8.8

ciscoasa(config)# sh int redundant 1
Interface Redundant1 "outside", is up, line protocol is up
  Hardware is i82540EM rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        ….
  Redundancy Information:
        Member GigabitEthernet0/2(Active), GigabitEthernet0/3
        Last switchover at 10:57:29 GMT Sep 20 2019

If you shutdoqn int gig0/2, and issue the command again
ciscoasa(config-if)# sh int redundant 1
Interface Redundant1 "outside", is up, line protocol is up
  Hardware is i82540EM rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        …..
  Redundancy Information:
        Member GigabitEthernet0/3(Active), GigabitEthernet0/2
        Last switchover at 11:19:51 GMT Sep 20 2019

If gig0/2 get back to the network, gig0/3 will remains active.

Posted by at No comments:
Labels:

Saturday, September 26, 2015

Cisco ASA Active/Standby Failover LAB

In this article will demonstrate on how to configure Active Standby failover on cisco ASA 5520 ASA firewall and how to verify and troubleshoot configuration step by step. This article is useful if you understand the theoretical part of the failover.

ASA1 Primary Configuration
ciscoasa(config)# int e2
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# no shu
ciscoasa(config-if)# ip address 192.168.0.254 255.255.255.0 standby 192.168.0.253
ciscoasa(config-if)# int e3
ciscoasa(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# no shu
ciscoasa(config-if)# ip address 192.168.2.254 255.255.255.0 standby 192.168.2.253
ciscoasa(config-if)# no shu
ciscoasa(config-if)# in e4
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# no shu
ciscoasa(config-if)# ip address 192.168.1.254 255.255.255.0 standby 192.168.1.253
ciscoasa(config)# int e0               ! failover lan interface for configuration replication
ciscoasa(config-if)# no sh
ciscoasa(config-if)# int e1        ! stateful link interface for stateful information replication
ciscoasa(config-if)# no sh
ciscoasa(config)# failover lan interface fail-1 e0
ciscoasa(config)# failover interface ip fail-1 10.10.10.1 255.255.255.252 standby 10.10.10.2
ciscoasa(config)# failover link fail-1 e0   
Note that it’s recommended to use another interface for stateful replication, but here we use the same interface for config replication and stateful replication.
ciscoasa(config)# failover interface ip fail-1 10.10.10.1 255.255.255.252 standby 10.10.10.2
ciscoasa(config)# failover replication http
ciscoasa(config)# failover lan unit primary
ciscoasa(config)# failover key cisco
ciscoasa(config)# prompt hostname priority state
ciscoasa/pri/actNoFailover(config)# failover
ciscoasa/pri/act(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: fail-1 Ethernet0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 60 maximum
failover replication http
Version: Ours 9.1(5)16, Mate Unknown
Last Failover at: 14:44:50 UTC Sep 21 2019
        This host: Primary - Negotiation
                Active time: 0 (sec)
                  Interface inside (192.168.0.254): No Link (Waiting)
                  Interface dmz (192.168.2.254): No Link (Waiting)
                  Interface outside (192.168.1.254): No Link (Waiting)
        Other host: Secondary - Not Detected
                Active time: 0 (sec)
                  Interface inside (192.168.0.253): Unknown (Waiting)
                  Interface dmz (192.168.2.253): Unknown (Waiting)
                  Interface outside (192.168.1.253): Unknown (Waiting)

Stateful Failover Logical Update Statistics
        ……….
                 No Active mate detected

ciscoasa/pri/act(config)# sh failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Failed         Comm Failure             15:02:31 UTC Sep 21 2019

ciscoasa/pri/act(config)# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0                fail-1                 10.10.10.1      255.255.255.252 unset
Ethernet2                inside                 192.168.0.254   255.255.255.0   manual
Ethernet3                dmz                    192.168.2.254   255.255.255.0   manual
Ethernet4                outside                192.168.1.254   255.255.255.0   manual
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0                fail-1                 10.10.10.1      255.255.255.252 unset
Ethernet2                inside                 192.168.0.254   255.255.255.0   manual
Ethernet3                dmz                    192.168.2.254   255.255.255.0   manual
Ethernet4                outside                192.168.1.254   255.255.255.0   manual


