Hi again everyone. A question about Policy NAT on the ASA, and the best option to pick. With Policy NAT I can use either one of the following options:
What I'm trying to accomplish is that from Router R1, when I telnet to Router R4's loopback0 (10.4.4.4) using the R1 loopback0 interface (10.1.1.1), I should get the address translated to 192.168.6.61. But if I telnet from any other interface, I should get translated to 192.168.6.62.

*Option A*

access-list POLICY-NAT1 extended permit tcp host 10.1.1.1 host 10.4.4.4 eq telnet
access-list POLICY-NAT2 extended permit tcp any host 10.4.4.4 eq telnet
nat (inside) 1 access-list POLICY-NAT1
global (outside) 1 192.168.6.61
nat (inside) 2 access-list POLICY-NAT2
global (outside) 2 192.168.6.62

*Option B*

access-list POLICY-NAT1 extended permit ip host 10.1.1.1 host 10.4.4.4
access-list POLICY-NAT2 extended permit ip any host 10.4.4.4
static (inside,outside) 192.168.6.61 access-list POLICY-NAT1
static (inside,outside) 192.168.6.62 access-list POLICY-NAT2

I use Option A because I can be specific with defining the traffic from source to host as telnet traffic. With Option B I cannot, and even though when I do telnet I get translated to the IP I'm requested to get translated to, I also get translated to that same IP for all other traffic coming from host 10.1.1.1 to host 10.4.4.4. The question only specifies telnet, not any other traffic, so I guess I could care or care less about what happens to it just as long as the traffic in question gets translated.

If presented with a question like this in the lab, and not told to use one way or the other, would Option A be the best solution to provide, seeing that it's as specific as it can possibly get?

Mark
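As an added illustration (not part of the original post, and not Cisco code), the sketch below models the two ACL pairs from Option A and Option B as ordered rule lists and shows which flows each option would translate. The first-match evaluation in configuration order, the second source address 10.1.12.1 (standing in for another R1 interface) and all function names are assumptions; Option A's ACLs are modelled as TCP port 23 matches.

```python
from ipaddress import ip_address, ip_network

TELNET = 23

# Rule: (source net, destination net, protocol or None, dest port or None, mapped IP)
# None means "any", which is how "permit ip" is modelled.
OPTION_A = [
    ("10.1.1.1/32", "10.4.4.4/32", "tcp", TELNET, "192.168.6.61"),  # POLICY-NAT1
    ("0.0.0.0/0", "10.4.4.4/32", "tcp", TELNET, "192.168.6.62"),    # POLICY-NAT2
]
OPTION_B = [
    ("10.1.1.1/32", "10.4.4.4/32", None, None, "192.168.6.61"),     # POLICY-NAT1
    ("0.0.0.0/0", "10.4.4.4/32", None, None, "192.168.6.62"),       # POLICY-NAT2
]


def translate(rules, src, dst, proto, dport=None):
    """Return the mapped address of the first matching rule, or None."""
    for r_src, r_dst, r_proto, r_port, mapped in rules:
        if ip_address(src) not in ip_network(r_src):
            continue
        if ip_address(dst) not in ip_network(r_dst):
            continue
        if r_proto is not None and r_proto != proto:
            continue
        if r_port is not None and r_port != dport:
            continue
        return mapped
    return None  # neither policy rule applies to this flow


# Constructed sample flows: (source, destination, protocol, destination port)
FLOWS = [
    ("10.1.1.1", "10.4.4.4", "tcp", TELNET),   # telnet sourced from R1 loopback0
    ("10.1.12.1", "10.4.4.4", "tcp", TELNET),  # telnet from a hypothetical other interface
    ("10.1.1.1", "10.4.4.4", "icmp", None),    # ping sourced from R1 loopback0
    ("10.1.1.1", "10.4.4.4", "tcp", 80),       # non-telnet TCP from R1 loopback0
]


def compare(flows):
    """Pair each flow with its Option A and Option B result."""
    return [(f, translate(OPTION_A, *f), translate(OPTION_B, *f)) for f in flows]


if __name__ == "__main__":
    for flow, a, b in compare(FLOWS):
        print(flow, "| Option A ->", a, "| Option B ->", b)
```

A result of `None` only means that neither of the two policy rules matched; what happens to that flow then depends on the rest of the NAT configuration.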
