But that conflicts with the example at the bottom. The order in which
they are configured dictates whether both entries are actually allowed
or not. Am I missing something?
--Hammer--
On 8/4/2010 11:42 AM, Tyson Scott wrote:
The order of operations is this:
The ASA checks the static NAT/PAT entries in sequential order.
Meaning they both have the same precedence, so the order is
determined by configuration order.
The sequential order is the order they are configured on the ASA.
This should answer your questions.
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected] <mailto:[email protected]>
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
<http://www.ipexpert.com/chat>
eFax: +1.810.454.0130
IPexpert is a premier provider of Self-Study Workbooks, Video on
Demand, Audio Tools, Online Hardware Rental and Classroom Training for
the Cisco CCIE (R&S, Voice, Security & Service Provider)
certification(s) with training locations throughout the United States,
Europe, South Asia and Australia. Be sure to visit our online
communities at www.ipexpert.com/communities
<http://www.ipexpert.com/communities> and our public website at
www.ipexpert.com <http://www.ipexpert.com/>
*From:* [email protected] [mailto:[email protected]] *On Behalf Of* --Hammer--
*Sent:* Wednesday, August 04, 2010 11:54 AM
*To:* Kingsley Charles
*Cc:* [email protected]
*Subject:* Re: [OSL | CCIE_Security] static nat order
So it's not in the NAT order of operations guide on CCO. But I did
find an example where something similar was used.
I think the idea is that you can do a per-port NAT (not PAT/overload)
to different IPs or the same, as long as the more specific (think ACL
operations) statics are applied first. If anyone has something clearly
stating this I would love to see it.
MIGHT REQUIRE CCO ACCESS
http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml
static (inside,outside) tcp 172.18.124.99 telnet 10.1.1.6 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp 172.18.124.99 ftp 10.1.1.3 ftp netmask 255.255.255.255 0 0
--Hammer--
On 8/4/2010 10:29 AM, Kingsley Charles wrote:
I am also thinking along the same lines. Just wanted to confirm whether
it's a feature.
With regards
Kings
On Wed, Aug 4, 2010 at 8:57 PM, --Hammer-- <[email protected]> wrote:
Isn't that "less specific rule first" being allowed and that is why
Try 2 works? I'm asking more than telling.
--Hammer--
On 8/4/2010 10:23 AM, Kingsley Charles wrote:
Hi all
If you check out Try 1, I am not able to static PAT with
10.20.30.40 as there is already a static rule with 10.20.30.40. But if
I try in the reverse order, the ASA accepts it.
Does that mean static rules are executed in order? Hence with Try
2 the static PAT is matched first and then the static rule is matched,
or is it a bug?
*Try 1*
asa(config)# static (inside,outisde) 1.2.3.4 10.20.30.40
asa(config)# static (inside,outisde) tcp 1.2.3.4 telnet 10.20.30.40 telnet ne$
ERROR: mapped-address conflict with existing static inside:10.20.30.40 to outisde:1.2.3.4 netmask 255.255.255.255
asa(config)# sh run static
static (inside,outisde) 1.2.3.4 10.20.30.40 netmask 255.255.255.255
*Try 2*
asa(config)# static (inside,outisde) tcp 1.2.3.4 23 10.20.30.40 23
asa(config)# static (inside,outisde) 1.2.3.4 10.20.30.40
asa(config)# sh run static
static (inside,outisde) tcp 1.2.3.4 telnet 10.20.30.40 telnet netmask 255.255.255.255
static (inside,outisde) 1.2.3.4 10.20.30.40 netmask 255.255.255.255
With regards
Kings
With regards
Kings
_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com <http://www.ipexpert.com>
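A Python model of the configured-order, first-match behaviour the thread arrives at, added here as an illustration; it is not code from the list, from Cisco, or from the ASA itself. It rejects a static as shadowed (the "mapped-address conflict" seen in Try 1) when an earlier entry already catches every packet the new one could match, and it goes one step beyond the thread by pointing the per-port statics at different real hosts as in the Cisco example; the shadowing rule is an assumption drawn from the observed behaviour, and 10.1.1.9 as the catch-all host is a constructed value.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Static:
    mapped_ip: str
    real_ip: str
    proto: Optional[str] = None  # None: plain 1:1 static, all protocols and ports
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None

    def matches(self, dst_ip: str, proto: str, dport: int) -> bool:
        if dst_ip != self.mapped_ip:
            return False
        if self.proto is None:  # a 1:1 static catches every protocol and port
            return True
        return proto == self.proto and dport == self.mapped_port

    def shadows(self, other: "Static") -> bool:
        # True if every packet 'other' could match is already caught by self
        if self.mapped_ip != other.mapped_ip:
            return False
        if self.proto is None:  # an earlier 1:1 static hides any later port static
            return True
        return (self.proto, self.mapped_port) == (other.proto, other.mapped_port)

class StaticTable:
    # Statics evaluated in configuration order, first match wins (assumed model)
    def __init__(self) -> None:
        self.entries: List[Static] = []

    def add(self, s: Static) -> None:
        for e in self.entries:
            if e.shadows(s):  # 's' could never be hit: reject it, as the ASA did
                raise ValueError(f"mapped-address conflict with existing static inside:{e.real_ip} to outside:{e.mapped_ip}")
        self.entries.append(s)

    def translate(self, dst_ip: str, proto: str, dport: int) -> Optional[Tuple[str, int]]:
        for e in self.entries:
            if e.matches(dst_ip, proto, dport):
                return e.real_ip, (e.real_port if e.real_port is not None else dport)
        return None  # no static matched

def cisco_style_table() -> StaticTable:
    # Per-port statics first (hosts from the Cisco example), then a constructed catch-all
    t = StaticTable()
    t.add(Static("172.18.124.99", "10.1.1.6", "tcp", 23, 23))
    t.add(Static("172.18.124.99", "10.1.1.3", "tcp", 21, 21))
    t.add(Static("172.18.124.99", "10.1.1.9"))  # 10.1.1.9 is a constructed host
    return t
```

Building the table in the opposite order (catch-all first) raises the same conflict as Try 1, which is the ordering point the thread is making.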