When you specify tcp in the access-list and try to associate it to the static rule, the ASA will give the following error. It's because by default the "IP" protocol is considered for translation.
When you have TCP or UDP in the access-list, then it is a protocol mismatch, as the ASA expects IP. The TCP or UDP based access-list should be used for static PAT only.

asa2(config)# access-list 123 permit tcp any any eq 23
asa2(config)# static (inside,outside) 1.2.3.4 access-list 132
asa2(config)# static (inside,outside) 1.2.3.4 access-list 123
ERROR: Protocol mismatch between the static and access-list
asa2(config)# static (inside,outside) 1.2.3.4 access-list 132
ERROR: Protocol mismatch between the static and access-list

The following will work, which is static PAT.

asa2(config)# access-list 312 permit tcp host 10.20.30.40 eq 23 any
asa2(config)# static (inside,outside) tcp 1.2.3.4 23 access-list 312

Hence option A should be the right answer, and I guess that is the solution in Yusuf's lab.

With regards
Kings

On Wed, Dec 8, 2010 at 9:35 AM, wale ogunyemi <[email protected]> wrote:

> Option A is the best solution, but if you are told not to use the nat and
> global command to achieve this then Option B will be used, but you still
> have to specify the tcp keyword to be correct, because the way you have
> used your access-list will affect any other traffic other than telnet. The
> command set will be like this:
>
> static (inside,outside) tcp 192.168.6.61 23 access-list POLICY-NAT 23
>
> This should be more appropriate.
>
> ------------------------------
> *From:* Mark Senteza <[email protected]>
> *To:* [email protected]
> *Sent:* Wed, December 8, 2010 12:23:37 AM
> *Subject:* [OSL | CCIE_Security] Policy NAT on ASA
>
> Hi again everyone.
>
> A question about Policy NAT on the ASA, and the best option to pick. With
> Policy NAT I can use either one of the following options:
>
> What I'm trying to accomplish is that from Router R1, when I telnet to
> Router R4's loopback0 (10.4.4.4) using the R1 loopback0 interface
> (10.1.1.1), I should get the address translated to 192.168.6.61.
> But if I telnet from any other interface, I should get translated to
> 192.168.6.62.
>
> *Option A*
>
> access-list POLICY-NAT1 extended permit ip host 10.1.1.1 host 10.4.4.4 eq telnet
> access-list POLICY-NAT2 extended permit ip any host 10.4.4.4 eq telnet
>
> nat (inside) 1 access-list POLICY-NAT1
> global (outside) 1 192.168.6.61
>
> nat (inside) 2 access-list POLICY-NAT2
> global (outside) 2 192.168.6.62
>
> *Option B*
>
> access-list POLICY-NAT1 extended permit ip host 10.1.1.1 host 10.4.4.4
> access-list POLICY-NAT2 extended permit ip any host 10.4.4.4
>
> static (inside,outside) 192.168.6.61 access-list POLICY-NAT1
> static (inside,outside) 192.168.6.62 access-list POLICY-NAT2
>
> I use Option A because I can be specific with defining the traffic from
> source to host as telnet traffic. With Option B I cannot, and even though
> when I do telnet I get translated to the IP I'm requested to get translated
> to, I also get translated to that same IP for all other traffic coming from
> host 10.1.1.1 to host 10.4.4.4. The question only specifies telnet, not any
> other traffic, so I guess I could care or care less about what happens to it,
> just as long as the traffic in question gets translated.
>
> If presented with a question like this in the lab, and not told to use one
> way or the other, would Option A be the best solution to provide, seeing
> that it's as specific as can possibly get?
>
> Mark
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
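A small Python model of the matching behaviour the thread discusses, added here and not part of the thread or of any Cisco code: it encodes Mark's Option A and Option B as posted (taking "ip ... eq telnet" literally as a destination-port filter), reproduces the "Protocol mismatch" check from Kings' session, and shows that Option B's plain ip access-lists also carry a non-telnet flow from 10.1.1.1 to 192.168.6.61. The flow names, the 10.1.12.1 source address and the SSH flow are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

def ace(proto, src, dst, dport=None):
    """One ACL entry; 'any' means 0.0.0.0/0, anything else is a /32 host."""
    net = lambda a: ip_network("0.0.0.0/0" if a == "any" else f"{a}/32")
    return {"proto": proto, "src": net(src), "dst": net(dst), "dport": dport}

def static_rule(mapped, acl, proto=None):
    """'static (inside,outside) [tcp] MAPPED access-list ACL'. As Kings' session
    shows, a plain static only accepts an 'ip' ACL, a static PAT one of its own protocol."""
    if any(e["proto"] != (proto or "ip") for e in acl):
        raise ValueError("ERROR: Protocol mismatch between the static and access-list")
    return {"mapped": mapped, "acl": acl}

def nat_global_rule(mapped, acl):
    # 'nat (inside) N access-list ACL' paired with 'global (outside) N MAPPED'; no protocol check.
    return {"mapped": mapped, "acl": acl}

def matches(e, flow):
    return (e["proto"] in ("ip", flow["proto"])
            and ip_address(flow["src"]) in e["src"] and ip_address(flow["dst"]) in e["dst"]
            and (e["dport"] is None or e["dport"] == flow["dport"]))

def translate(rules, flow):
    """Mapped address of the first rule whose ACL permits the flow, else None."""
    return next((r["mapped"] for r in rules if any(matches(e, flow) for e in r["acl"])), None)

# Option A (nat/global, port-qualified) and Option B (static, plain ip ACLs), as Mark posted them.
OPTION_A = [nat_global_rule("192.168.6.61", [ace("ip", "10.1.1.1", "10.4.4.4", 23)]),
            nat_global_rule("192.168.6.62", [ace("ip", "any", "10.4.4.4", 23)])]
OPTION_B = [static_rule("192.168.6.61", [ace("ip", "10.1.1.1", "10.4.4.4")]),
            static_rule("192.168.6.62", [ace("ip", "any", "10.4.4.4")])]

# Constructed flows: R1 lo0 telnet, R1 lo0 SSH (port 22), telnet from an assumed other R1 address.
FLOWS = {"lo0_telnet": {"proto": "tcp", "src": "10.1.1.1", "dst": "10.4.4.4", "dport": 23},
         "lo0_ssh": {"proto": "tcp", "src": "10.1.1.1", "dst": "10.4.4.4", "dport": 22},
         "other_telnet": {"proto": "tcp", "src": "10.1.12.1", "dst": "10.4.4.4", "dport": 23}}

def compare():
    """{flow: (Option A mapped, Option B mapped)}; B also pulls the SSH flow to .61."""
    return {n: (translate(OPTION_A, f), translate(OPTION_B, f)) for n, f in FLOWS.items()}

def plain_static_rejects_tcp_acl():
    """True when a plain static given a tcp ACL raises the mismatch error."""
    try:
        static_rule("1.2.3.4", [ace("tcp", "any", "any", 23)])
    except ValueError:
        return True
    return False
```

Only the telnet-qualified Option A leaves the SSH flow unmatched; Option B translates it to 192.168.6.61 along with the telnet session.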
