Doubt: Do we really need the 2nd access policy from outside to inside (100.1.2.1 to 100.1.1.1)? In ASA, VPN traffic is exempted from ACL filtering on the outside interface with the "sysopt vpn traffic" command. However, let's say it is needed; then why do we put the NAT IP of the inside zone as the destination in the rule rather than the original subnet (10.1.1.0/24)? As we know, after the destination NAT lookup, the policy lookup happens. So post destination NAT lookup it will be changed to 10.1.1.0, and the policy will check for destination 10.1.1.0, not 100.1.1.0/24.
In NAT Site1-to-site2 you've configured source and destination NAT with bidirectional. Then why do we need Site2-to-site1 NATing? I think bidirectional NAT will work if traffic is generated through site 2. Please correct me if I am wrong.
Can you please explain this by comparing it to the life of a packet flow in Palo Alto? Basically, when return traffic (100.1.2 to 100.1.1) comes in, first it will look for destination NAT. There is DNAT 100.1.1 to 10.1.1, but again it will check the security policy, in which there is no policy allowing from outside to inside with source 100.1.2 to 10.1.1, right? Can you please answer this doubt? Am I missing anything?
Do you have a video on how to configure a Windows PC on EVE-NG? I tried with a Windows 11 virtual PC, but the hard drive size of the VM needs to be 80 GB and it would consume the hard drive space that I allocated for the EVE-NG environment. I had to increase the size of the EVE-NG hard disk a couple of times to accommodate the virtual Windows PC. What do you recommend as the best image to use in EVE-NG which is the lightest and does not consume much disk space?
Hello Marrr, you can follow this video (ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-Nz4egjiPDqE.html). For EVE-NG I have allocated a 500GB SSD; actually, images and labs take more space.
Hi Bikash, great videos. Thank you for them. Please help me understand: if we are doing static NAT, why do we use the whole network instead of a single IP?
At 24:07 your 2nd NAT rule is wrong. The destination zone is still the outside because it's not translated yet. What security zone did you put 100.1.1.0 and 100.1.2.0 in?
@shivsankar455 I actually wasn't right. For a moment, think of a classic port-forwarding NAT rule you've added, e.g. a web server on 443/tcp translated to an internal address. Your destination zone would still be the outside zone (WAN), and the translated address would belong to an internal zone (DMZ). That's because those who are visiting your web server do NOT know the internal addresses, and they are visiting using the WAN address. But with this IPsec example, there are static routes in place for the internal addresses, so the destination zone is just your internal zone (LAN) and not the outside zone. The bidirectional option isn't needed; you've already created two rules in both directions. The bidirectional option never worked properly for me if I filled in the destination address values. It's just better to create two separate rules without that option.
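As an added example (not part of the thread or the video), a small model of the evaluation order the first three questions and the last comment are debating: the destination zone comes from a route lookup on the post-NAT address, while the security policy is still matched on the original (pre-NAT) addresses. The site 2 LAN 10.1.2.0/24, the zone names and the rule names are assumptions; the 10.1.1.0/24, 100.1.1.0/24 and 100.1.2.0/24 ranges are the thread's.

```python
import ipaddress

# Constructed model of site 1's Palo Alto firewall, using the thread's addresses:
# LAN 10.1.1.0/24 is shown to site 2 as 100.1.1.0/24; site 2 is seen as 100.1.2.0/24.
# The site 2 LAN 10.1.2.0/24 and the rule/zone names are assumptions.
ROUTES = [  # (prefix, zone of the egress interface); longest prefix wins
    ("10.1.1.0/24", "inside"),
    ("100.1.1.0/24", "inside"),   # static route for the NAT range, as the last comment describes
    ("100.1.2.0/24", "outside"),  # reached through the VPN tunnel
    ("0.0.0.0/0", "outside"),
]
NAT_RULES = [  # (name, from_zone, to_zone, orig_src, orig_dst, new_src, new_dst)
    ("site1-to-site2", "inside", "outside", "10.1.1.0/24", "100.1.2.0/24", "100.1.1.0/24", "10.1.2.0/24"),
    ("site2-to-site1", "outside", "inside", "100.1.2.0/24", "100.1.1.0/24", None, "10.1.1.0/24"),
]
SECURITY_RULES = [  # (name, from_zone, to_zone, src, dst); addresses are the ORIGINAL (pre-NAT) ones
    ("vpn-out", "inside", "outside", "10.1.1.0/24", "100.1.2.0/24"),
    ("vpn-in", "outside", "inside", "100.1.2.0/24", "100.1.1.0/24"),
]

def zone_for(ip):
    """Longest-prefix route lookup; returns the zone of the egress interface."""
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(p).prefixlen, z) for p, z in ROUTES if addr in ipaddress.ip_network(p)]
    return max(hits)[1]

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def translate(ip, orig_net, new_net):
    """Static one-to-one network translation: keep the host part, swap the prefix."""
    if new_net is None:
        return ip
    offset = int(ipaddress.ip_address(ip)) - int(ipaddress.ip_network(orig_net).network_address)
    return str(ipaddress.ip_network(new_net).network_address + offset)

def evaluate(src, dst, ingress_zone, security_rules=SECURITY_RULES):
    """First-packet evaluation: (nat_rule, security_rule, dest_zone, post_nat_src, post_nat_dst)."""
    pre_nat_dst_zone = zone_for(dst)  # NAT rules are matched against the original destination's zone
    nat = next((r for r in NAT_RULES if r[1] == ingress_zone and r[2] == pre_nat_dst_zone
                and in_net(src, r[3]) and in_net(dst, r[4])), None)
    new_src, new_dst = src, dst
    if nat:
        new_src, new_dst = translate(src, nat[3], nat[5]), translate(dst, nat[4], nat[6])
    final_dst_zone = zone_for(new_dst)  # second route lookup, on the post-NAT destination
    # Security policy: post-NAT zones, but still the pre-NAT source and destination addresses
    sec = next((r for r in security_rules if r[1] == ingress_zone and r[2] == final_dst_zone
                and in_net(src, r[3]) and in_net(dst, r[4])), None)
    return (nat[0] if nat else None, sec[0] if sec else None, final_dst_zone, new_src, new_dst)
```

Running `evaluate("100.1.2.1", "100.1.1.1", "outside")` shows the return packet hitting the "site2-to-site1" NAT rule and the "vpn-in" policy with destination 100.1.1.0/24; a policy written with the post-NAT 10.1.1.0/24 as destination would not match.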