Simon,

You shouldn't enable SSH on the outside interface when trying to redirect
the port for another application as the ASA will then be listening on the
port. Either way, make sure you test it so you can see the outcome of the
configuration you do.

Regards,
 
Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.


-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Simon
Baumann
Sent: Saturday, August 15, 2009 7:35 AM
To: [email protected]
Subject: [OSL | CCIE_Security] ASA PAT to DMZ.

Hi,
I got this err when I rebuilt the static on ASA1 (Lab1B, troubleshooting):

act(config)# static (DMZ7,outside) tcp interface ssh 10.7.7.100 ssh netmask 255.255.255.255
ERROR: unable to reserve port 22 for static PAT
ERROR: unable to download policy
Usage: [no] static [(real_ifc, mapped_ifc)]
                 {<mapped_ip>|interface}
                 {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
                 [dns]
                 [[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
                 [udp <max_conns>]
         [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
                 {<mapped_ip>|interface} <mapped_port>
                 {<real_ip> <real_port> [netmask <mask>]} |
                 {access-list <acl_name>}
                 [dns]
                 [[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
                 [udp <max_conns>]
         show running-config [all] static [<mapped_ip>]
         clear configure static

The err was already discussed:
http://www.mail-archive.com/[email protected]/msg01009.html

I disabled ssh on the outside interface, configured my static for DMZ7  
and enabled ssh again. Would that be a valid workaround?

Have a great weekend
Simon



_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com
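
An added example, not part of the thread or of any Cisco tooling: a Python check that scans a saved configuration for the overlap discussed above, a static PAT on the `interface` address whose mapped TCP port is also one the ASA listens on for SSH or Telnet management on the same interface. The sample configuration is constructed apart from the static line quoted in the thread, and the helper names are assumptions of this example.

```python
import re

# CLI port keywords mapped to numbers (small subset, enough for this check).
PORT_NAMES = {"ssh": 22, "telnet": 23, "www": 80, "https": 443}

# Static PAT to the interface address, in the syntax shown in the usage text.
STATIC_PAT = re.compile(
    r"^static \((?P<real>[^,]+),(?P<mapped>[^)]+)\) tcp interface (?P<mport>\S+) ")
# Management access lines: "ssh|telnet <network> <mask> <interface>".
MGMT = re.compile(
    r"^(?P<svc>ssh|telnet) \d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+ (?P<ifc>\S+)$")

# Constructed sample; only the first static line comes from the thread.
SAMPLE = """\
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 5
static (DMZ7,outside) tcp interface ssh 10.7.7.100 ssh netmask 255.255.255.255
static (DMZ7,outside) tcp interface 8080 10.7.7.100 www netmask 255.255.255.255
"""

def port(token):
    """Resolve a port keyword or number; None if the keyword is not in our subset."""
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    return int(token) if token.isdigit() else None

def find_conflicts(config):
    """Return (interface, port, line) for static PATs that overlap a management listener."""
    listeners, statics = set(), []
    for raw in config.splitlines():
        line = " ".join(raw.split())  # collapse wrapped/extra whitespace
        m = MGMT.match(line)
        if m:
            listeners.add((m["ifc"], PORT_NAMES[m["svc"]]))
            continue
        m = STATIC_PAT.match(line)
        if m:
            statics.append((m["mapped"], port(m["mport"]), line))
    # Compare after the full pass so the order of lines in the config does not matter.
    return [s for s in statics if (s[0], s[1]) in listeners]

if __name__ == "__main__":
    for ifc, p, line in find_conflicts(SAMPLE):
        print(f"{ifc}: tcp/{p} is both a management listener and a static PAT: {line}")
```

Because the comparison happens after the whole file is read, the check also flags a configuration where the static was entered while SSH was temporarily disabled and SSH was re-enabled afterwards.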
