So it's not in the NAT order of operations guide on CCO. But, I did find an example where something similar was used.

I think the idea is that you can do a per-port NAT (not PAT/overload) to different IPs or the same. As long as the more specific (Think ACL operations) statics are applied first. If anyone has something clearly stating this I would love to see it.

MIGHT REQUIRE CCO ACCESS
http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml
static (inside,outside) tcp 172.18.124.99 telnet 10.1.1.6 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp 172.18.124.99 ftp 10.1.1.3 ftp netmask 255.255.255.255 0 0


--Hammer--


On 8/4/2010 10:29 AM, Kingsley Charles wrote:
I am also thinking on the same line. Just wanted to confirm, if it's a feature?


With regards
Kings

On Wed, Aug 4, 2010 at 8:57 PM, --Hammer-- <[email protected]> wrote:

    Isn't that "less specific rule first" being allowed and that is
    why Try 2 works? I'm asking more than telling.

    --Hammer--


    On 8/4/2010 10:23 AM, Kingsley Charles wrote:
    Hi all

    If you check out Try 1, I am not able to static PAT with
    10.20.30.40 as there is a static rule for 10.20.30.40. But
    if I try in the reverse order, ASA accepts.
    Does that mean static rules are executed in order? Hence with Try
    2 the static PAT is matched first and then static rule is matched
    or is it a bug?




    *Try 1*

    asa(config)# static (inside,outisde) 1.2.3.4 10.20.30.40
    asa(config)# static (inside,outisde) tcp 1.2.3.4 telnet 10.20.30.40 telnet ne$
    ERROR: mapped-address conflict with existing static
      inside:10.20.30.40 to outisde:1.2.3.4 netmask 255.255.255.255

    asa(config)# sh run static
    static (inside,outisde) 1.2.3.4 10.20.30.40 netmask 255.255.255.255





    *Try 2*


    asa(config)# static (inside,outisde) tcp 1.2.3.4 23 10.20.30.40 23
    asa(config)# static (inside,outisde) 1.2.3.4 10.20.30.40

    asa(config)# sh run static
    static (inside,outisde) tcp 1.2.3.4 telnet 10.20.30.40 telnet netmask 255.255.255.255
    static (inside,outisde) 1.2.3.4 10.20.30.40 netmask 255.255.255.255



    With regards
    Kings





    _______________________________________________
    For more information regarding industry leading CCIE Lab training, please
    visit www.ipexpert.com <http://www.ipexpert.com>
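
An added example, not part of the original thread and not Cisco code: a small reviewer's check that reads "sh run static" output and reports every case where a whole-address static and a per-port static share the same mapped address, along with which was configured first. It only reports the overlap and the order; it does not model how the ASA evaluates the rules. Assumptions: one rule per line (unwrapped), the function names are hypothetical, and the port-name table covers only the names used in this thread.

```python
import re
from collections import defaultdict

# Constructed sample: the "sh run static" output from Try 2, one rule per line.
SAMPLE = """\
static (inside,outisde) tcp 1.2.3.4 telnet 10.20.30.40 telnet netmask 255.255.255.255
static (inside,outisde) 1.2.3.4 10.20.30.40 netmask 255.255.255.255
"""

PORT_NAMES = {"telnet": "23", "ftp": "21"}  # only the names used in this thread

# static (real_if,mapped_if) [tcp|udp] mapped_ip [mapped_port] real_ip [real_port] ...
RULE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+"
    r"(?:(?P<proto>tcp|udp)\s+(?P<mip>\S+)\s+(?P<mport>\S+)\s+(?P<rip>\S+)\s+\S+"
    r"|(?P<mip2>\d\S*)\s+(?P<rip2>\S+))")

def parse_statics(text):
    """Return static rules in configuration order (hypothetical helper)."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue
        rule = {"order": len(rules), "mapped_if": m["mapped_if"]}
        if m["proto"]:  # static PAT: one protocol/port on the mapped address
            port = PORT_NAMES.get(m["mport"], m["mport"])
            rule.update(kind="pat", mapped=m["mip"], real=m["rip"],
                        service=f"{m['proto']}/{port}")
        else:           # static NAT: the whole mapped address
            rule.update(kind="nat", mapped=m["mip2"], real=m["rip2"])
        rules.append(rule)
    return rules

def find_overlaps(rules):
    """Pair every static NAT with each static PAT on the same mapped address."""
    groups = defaultdict(list)
    for r in rules:
        groups[(r["mapped_if"], r["mapped"])].append(r)
    findings = []
    for group in groups.values():
        for nat in (r for r in group if r["kind"] == "nat"):
            for pat in (r for r in group if r["kind"] == "pat"):
                findings.append({"mapped": nat["mapped"], "service": pat["service"],
                                 "pat_first": pat["order"] < nat["order"],
                                 "same_real": pat["real"] == nat["real"]})
    return findings

if __name__ == "__main__":
    for f in find_overlaps(parse_statics(SAMPLE)):
        print(f)
```
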