ASA 2 –Secondary ASA Firewall Configuration
ciscoasa(config)# failover interface ip fail-1 10.10.10.1 255.255.255.252 standby 10.10.10.2
ciscoasa(config)# failover key cisco
ciscoasa(config)# failover lan unit secondary
ciscoasa(config)# failover

        Detected an Active mate
Beginning configuration replication from mate.
ERROR: Password recovery was not changed, unable to access
the configuration register.
Crashinfo is NOT enabled on Full Distribution Environment
End configuration replication from mate.

ciscoasa/sec/stby(config)#
ciscoasa/sec/stby(config)# show ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask              Method
Ethernet0                fail-1                 10.10.10.1      255.255.255.252          unset
Ethernet2                inside                 192.168.0.254   255.255.255.0            CONFIG
Ethernet3                dmz                    192.168.2.254   255.255.255.0            CONFIG
Ethernet4                outside                192.168.1.254   255.255.255.0            CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask              Method
Ethernet0                fail-1                 10.10.10.2      255.255.255.252          unset
Ethernet2                inside                 192.168.0.253   255.255.255.0            CONFIG
Ethernet3                dmz                    192.168.2.253   255.255.255.0            CONFIG
Ethernet4                outside                192.168.1.253   255.255.255.0            CONFIG

ciscoasa/pri/act# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: fail-1 Ethernet0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 60 maximum
failover replication http
Version: Ours 9.1(5)16, Mate 9.1(5)16
Last Failover at: 17:01:41 UTC Sep 21 2019
        This host: Primary - Active
                Active time: 98 (sec)
                  Interface inside (192.168.0.254): Normal (Monitored)
                  Interface dmz (192.168.2.254): Unknown (Waiting)
                  Interface outside (192.168.1.254): Unknown (Waiting)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface inside (192.168.0.253): Normal (Monitored)
                  Interface dmz (192.168.2.253): Unknown (Waiting)
                  Interface outside (192.168.1.253): Unknown (Waiting)       
ciscoasa/sec/stby# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: fail-1 Ethernet0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 60 maximum
failover replication http
Version: Ours 9.1(5)16, Mate 9.1(5)16
Last Failover at: 17:01:20 UTC Sep 21 2019
        This host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface inside (192.168.0.253): Normal (Monitored)
                  Interface dmz (192.168.2.253): Unknown (Waiting)
                  Interface outside (192.168.1.253): Unknown (Waiting)
        Other host: Primary - Active
                Active time: 145 (sec)
                  Interface inside (192.168.0.254): Normal (Monitored)
                  Interface dmz (192.168.2.254): Unknown (Waiting)
                  Interface outside (192.168.1.254): Unknown (Waiting)
Now NATING the inside network to the outside
ciscoasa/pri/act(config)# object network inside-net
ciscoasa/pri/act(config-network-object)# subn
ciscoasa/pri/act(config-network-object)# subnet 192.168.0.0 255.255.255.0
ciscoasa/pri/act(config-network-object)# nat (inside,outside) dynamic interface
ciscoasa/pri/act(config)# policy-map global_policy
ciscoasa/pri/act(config-pmap)#  class inspection_default
ciscoasa/pri/act(config-pmap-c)# inspect icmp
ciscoasa/pri/act(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.1
NOW inside network can reach the internet and he did ping successfully to www.google.com
When cpmare the asa firewalls active and standby now, u will be sure that the stateful information replication happened successfully. See the tcp and udp connections on both of the asa firewalls.
ciscoasa/pri/act# show failover
Failover On
Failover unit Primary
….
Stateful Failover Logical Update Statistics
        Link : fail-2 Ethernet1 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         95         0          33         0
        sys cmd         33         0          33         0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        12         0          0          0
        UDP conn        28         0          0          0
        ARP tbl         21         0          0          0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKEv1 SA    0          0          0          0
        ……
ciscoasa/sec/stby# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: fail-1 Ethernet0 (up)
…….
        TCP conn        0          0          12         0
        UDP conn        0          0          28         0
        ARP tbl         0          0          21         0
        ……
Now I want to stop the active firewall manually using the command no failover active
ciscoasa/pri/act(config)# no failover active
ciscoasa/pri/act(config)# Waiting for the earlier webvpn instance to terminate...
Previous instance shut down. Starting a new one.
        Switching to Standby
ciscoasa/pri/stby(config)#


