Can you test it end to end and let us know if the translation is happening as expected.
Also please post "sh run static" O/P.

With regards
Kings

On Wed, Dec 8, 2010 at 11:17 AM, wale ogunyemi <[email protected]> wrote:

> Sure i know you will use the nat and global command....but in my own case
> the static (inside,outside) 10.3.3.3 access-list TEST is accepted by the ASA
> and the access-list is access-list TEST permit tcp host 10.10.10.10 host
> 1.1.1.1 eq telnet
>
> ------------------------------
> *From:* Kingsley Charles <[email protected]>
> *To:* wale ogunyemi <[email protected]>
> *Cc:* Mark Senteza <[email protected]>; [email protected]
> *Sent:* Wed, December 8, 2010 6:37:14 AM
> *Subject:* Re: [OSL | CCIE_Security] Policy NAT on ASA
>
> When you specify tcp in the access-list and try to associate it to the static
> rule, the ASA will give the following error. It's because by default the "IP"
> protocol is considered for translation.
>
> When you have TCP or UDP in the access-list then it is a protocol mismatch,
> as the ASA expects IP.
>
> The TCP or UDP based access-list should be used for static PAT only.
>
> asa2(config)# access-list 123 permit tcp any any eq 23
> asa2(config)# static (inside,outside) 1.2.3.4 access-list 132
>
> asa2(config)# static (inside,outside) 1.2.3.4 access-list 123
> ERROR: Protocol mismatch between the static and access-list
>
> asa2(config)# static (inside,outside) 1.2.3.4 access-list 132
> ERROR: Protocol mismatch between the static and access-list
>
> The following will work, which is static PAT.
>
> asa2(config)# access-list 312 permit tcp host 10.20.30.40 eq 23 any
> asa2(config)# static (inside,outside) tcp 1.2.3.4 23 access-list 312
>
> Hence option A should be the right answer and I guess that is the solution
> in Yusuf's lab.
>
> With regards
> Kings
>
> On Wed, Dec 8, 2010 at 9:35 AM, wale ogunyemi <[email protected]> wrote:
>
>> Option A is the best solution but if you are told not to use the nat and
>> global command to achieve this then Option B will be used but you still
>> have to specify the tcp keyword to be correct because the way you have
>> used your access-list will affect any other traffic other than telnet...the
>> command set will be like this
>> static (inside,outside) tcp 192.168.6.61 23 access-list POLICY-NAT 23
>> This should be more appropriate
>> ------------------------------
>> *From:* Mark Senteza <[email protected]>
>> *To:* [email protected]
>> *Sent:* Wed, December 8, 2010 12:23:37 AM
>> *Subject:* [OSL | CCIE_Security] Policy NAT on ASA
>>
>> Hi again everyone.
>>
>> A question about Policy NAT on the ASA, and the best option to pick. With
>> Policy NAT I can use either one of the following options:
>>
>> What I'm trying to accomplish is that from Router R1, when I telnet to
>> Router R4's loopback0 (10.4.4.4) using the R1 loopback0 interface
>> (10.1.1.1), I should get the address translated to 192.168.6.61. But if I
>> telnet from any other interface, I should get translated to 192.168.6.62.
>>
>> *Option A*
>>
>> access-list POLICY-NAT1 extended permit ip host 10.1.1.1 host 10.4.4.4 eq telnet
>> access-list POLICY-NAT2 extended permit ip any host 10.4.4.4 eq telnet
>>
>> nat (inside) 1 access-list POLICY-NAT1
>> global (outside) 1 192.168.6.61
>>
>> nat (inside) 2 access-list POLICY-NAT2
>> global (outside) 2 192.168.6.62
>>
>> *Option B*
>>
>> access-list POLICY-NAT1 extended permit ip host 10.1.1.1 host 10.4.4.4
>> access-list POLICY-NAT2 extended permit ip any host 10.4.4.4
>>
>> static (inside,outside) 192.168.6.61 access-list POLICY-NAT1
>> static (inside,outside) 192.168.6.62 access-list POLICY-NAT2
>>
>> I use Option A because I can be specific with defining the traffic from
>> source to host as telnet traffic. With Option B I cannot, and even though
>> when I do telnet I get translated to the IP I'm requested to get translated
>> to, I also get translated to that same IP for all other traffic coming from
>> host 10.1.1.1 to host 10.4.4.4. The question only specifies telnet, not any
>> other traffic, so I guess I could care or care less about what happens to it
>> just as long as the traffic in question gets translated.
>>
>> If presented with a question like this in the lab, and not told to use one
>> way or the other, would option A be the best solution to provide, seeing
>> that it's as specific as can possibly get?
>>
>> Mark
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
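The rule Kings spells out above (a policy `static` with no protocol keyword translates at the IP layer, so its access-list must be an `ip` ACL, while a `tcp`/`udp` ACL belongs only with a static PAT line of the same protocol) is easy to check offline before the change reaches the console. The script below is an added example, not code from the thread or from Cisco: a small lint for pre-8.3 ASA `access-list` and `static` lines that reports the same mismatch the ASA rejects, plus the case where the referenced ACL does not exist (the thread's `access-list 132`, which the ASA also reported as a protocol mismatch). The function names and the sample config are constructed from the commands quoted in the thread; it does not model any other ASA validation.

```python
# Added example (not from the thread or from Cisco): an offline lint for
# pre-8.3 ASA policy `static` lines. A `static` with no protocol keyword is an
# IP-level translation, so its ACL must use protocol "ip"; a static PAT line
# (`static (r,m) tcp|udp <mapped-ip> <port> access-list X`) must reference an
# ACL of that same protocol. Runs over a "sh run" capture, no device needed.
import re

ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?(?:permit|deny)\s+(?P<proto>\S+)"
)
STATIC_RE = re.compile(
    r"^static\s+\((?P<real>[^,]+),(?P<mapped>[^)]+)\)\s+"
    r"(?:(?P<pat_proto>tcp|udp)\s+\S+\s+\S+|\S+)\s+"
    r"access-list\s+(?P<acl>\S+)"
)


def parse_acls(config_lines):
    """Map ACL name -> list of protocols used by its entries."""
    acls = {}
    for line in config_lines:
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m["name"], []).append(m["proto"].lower())
    return acls


def check_static(line, acls):
    """Return a list of findings for one policy `static` line (empty = OK)."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return ["not a policy static statement"]
    acl = m["acl"]
    if acl not in acls:
        # The thread shows the ASA answering this case with "Protocol
        # mismatch" too; naming the real cause is more useful in a review.
        return [f"access-list {acl} is not defined"]
    wanted = m["pat_proto"] or "ip"  # no tcp/udp keyword => IP-level static
    findings = []
    for proto in acls[acl]:
        if proto != wanted:
            findings.append(
                f"protocol mismatch: static expects {wanted} but "
                f"access-list {acl} uses {proto}"
            )
    return findings


def lint_config(config_lines):
    """Return {static line: findings} for every policy static in the config."""
    acls = parse_acls(config_lines)
    return {
        line.strip(): check_static(line, acls)
        for line in config_lines
        if line.strip().startswith("static ")
    }


# Constructed config fragment assembled from the lines quoted in the thread.
SAMPLE_CONFIG = """
access-list 123 permit tcp any any eq 23
access-list 312 permit tcp host 10.20.30.40 eq 23 any
access-list POLICY-NAT1 extended permit ip host 10.1.1.1 host 10.4.4.4
static (inside,outside) 1.2.3.4 access-list 123
static (inside,outside) 1.2.3.4 access-list 132
static (inside,outside) tcp 1.2.3.4 23 access-list 312
static (inside,outside) 192.168.6.61 access-list POLICY-NAT1
""".strip().splitlines()

if __name__ == "__main__":
    for static, findings in lint_config(SAMPLE_CONFIG).items():
        print(static)
        for finding in findings or ["OK"]:
            print("   ", finding)
```

On the sample, the `access-list 123` static is flagged as a tcp-versus-ip mismatch, the `access-list 132` static as an undefined ACL, and the static PAT line and the Option B style `ip` ACL line pass clean, which is exactly the split the thread arrives at.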
