From memory in Bhaiji's book, isn't static NAT processed before static PAT?
________________________________
From: [email protected] [mailto:[email protected]] On Behalf Of --Hammer--
Sent: 04 August 2010 16:34
To: Kingsley Charles
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] static nat order

Careful with that "feature" word. :) I'm on CCO right now but this is kinda hard to confirm. I'll follow up soon.

--Hammer--

On 8/4/2010 10:29 AM, Kingsley Charles wrote:

I am also thinking along the same lines. Just wanted to confirm, is it a feature?

With regards
Kings

On Wed, Aug 4, 2010 at 8:57 PM, --Hammer-- <[email protected]> wrote:

Isn't that "less specific rule first" being allowed and that is why Try 2 works? I'm asking more than telling.

--Hammer--

On 8/4/2010 10:23 AM, Kingsley Charles wrote:

Hi all

If you check out Try 1, I am not able to static PAT with 10.20.30.40 as there is a static rule for 10.20.30.40. But if I try in the reverse order, ASA accepts.

Does that mean static rules are executed in order? Hence with Try 2 the static PAT is matched first and then the static rule is matched, or is it a bug?

Try 1

asa(config)# static (inside,outisde) 1.2.3.4 10.20.30.40
asa(config)# static (inside,outisde) tcp 1.2.3.4 telnet 10.20.30.40 telnet ne$
ERROR: mapped-address conflict with existing static inside:10.20.30.40 to outisde:1.2.3.4 netmask 255.255.255.255
asa(config)# sh run static
static (inside,outisde) 1.2.3.4 10.20.30.40 netmask 255.255.255.255

Try 2

asa(config)# static (inside,outisde) tcp 1.2.3.4 23 10.20.30.40 23
asa(config)# static (inside,outisde) 1.2.3.4 10.20.30.40
asa(config)# sh run static
static (inside,outisde) tcp 1.2.3.4 telnet 10.20.30.40 telnet netmask 255.255.255.255
static (inside,outisde) 1.2.3.4 10.20.30.40 netmask 255.255.255.255

With regards
Kings

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