Posted by at 1 comment:
Labels:

Friday, September 25, 2015

Cisco ASA Active/Active Failover LAB

In this article will demonstrate on how to configure active/active failover. This article is useful if you understand the concepts and the theoretical part of the active/active failover.


ASA1(config)# sho mode
Security context mode: single
ASA1(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
ASA1# show context
Context Name      Class      Interfaces           Mode         URL
*admin            default                         Routed       disk0:/admin.cfg

Total active Security Contexts: 1
ASA1(config)# context ctx-2
ASA1(config-ctx)# allocate-interface e2
ASA1(config-ctx)# allocate-interface e1
ASA1(config-ctx)# config-url ctx2.conf
ASA1(config)# admin-context ctx-2
ASA1(config)# sh context
Context Name      Class      Interfaces           Mode         URL
 admin            default                         Routed       disk0:/admin.cfg
*ctx-2            default    Ethernet1,Ethernet2  Routed       disk0:/ctx2.conf

ASA1(config)# no context admin
WARNING: Removing context 'admin'
Proceed with removing the context? [confirm]
Removing context 'admin' (1)... Done
ASA1(config)# sh context
Context Name      Class      Interfaces           Mode         URL
*ctx-2            default    Ethernet1,Ethernet2  Routed       disk0:/ctx2.conf
ASA1(config)# context ctx-1
ASA1(config-ctx)# allocate-interface e0
ASA1(config-ctx)# allocate-interface e1
ASA1(config-ctx)# config-url ctx1.conf
ASA1(config)# admin-context ctx-1
ASA1(config)# sh context
Context Name      Class      Interfaces           Mode         URL
 ctx-2            default    Ethernet1,Ethernet2  Routed       disk0:/ctx2.conf
*ctx-1            default    Ethernet0,Ethernet1  Routed       disk0:/ctx1.conf

ASA1(config)# changeto context ctx-1
ASA1/ctx-1(config)# int e1
ASA1/ctx-1(config)# no sh
ASA1/ctx-1(config-if)# ip address 192.168.1.5 255.255.255.0 standby 192.168.1.6
ASA1/ctx-1(config-if)# mac-address 0000.0000.0001 standby 0000.0000.0002
ASA1/ctx-1(config-if)# int e0
ASA1/ctx-1(config)# no sh
ASA1/ctx-1(config-if)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2

ASA1(config)# failover group 2
ASA1(config-fover-group)# secondary
ASA1(config-fover-group)# preempt 60
ASA1(config)# failover group 1
ASA1(config-fover-group)# primary
ASA1(config-fover-group)# preempt 60
ASA1(config)# context ctx-1
ASA1(config-ctx)# join-failover-group 1
ASA1(config-ctx)# context ctx-2
ASA1(config-ctx)# join-failover-group 2

