That's strange because mine just keeps on throwing up that error message and I can't get it to work.

On Tue, Dec 7, 2010 at 9:18 PM, wale ogunyemi <[email protected]> wrote:

> Here are my configs from my live ASA
>
> NibbsFire(config)# show run | inc TEST
> access-list TEST extended permit tcp host 10.10.10.10 host 1.1.1.1 eq telnet
> static (inside,outside) 10.3.3.3 access-list TEST
>
> ------------------------------
> *From:* Mark Senteza <[email protected]>
> *To:* wale ogunyemi <[email protected]>
> *Sent:* Wed, December 8, 2010 5:52:15 AM
> *Subject:* Re: [OSL | CCIE_Security] Policy NAT on ASA
>
> How did you get it to work? I'm still getting the same error message:
>
> access-list POLICY-NAT extended permit tcp host 10.1.1.1 host 10.3.3.3 eq telnet
> ASA(config)# static (inside,outside) 10.3.3.33 access-list POLICY-NAT
> ERROR: Protocol mismatch between the static and access-list
>
> On Tue, Dec 7, 2010 at 8:34 PM, wale ogunyemi <[email protected]> wrote:
>
>> You are actually right... but we can still restrict the access-list to
>> match only telnet traffic, and then use
>>
>> access-list POLICY-NAT permit tcp host 10.1.1.1 host 10.3.3.3 eq telnet
>> static (inside,outside) 10.3.3.33 access-list POLICY-NAT
>>
>> I just tested it now and it worked.
>>
>> ------------------------------
>> *From:* Mark Senteza <[email protected]>
>> *To:* wale ogunyemi <[email protected]>
>> *Sent:* Wed, December 8, 2010 5:16:29 AM
>> *Subject:* Re: [OSL | CCIE_Security] Policy NAT on ASA
>>
>> Wale,
>>
>> I can't do it that way. I always get a "protocol mismatch" error message,
>> as follows:
>>
>> ASA(config)# access-list POLICY-NAT ext permit ip host 10.1.1.1 host 10.3.3.3
>> ASA(config)# static (inside,outside) tcp 10.3.3.33 23 access-list POLICY-NAT
>> ERROR: Protocol mismatch between the static and access-list
>>
>> Or when I try this:
>>
>> ASA(config)# access-list POLICY-NAT ext permit tcp host 10.1.1.1 host 10.3.3.3
>> ASA(config)# static (inside,outside) tcp 10.3.3.33 23 access-list POLICY-NAT
>> ERROR: Missing local port in access-list used in static pat
>> ASA(config)#
>>
>> It seems that if not given restrictions on how to configure it, then Option A
>> is always the way to go.
>>
>> Mark
>>
>> On Tue, Dec 7, 2010 at 8:05 PM, wale ogunyemi <[email protected]> wrote:
>>
>>> Option A is the best solution, but if you are told not to use the nat and
>>> global commands to achieve this then Option B will be used. You still
>>> have to specify the tcp keyword to be correct, because the way you have
>>> used your access-list will affect any other traffic other than telnet. The
>>> command set will be like this:
>>>
>>> static (inside,outside) tcp 192.168.6.61 23 access-list POLICY-NAT 23
>>>
>>> This should be more appropriate.
>>>
>>> ------------------------------
>>> *From:* Mark Senteza <[email protected]>
>>> *To:* [email protected]
>>> *Sent:* Wed, December 8, 2010 12:23:37 AM
>>> *Subject:* [OSL | CCIE_Security] Policy NAT on ASA
>>>
>>> Hi again everyone.
>>>
>>> A question about Policy NAT on the ASA, and the best option to pick. With
>>> Policy NAT I can use either one of the following options.
>>>
>>> What I'm trying to accomplish is that from Router R1, when I telnet to
>>> Router R4's loopback0 (10.4.4.4) using the R1 loopback0 interface
>>> (10.1.1.1), I should get the address translated to 192.168.6.61. But if I
>>> telnet from any other interface, I should get translated to 192.168.6.62.
>>>
>>> *Option A*
>>>
>>> access-list POLICY-NAT1 extended permit ip host 10.1.1.1 host 10.4.4.4 eq telnet
>>> access-list POLICY-NAT2 extended permit ip any host 10.4.4.4 eq telnet
>>>
>>> nat (inside) 1 access-list POLICY-NAT1
>>> global (outside) 1 192.168.6.61
>>>
>>> nat (inside) 2 access-list POLICY-NAT2
>>> global (outside) 2 192.168.6.62
>>>
>>> *Option B*
>>>
>>> access-list POLICY-NAT1 extended permit ip host 10.1.1.1 host 10.4.4.4
>>> access-list POLICY-NAT2 extended permit ip any host 10.4.4.4
>>>
>>> static (inside,outside) 192.168.6.61 access-list POLICY-NAT1
>>> static (inside,outside) 192.168.6.62 access-list POLICY-NAT2
>>>
>>> I use Option A because I can be specific in defining the traffic from
>>> source to host as telnet traffic. With Option B I cannot, and even though
>>> when I do telnet I get translated to the IP I'm requested to get translated
>>> to, I also get translated to that same IP for all other traffic coming from
>>> host 10.1.1.1 to host 10.4.4.4. The question only specifies telnet, not any
>>> other traffic, so I guess I couldn't care less about what happens to it,
>>> just as long as the traffic in question gets translated.
>>>
>>> If presented with a question like this in the lab, and not told to use
>>> one way or the other, would Option A be the best solution to provide, seeing
>>> that it's as specific as can possibly get?
>>>
>>> Mark
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
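Editor's added example, not part of the thread: Option A from the original question with the protocol fixed and a verification step. `permit ip ... eq telnet` is not valid ASA ACL syntax (a port operator needs tcp or udp), which is the "tcp keyword" point Wale raises. The addresses, interface names and NAT IDs are the thread's; the syntax is the 8.2-era nat/global form the thread uses. The second source address (10.1.12.1) is a hypothetical non-loopback R1 address, and source port 1025 is an arbitrary ephemeral port for the check. The `packet-tracer` and `show xlate` lines are exec-mode checks, not configuration.

```cisco
! Most specific rule first: on this code policy dynamic NAT (nat with an
! access-list) is matched in configuration order, and POLICY-NAT2 would also
! match 10.1.1.1 if it came first.
access-list POLICY-NAT1 extended permit tcp host 10.1.1.1 host 10.4.4.4 eq telnet
access-list POLICY-NAT2 extended permit tcp any host 10.4.4.4 eq telnet
!
nat (inside) 1 access-list POLICY-NAT1
global (outside) 1 192.168.6.61
!
nat (inside) 2 access-list POLICY-NAT2
global (outside) 2 192.168.6.62
!
! Verify which rule a flow hits before testing from the routers. The NAT
! phase of the packet-tracer output shows which nat/global pair, if any,
! matched the flow.
! Telnet from R1 loopback0 (should hit nat id 1 -> 192.168.6.61):
packet-tracer input inside tcp 10.1.1.1 1025 10.4.4.4 23
! Telnet from a hypothetical other R1 address (should hit nat id 2 -> 192.168.6.62):
packet-tracer input inside tcp 10.1.12.1 1025 10.4.4.4 23
!
! Non-telnet traffic from 10.1.1.1 to 10.4.4.4 should match neither rule:
packet-tracer input inside tcp 10.1.1.1 1025 10.4.4.4 80
packet-tracer input inside icmp 10.1.1.1 8 0 10.4.4.4
!
! After a real telnet from R1, the active translation is listed here:
show xlate
```

With the ACLs narrowed to tcp/23, traffic from 10.1.1.1 to 10.4.4.4 on any other port or protocol no longer matches either policy NAT rule. On an ASA with the default `no nat-control`, such traffic is forwarded untranslated rather than dropped, so if the lab expects it to be translated or blocked as well, that needs its own statement.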
