Option A is the best solution, but if you are told not to use the nat and global commands to achieve this then Option B will be used. You still have to specify the tcp keyword to be correct, because the way you have used your access-list will affect any other traffic other than telnet. The command set will be like this:

static (inside,outside) tcp 192.168.6.61 23 access-list POLICY-NAT 23

This should be more appropriate.

________________________________
From: Mark Senteza <[email protected]>
To: [email protected]
Sent: Wed, December 8, 2010 12:23:37 AM
Subject: [OSL | CCIE_Security] Policy NAT on ASA

Hi again everyone.

A question about Policy NAT on the ASA, and the best option to pick. With Policy NAT I can use either one of the following options.

What I'm trying to accomplish is that from Router R1, when I telnet to Router R4's loopback0 (10.4.4.4) using the R1 loopback0 interface (10.1.1.1), I should get the address translated to 192.168.6.61. But if I telnet from any other interface, I should get translated to 192.168.6.62.

Option A

access-list POLICY-NAT1 extended permit ip host 10.1.1.1 host 10.4.4.4 eq telnet
access-list POLICY-NAT2 extended permit ip any host 10.4.4.4 eq telnet
nat (inside) 1 access-list POLICY-NAT1
global (outside) 1 192.168.6.61
nat (inside) 2 access-list POLICY-NAT2
global (outside) 2 192.168.6.62

Option B

access-list POLICY-NAT1 extended permit ip host 10.1.1.1 host 10.4.4.4
access-list POLICY-NAT2 extended permit ip any host 10.4.4.4
static (inside,outside) 192.168.6.61 access-list POLICY-NAT1
static (inside,outside) 192.168.6.62 access-list POLICY-NAT2

I use Option A because I can be specific with defining the traffic from source to host as telnet traffic. With Option B I cannot, and even though when I do telnet I get translated to the IP I'm requested to get translated to, I also get translated to that same IP for all other traffic coming from host 10.1.1.1 to host 10.4.4.4. The question only specifies telnet, not any other traffic, so I guess I could care or care less about what happens to it just as long as the traffic in question gets translated.

If presented with a question like this in the lab, and not told to use one way or the other, would Option A be the best solution to provide, seeing that it's as specific as can possibly get?

Mark
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
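Added illustration, not part of the thread and not Cisco code: a small Python model of why the access-list's protocol field decides what a policy NAT rule catches. It assumes a simplified first-match evaluation of policy rules, uses the addresses from the thread, and compares an ACL written with the tcp keyword and eq 23 (as the reply recommends) against one written with permit ip (as in Option B). The Flow, Ace, PolicyNat and side_by_side names are my own.

```python
"""Simplified model of policy NAT matching on an ASA-style access-list.

Added illustration, not Cisco code: the ACL decides which flows a policy
NAT rule catches, so 'permit ip' versus 'permit tcp ... eq 23' changes
what gets translated, independent of whether nat/global or static is used.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

TELNET = 23


@dataclass(frozen=True)
class Flow:
    src: str            # source IP as a string
    dst: str            # destination IP
    proto: str          # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port for tcp/udp


@dataclass(frozen=True)
class Ace:
    """One 'permit' entry of an extended access-list (deny entries omitted)."""
    proto: str          # "ip" matches any protocol; otherwise exact match
    src: str            # host address or "any"
    dst: str            # host address or "any"
    dport: Optional[int] = None   # 'eq <port>' qualifier, tcp/udp only

    def matches(self, f: Flow) -> bool:
        if self.proto != "ip" and self.proto != f.proto:
            return False
        if self.src != "any" and self.src != f.src:
            return False
        if self.dst != "any" and self.dst != f.dst:
            return False
        if self.dport is not None and self.dport != f.dport:
            return False
        return True


@dataclass(frozen=True)
class PolicyNat:
    """A policy NAT rule: translate to `mapped` when `acl` permits the flow."""
    acl: Tuple[Ace, ...]
    mapped: str


def translate(rules: Tuple[PolicyNat, ...], flow: Flow) -> Optional[str]:
    """Return the mapped address of the first rule whose ACL permits the flow.

    First match wins in this model, so the more specific rule (host 10.1.1.1)
    must be listed before the catch-all (any). None means no policy rule applies.
    """
    for rule in rules:
        if any(ace.matches(flow) for ace in rule.acl):
            return rule.mapped
    return None


# Constructed from the addresses in the thread. The "telnet-only" variant
# uses the tcp keyword the reply recommends; the "ip" variant matches every
# protocol between the two hosts, which is what Option B does.
TELNET_ONLY = (
    PolicyNat((Ace("tcp", "10.1.1.1", "10.4.4.4", TELNET),), "192.168.6.61"),
    PolicyNat((Ace("tcp", "any", "10.4.4.4", TELNET),), "192.168.6.62"),
)
IP_ANY_PROTO = (
    PolicyNat((Ace("ip", "10.1.1.1", "10.4.4.4"),), "192.168.6.61"),
    PolicyNat((Ace("ip", "any", "10.4.4.4"),), "192.168.6.62"),
)


def side_by_side(flow: Flow) -> Tuple[Optional[str], Optional[str]]:
    """Mapped address under the telnet-only ACL and under the permit-ip ACL."""
    return translate(TELNET_ONLY, flow), translate(IP_ANY_PROTO, flow)


if __name__ == "__main__":
    # Constructed sample flows: telnet from the loopback, telnet from another
    # interface, then SSH and ICMP from the loopback.
    samples = [
        Flow("10.1.1.1", "10.4.4.4", "tcp", TELNET),
        Flow("10.1.1.5", "10.4.4.4", "tcp", TELNET),
        Flow("10.1.1.1", "10.4.4.4", "tcp", 22),
        Flow("10.1.1.1", "10.4.4.4", "icmp"),
    ]
    for f in samples:
        print(f, "->", side_by_side(f))
```

Running it shows both ACLs agree for telnet (the loopback gets .61, any other source gets .62), but for SSH or ICMP from 10.1.1.1 the permit-ip ACL still pulls the flow into the .61 translation while the tcp eq 23 ACL leaves it alone. That is the side effect the reply is warning about, and it applies equally to a static policy rule and to a nat/global pair.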