ASA1/ctx-1(config)# changeto context ctx-2
ASA1/ctx-2(config)# int e2
ASA1/ctx-2(config-if)# no sh
ASA1/ctx-2(config-if)# nameif dmz
ASA1/ctx-2(config-if)# security-level 50
ASA1/ctx-2(config-if)# ip address 10.2.2.1 255.255.255.0 standby 10.2.2.2
ASA1/ctx-2(config-if)# int e1
ASA1/ctx-2(config-if)# nameif outside
ASA1/ctx-2(config-if)# security-level 0
ASA1/ctx-2(config-if)# ip address 192.168.1.7 255.255.255.0 standby 192.168.1.8
ASA1/ctx-2(config-if)# mac-address 0000.0000.0003 standby 0000.0000.0004
ASA1(config)# int e3
ASA1(config-if)# no sh
ASA1(config-if)# int e4
ASA1(config-if)# no sh
ASA1(config)# failover lan interface fail-config e3
ASA1(config)# failover link fail-state e4
ASA1(config)# failover interface ip fail-config 192.168.10.1 255.255.255.0 standby 192.168.10.2
ASA1(config)# failover interface ip fail-state 192.168.20.1 255.255.255.0 standby 192.168.20.2

ASA1/ctx-2(config)# changet system
ASA1(config)# failover lan unit primary
ASA1(config)# failover

ASA1(config)# show failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Negotiation    None
Other host -   Secondary
               Not Detected   None

====Configuration State===
====Communication State===

ASA1(config)# .

        No Active mate detected

        Group 1 No Response from Mate, Switch to Active

        Group 2 No Response from Mate, Switch to Active

ASA1(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: fail-config Ethernet3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 60 maximum
Version: Ours 9.1(5)16, Mate Unknown
Group 1 last failover at: 08:09:31 UTC Sep 25 2019
Group 2 last failover at: 08:09:31 UTC Sep 25 2019

  This host:    Primary
  Group 1       State:          Active
                Active time:    21 (sec)
  Group 2       State:          Active
                Active time:    21 (sec)

                  ctx-2 Interface dmz (10.2.2.1): Unknown (Waiting)
                  ctx-2 Interface outside (192.168.1.7): Unknown (Waiting)
                  ctx-1 Interface inside (10.1.1.1): Unknown (Waiting)
                  ctx-1 Interface outside (192.168.1.5): Unknown (Waiting)

  Other host:   Secondary
  Group 1       State:          Failed
                Active time:    0 (sec)
  Group 2       State:          Failed
                Active time:    0 (sec)

                  ctx-2 Interface dmz (10.2.2.2): Unknown (Waiting)
                  ctx-2 Interface outside (192.168.1.8): Unknown (Waiting)
                  ctx-1 Interface inside (10.1.1.2): Unknown (Waiting)
                  ctx-1 Interface outside (192.168.1.6): Unknown (Waiting)

ASA1(config)# prompt hostname priority context state

ASA2 Configuration

ciscoasa(config)#int e3
ciscoasa(config)#no sh
ciscoasa(config)#int e4
ciscoasa(config)#no sh
ciscoasa(config)# failover lan unit secondary
ciscoasa(config)# failover lan interface fail-config e3
ciscoasa(config)# failover interface ip fail-config 192.168.10.1 255.255.255.0 standby 192.168.10.2


ASA1/pri/act# Beginning configuration replication: Sending to mate.
End Configuration Replication to mate

ASA1/pri/act# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: fail-config Ethernet3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 60 maximum
Version: Ours 9.1(5)16, Mate 9.1(5)16
Group 1 last failover at: 08:09:31 UTC Sep 25 2019
Group 2 last failover at: 08:09:31 UTC Sep 25 2019

  This host:    Primary
  Group 1       State:          Active
                Active time:    922 (sec)
  Group 2       State:          Active
                Active time:    922 (sec)

                  ctx-2 Interface dmz (10.2.2.1): Normal (Waiting)
                  ctx-2 Interface outside (192.168.1.7): Normal (Waiting)
                  ctx-1 Interface inside (10.1.1.1): Normal (Waiting)
                  ctx-1 Interface outside (192.168.1.5): Normal (Waiting)

  Other host:   Secondary
  Group 1       State:          Standby Ready
                Active time:    0 (sec)
  Group 2       State:          Standby Ready
                Active time:    0 (sec)

