Sure, I know you will use the nat and global commands, but in my own case the
static (inside,outside) 10.3.3.3 access-list TEST
is accepted by the ASA, and the access-list is:
access-list TEST permit tcp host 10.10.10.10 host 1.1.1.1 eq telnet






________________________________
From: Kingsley Charles <[email protected]>
To: wale ogunyemi <[email protected]>
Cc: Mark Senteza <[email protected]>; [email protected]
Sent: Wed, December 8, 2010 6:37:14 AM
Subject: Re: [OSL | CCIE_Security] Policy NAT on ASA

When you specify tcp in the access-list and try to associate it with the static
rule, the ASA will give the following error. It's because by default the "IP"
protocol is considered for translation.

When you have TCP or UDP in the access-list, it is a protocol mismatch, as the
ASA expects IP.


The TCP or UDP based access-list should be used for static PAT only.


asa2(config)# access-list 123 permit tcp any any eq 23
asa2(config)# static (inside,outside) 1.2.3.4 access-list 123
ERROR: Protocol mismatch between the static and access-list


The following will work, which is static PAT.

asa2(config)# access-list 312 permit tcp host 10.20.30.40 eq 23 any
asa2(config)# static (inside,outside) tcp 1.2.3.4 23 access-list 312



Hence option A should be the right answer, and I guess that is the solution in
Yusuf's lab.
With regards
Kings


On Wed, Dec 8, 2010 at 9:35 AM, wale ogunyemi <[email protected]> wrote:


>
>Option A is the best solution, but if you are told not to use the nat and global
>commands to achieve this, then Option B will be used. You still have to specify
>the tcp keyword to be correct, because the way you have used your access-list
>will affect any other traffic other than telnet. The command set will be like
>this:
>
>static (inside,outside) tcp 192.168.6.61 23 access-list POLICY-NAT 23
>
>This should be more appropriate.
>
>
________________________________
From: Mark Senteza <[email protected]>
>To: [email protected]
>Sent: Wed, December 8, 2010 12:23:37 AM
>Subject: [OSL | CCIE_Security] Policy NAT on ASA
>
>
>Hi again everyone.
>
>A question about Policy NAT on the ASA, and the best option to pick. With Policy
>NAT I can use either one of the following options.
>
>What I'm trying to accomplish is that from Router R1, when I telnet to Router
>R4's loopback0 (10.4.4.4) using the R1 loopback0 interface (10.1.1.1), I should
>get the address translated to 192.168.6.61. But if I telnet from any other
>interface, I should get translated to 192.168.6.62.
>
>Option A
>
>access-list POLICY-NAT1 extended permit ip host 10.1.1.1 host 10.4.4.4 eq telnet
>
>access-list POLICY-NAT2 extended permit ip any host 10.4.4.4 eq telnet
>
>nat (inside) 1 access-list POLICY-NAT1
>global (outside) 1 192.168.6.61
>
>nat (inside) 2 access-list POLICY-NAT2
>global (outside) 2 192.168.6.62
>
>
>Option B
>
>access-list POLICY-NAT1 extended permit ip host 10.1.1.1 host 10.4.4.4
>
>access-list POLICY-NAT2 extended permit ip any host 10.4.4.4
>
>static (inside,outside) 192.168.6.61 access-list POLICY-NAT1
>
>static (inside,outside) 192.168.6.62 access-list POLICY-NAT2
>
>
>I use Option A because I can be specific in defining the traffic from source to
>host as telnet traffic. With Option B I cannot, and even though when I do telnet
>I get translated to the IP I'm requested to get translated to, I also get
>translated to that same IP for all other traffic coming from host 10.1.1.1 to
>host 10.4.4.4. The question only specifies telnet, not any other traffic, so I
>guess I could care or care less about what happens to it, just as long as the
>traffic in question gets translated.
>
>If presented with a question like this in the lab, and not told to use one way
>or the other, would option A be the best solution to provide, seeing that it's
>as specific as can possibly get?
>
>Mark
>
>
>_______________________________________________
>For more information regarding industry leading CCIE Lab training, please 
>visit 
>www.ipexpert.com
>
>
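As an added worked example (not from the original thread), here is a complete pre-8.3 ASA configuration for Mark's requirement using nat/global policy NAT, written so that it ties together Kingsley's point about protocol mismatch and Mark's Option A. The ACLs use tcp rather than ip, because "eq telnet" is only legal after tcp or udp; policy dynamic NAT (nat ... access-list) accepts such port-specific ACLs, while a static without the tcp/udp keyword rejects them with the protocol mismatch error shown above. Interface names, security levels, the ASA's own addresses, R1's non-loopback address (10.1.12.1) and R4's outside address (192.168.6.4) are assumptions, not taken from the question.

```cisco
! Added example, not the poster's config. Assumed: ASA 8.2 syntax (nat/global),
! inside facing R1 (R1 at 10.1.12.1, ASA at 10.1.12.10),
! outside facing R4 (R4 at 192.168.6.4, ASA at 192.168.6.10).
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.1.12.10 255.255.255.0
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 192.168.6.10 255.255.255.0
!
! Host routes to both loopbacks (assumed next hops).
route inside 10.1.1.1 255.255.255.255 10.1.12.1
route outside 10.4.4.4 255.255.255.255 192.168.6.4
!
! Policy NAT ACLs. Protocol is tcp, not ip: "eq telnet" is only accepted after
! tcp/udp, and nat ... access-list (unlike static without tcp/udp) allows ports.
access-list POLICY-NAT1 extended permit tcp host 10.1.1.1 host 10.4.4.4 eq telnet
access-list POLICY-NAT2 extended permit tcp any host 10.4.4.4 eq telnet
!
! Policy dynamic NAT is matched in configuration order, first match wins, so the
! host-specific rule is entered before the "any" rule. Each global is a single
! address, so both rules are dynamic PAT behind that address.
nat (inside) 1 access-list POLICY-NAT1
global (outside) 1 192.168.6.61
nat (inside) 2 access-list POLICY-NAT2
global (outside) 2 192.168.6.62
!
! Verification from enable mode (not part of the running config):
!   packet-tracer input inside tcp 10.1.1.1 1025 10.4.4.4 23
!     -> the NAT phase should show the POLICY-NAT1 rule (mapped to 192.168.6.61)
!   packet-tracer input inside tcp 10.1.12.1 1025 10.4.4.4 23
!     -> should fall through to the POLICY-NAT2 rule (mapped to 192.168.6.62)
!   show xlate    (live translations after telnetting from R1)
!   show nat      (per-rule match counters)
```

Two things to check after applying it: the packet-tracer for a non-telnet flow (for example port 80) from 10.1.1.1 should show no policy NAT match at all, which is what distinguishes this from Option B, and the rule order must be confirmed with show running-config nat, since swapping the two nat lines silently sends the loopback traffic to 192.168.6.62.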



      