Thanks Kings, it was helpful to understand.

Thanks Bobby

Kind Regards
Manish

On Sun, Nov 21, 2010 at 8:16 PM, Kingsley Charles <[email protected]> wrote:

> In the access-list, first IP is the inside and second IP is outside.
>
> Snippet from
> http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1042478
>
> For policy static NAT (and for NAT exemption, which also uses an access
> list to identify traffic), you can initiate traffic to and from the real
> host. However, the destination address in the access list is only used for
> traffic initiated by the real host. For traffic *to* the real host from
> the destination network, the source address is not checked, and the first
> matching NAT rule for the real host address is used. So if you configure
> static policy NAT such as the following:
>
>
> With regards
> Kings
>
> On Sun, Nov 21, 2010 at 4:45 PM, manish ludhani <[email protected]> wrote:
>
>> L10 10.10.10.10
>> |
>> R1(1.1.1.10)--------(1.1.1.1)FW------------R2---L3 3.3.3.3
>> |
>> L20 20.20.20.20
>>
>> access-list LO10 extended permit ip host 3.3.3.3 host 10.10.10.10
>> access-list LO20 extended permit ip host 3.3.3.3 host 20.20.20.20
>>
>> static (INSIDE,OUTSIDE) 1.1.1.3 access-list LO10
>> static (INSIDE,OUTSIDE) 1.1.1.4 access-list LO20
>>
>> When I initiate a ping from R2 sourced from L3 to L10 or L20, it works fine
>> as expected.
>>
>> However, when I initiate a ping from R1 sourced from any, it just uses the
>> xlate and does not consider the access list.
>>
>> Global 1.1.1.3 Local 3.3.3.3
>> Global 1.1.1.4 Local 3.3.3.3
>>
>> However, my understanding was that the second IP in the access list should
>> be either the source or the destination in order to do the translation, so
>> from R1 a ping sourced from L10 to 1.1.1.3 and from L20 to 1.1.1.4 should be
>> translated; the rest should not.
>>
>> http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_static.html#wp1074755
>>
>> “Identify the real addresses and destination/source addresses using an
>> extended access list. Create the extended access list using the access-list
>> extended command. The first address in the access list is the real
>> address; the second address is either the source or destination address,
>> depending on where the traffic originates.”
>>
>> Can anyone please explain?
>>
>> Thanks
>>
>> Kind Regards
>> Manish
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
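
Added example, not part of the original thread and not ASA code: a simplified Python model of the lookup behaviour described in the Cisco snippet Kingsley quotes, using the addresses from Manish's configuration. The class and function names are hypothetical, and the model assumes host-to-host access lists only.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PolicyStatic:
    mapped: str  # global address presented on OUTSIDE
    real: str    # first address in the access list (real host on INSIDE)
    peer: str    # second address in the access list

# The two policy statics from the thread, in configuration order.
RULES = [
    PolicyStatic(mapped="1.1.1.3", real="3.3.3.3", peer="10.10.10.10"),  # LO10
    PolicyStatic(mapped="1.1.1.4", real="3.3.3.3", peer="20.20.20.20"),  # LO20
]

def translate_outbound(src: str, dst: str, rules=RULES) -> Optional[str]:
    """Real host initiates: both ACL addresses must match to pick a mapping."""
    for rule in rules:
        if rule.real == src and rule.peer == dst:
            return rule.mapped
    return None  # no policy static applies to this flow

def untranslate_inbound(src: str, dst: str, rules=RULES) -> Optional[str]:
    """Outside initiates: only the mapped address is looked up.
    The source is not compared with the ACL's second address."""
    for rule in rules:
        if rule.mapped == dst:
            return rule.real
    return None

def unexpected_sources(mapped: str, sources, rules=RULES):
    """Sources that reach the real host through `mapped` although the
    access list for that mapping names a different peer."""
    peers = {r.peer for r in rules if r.mapped == mapped}
    return [s for s in sources
            if untranslate_inbound(s, mapped, rules) and s not in peers]

if __name__ == "__main__":
    # Constructed sample sources: R1's interface and its two loopbacks.
    for s in ("1.1.1.10", "10.10.10.10", "20.20.20.20"):
        print(s, "-> 1.1.1.3 reaches", untranslate_inbound(s, "1.1.1.3"))
```

Because the policy NAT access list does not filter inbound sources, any restriction on who may reach 1.1.1.3 or 1.1.1.4 has to come from the access list applied to the OUTSIDE interface.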