ASA1/sec/stby# sh failover state

               State          Last Failure Reason      Date/Time
This host  -   Secondary
    Group 1    Standby Ready  None
    Group 2    Standby Ready  None
Other host -   Primary
    Group 1    Active         Comm Failure             08:24:32 UTC Sep 25 2019
    Group 2    Active         Comm Failure             08:24:32 UTC Sep 25 2019

After 60 second
ASA1/sec/stby# sh failover state
        Group 2 preempt mate


               State          Last Failure Reason      Date/Time
This host  -   Secondary
    Group 1    Standby Ready  None
    Group 2    Active         None
Other host -   Primary
    Group 1    Active         Comm Failure             08:24:32 UTC Sep 25 2019
    Group 2    Active         Comm Failure             08:24:32 UTC Sep 25 2019
ASA1/pri/act# sh failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
    Group 1    Active         None
    Group 2    Standby Ready  None
Other host -   Secondary
    Group 1    Standby Ready  Comm Failure             08:09:49 UTC Sep 25 2019
    Group 2    Active         Comm Failure             08:09:49 UTC Sep 25 2019

Router Configuration
ip route 0.0.0.0 0.0.0.0 192.168.1.5
interface Ethernet0/0
 ip address 192.168.1.70 255.255.255.0
ip http server
ip http secure-server

ASA Verifcation when Request come from 10.1.1.211 to 1921.168.1.70 80
nat (inside,outside) source dynamic any interface
ASA1/pri/ctx-1/act(config)# show xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
    flags sIT idle 0:01:15 timeout 0:00:00
TCP PAT from inside:10.1.1.211/1203 to outside:192.168.1.5/1203 flags ri idle 0:00:03 timeout 0:00:30
ASA1/pri/ctx-1/act(config)# sh conn
5 in use, 5 most used
TCP outside  192.168.1.70:80 inside  10.1.1.211:1204, idle 0:00:26, bytes 0, flags Ux


ASA1/pri/act(config)# no failover active group 1
ASA1/pri/stby# sh failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
    Group 1    Standby Ready  None
    Group 2    Standby Ready  None
Other host -   Secondary
    Group 1    Active         Comm Failure             08:09:49 UTC Sep 25 2019
    Group 2    Active         Comm Failure             08:09:49 UTC Sep 25 2019


ASA1/sec/ctx-1/act# sh xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
    flags sIT idle 0:06:55 timeout 0:00:00
TCP PAT from inside:10.1.1.211/1207 to outside:192.168.1.5/1207 flags ri idle 0:00:29 timeout 0:00:30
ASA1/sec/ctx-1/act#
ASA1/pri/stby#failover active group 1
ASA1/pri/act# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: fail-config Ethernet3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 60 maximum
Version: Ours 9.1(5)16, Mate 9.1(5)16
Group 1 last failover at: 09:11:41 UTC Sep 25 2019
Group 2 last failover at: 08:25:31 UTC Sep 25 2019

  This host:    Primary
  Group 1       State:          Active
                Active time:    2 (sec)
  Group 2       State:          Standby Ready
                Active time:    960 (sec)

                  ctx-2 Interface dmz (10.2.2.2): Normal (Monitored)
                  ctx-2 Interface outside (192.168.1.8): Normal (Monitored)
                  ctx-1 Interface inside (10.1.1.1): Normal (Waiting)
                  ctx-1 Interface outside (192.168.1.5): Normal (Waiting)
ASA1/pri/ctx-1/act# sh xlate
3 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
    flags sIT idle 0:09:44 timeout 0:00:00
TCP PAT from inside:10.1.1.211/1206 to outside:192.168.1.5/1206 flags ri idle 0:04:06 timeout 0:00:30
TCP PAT from inside:10.1.1.211/1205 to outside:192.168.1.5/1205 flags ri idle 0:05:11 timeout 0:00:30

Posted by at 2 comments:
Labels:
Subscribe to: Posts (Atom)