Hi Kings,

True, but Sumit used a tcp and port specification in the access-list, but not the tcp keyword in the static.
So that's where the mismatch is.

PJ

On 21 jun 2010, at 09:20, Kingsley Charles wrote:

Hi PJ

When we use an access-list for port redirection, we can't use the destination port; rather, we use the source port number, as follows:

static (outside,inside) tcp 172.8.7.31 23 access-list nat-1

access-list NAT-1 extended permit tcp host 172.8.6.4 eq 23 host 172.8.52.5


If we don't specify the local port, we will get this error:

ERROR: Missing local port in access-list used in static pat


With regards
Kings

On Sun, Jun 20, 2010 at 11:00 PM, Pieter-Jan Nefkens <[email protected]> wrote:
Hi Sumit,

The access-list specifies a specific protocol (telnet) that should be matched for the translation, but in your static configuration, you specify the whole IP address to be translated (so both tcp and udp). And that doesn't match up.

The ASA can't determine in a single way what needs to be translated (e.g. mixing up PAT and NAT).

You could better do:
access-list nat-1 permit ip host 172.8.6.4 host 172.8.52.5
static (outside,inside) 172.8.7.31 access-list nat-1

Or use tcp ports (I think it's possible) and do
static (outside,inside) tcp 172.8.7.31 23 access-list nat-1

Pieter-Jan


On 20 jun 2010, at 19:14, Sumit Mahla wrote:

Hello All,
 
 
 
ASA2(config)# access-list NAT-1 extended permit tcp host 172.8.6.4 host
ASA2(config)# access-list NAT-1 extended permit tcp host 172.8.6.4 host 172.8.52.5 eq 23
ASA2(config)# sta
ASA2(config)# static (ou,in) 172.8.7.31 acc
ASA2(config)# static (ou,in) 172.8.7.31 access-list NAT-1
ERROR: Protocol mismatch between the static and access-list
ASA2(config)#

 
 
Why do I get this error? I am using ASA 8.2. Sometimes I do not get this error, and some of my friends do not get this error.
 
Please suggest...
 
 
Regards
 


_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

---
Nefkens Advies
Enk 26
4214 DD Vuren
The Netherlands

Tel: +31 183 634730
Fax: +31 183 690113
Cell: +31 654 323221
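
The two errors discussed in this thread, as an added example that is not part of any message above: a small Python check that reads a static/access-list pair and predicts which error the ASA would print. The names `lint`, `STATIC_RE` and `ACE_RE` are hypothetical, the rules encode only what the participants describe, and only the `host A [eq P] host B [eq P]` ACE form used here is parsed.

```python
import re

# Parses only the ASA 8.2 forms that appear in this thread (assumption, not a full grammar).
STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) "
    r"(?:(?P<proto>tcp|udp) (?P<ip>\S+) (?P<port>\S+)|(?P<nat_ip>\S+))"
    r" access-list (?P<acl>\S+)$")
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) (?:extended )?permit (?P<proto>\S+)"
    r" host (?P<src>\S+)(?: eq (?P<sport>\S+))?"
    r" host (?P<dst>\S+)(?: eq (?P<dport>\S+))?$")

MISMATCH = "Protocol mismatch between the static and access-list"
NO_PORT = "Missing local port in access-list used in static pat"

def lint(config):
    """Return (static line, predicted error) pairs for a config snippet."""
    lines = [l.strip() for l in config.strip().splitlines() if l.strip()]
    aces = {}
    for line in lines:
        m = ACE_RE.match(line)
        if m:
            aces.setdefault(m["name"], []).append(m)
    findings = []
    for line in lines:
        s = STATIC_RE.match(line)
        if not s:
            continue
        static_proto = s["proto"] or "ip"      # no keyword: whole address is translated
        for ace in aces.get(s["acl"], []):
            if ace["proto"] != static_proto:   # e.g. tcp ACE with a plain static
                findings.append((line, MISMATCH))
            elif s["proto"] and ace["sport"] is None:  # static PAT needs "eq" on the source
                findings.append((line, NO_PORT))
    return findings

# Sample inputs assembled from the lines quoted in the thread.
SUMIT = """access-list NAT-1 extended permit tcp host 172.8.6.4 host 172.8.52.5 eq 23
static (ou,in) 172.8.7.31 access-list NAT-1"""
PJ_FIX = """access-list nat-1 permit ip host 172.8.6.4 host 172.8.52.5
static (outside,inside) 172.8.7.31 access-list nat-1"""
KINGS = """access-list NAT-1 extended permit tcp host 172.8.6.4 eq 23 host 172.8.52.5
static (outside,inside) tcp 172.8.7.31 23 access-list NAT-1"""
PAT_NO_SPORT = """access-list NAT-1 extended permit tcp host 172.8.6.4 host 172.8.52.5 eq 23
static (outside,inside) tcp 172.8.7.31 23 access-list NAT-1"""

if __name__ == "__main__":
    for name in ("SUMIT", "PJ_FIX", "KINGS", "PAT_NO_SPORT"):
        print(name, lint(globals()[name]))
```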
