Here is the output:

NibbsFire# show run static
static (inside,outside) 10.3.3.3 access-list TEST
!
access-list TEST extended permit tcp host 10.10.10.10 host 1.1.1.1 eq telnet

Will paste the test result shortly.

Regards,
Wale Ogunyemi

________________________________
From: Kingsley Charles <[email protected]>
To: wale ogunyemi <[email protected]>
Cc: Mark Senteza <[email protected]>; [email protected]
Sent: Wed, December 8, 2010 7:00:26 AM
Subject: Re: [OSL | CCIE_Security] Policy NAT on ASA

Can you test it end to end and let us know if the translation is happening as expected. Also please post "sh run static" O/P.

With regards
Kings

On Wed, Dec 8, 2010 at 11:17 AM, wale ogunyemi <[email protected]> wrote:

Sure, I know you will use the nat and global command... but in my own case the static (inside,outside) 10.3.3.3 access-list TEST is accepted by the ASA, and the access-list is access-list TEST permit tcp host 10.10.10.10 host 1.1.1.1 eq telnet

> ________________________________
> From: Kingsley Charles <[email protected]>
> To: wale ogunyemi <[email protected]>
> Cc: Mark Senteza <[email protected]>; [email protected]
> Sent: Wed, December 8, 2010 6:37:14 AM
> Subject: Re: [OSL | CCIE_Security] Policy NAT on ASA
>
> When you specify tcp in the access-list and try to associate it to the static rule, the ASA will give the following error. It's because by default the "IP" protocol is considered for translation.
>
> When you have TCP or UDP in the access-list then it is a protocol mismatch, as the ASA expects IP.
>
> The TCP or UDP based access-list should be used for static PAT only.
>
> asa2(config)# access-list 123 permit tcp any any eq 23
> asa2(config)# static (inside,outside) 1.2.3.4 access-list 132
>
> asa2(config)# static (inside,outside) 1.2.3.4 access-list 123
> ERROR: Protocol mismatch between the static and access-list
>
> asa2(config)# static (inside,outside) 1.2.3.4 access-list 132
> ERROR: Protocol mismatch between the static and access-list
>
> The following will work, which is static PAT.
>
> asa2(config)# access-list 312 permit tcp host 10.20.30.40 eq 23 any
> asa2(config)# static (inside,outside) tcp 1.2.3.4 23 access-list 312
>
> Hence option A should be the right answer and I guess that is the solution in Yusuf's lab.
>
> With regards
> Kings
>
> On Wed, Dec 8, 2010 at 9:35 AM, wale ogunyemi <[email protected]> wrote:
>
>> Option A is the best solution, but if you are told not to use the nat and global command to achieve this then Option B will be used, but you still have to specify the tcp keyword to be correct, because the way you have used your access-list will affect any other traffic other than telnet... the command set will be like this:
>>
>> static (inside,outside) tcp 192.168.6.61 23 access-list POLICY-NAT 23
>>
>> This should be more appropriate.
>>
>> ________________________________
>> From: Mark Senteza <[email protected]>
>> To: [email protected]
>> Sent: Wed, December 8, 2010 12:23:37 AM
>> Subject: [OSL | CCIE_Security] Policy NAT on ASA
>>
>> Hi again everyone.
>>
>> A question about Policy NAT on the ASA, and the best option to pick. With Policy NAT I can use either one of the following options:
>>
>> What I'm trying to accomplish is that from Router R1, when I telnet to Router R4's loopback0 (10.4.4.4) using the R1 loopback0 interface (10.1.1.1), I should get the address translated to 192.168.6.61. But if I telnet from any other interface, I should get translated to 192.168.6.62.
>>
>> Option A
>>
>> access-list POLICY-NAT1 extended permit ip host 10.1.1.1 host 10.4.4.4 eq telnet
>> access-list POLICY-NAT2 extended permit ip any host 10.4.4.4 eq telnet
>>
>> nat (inside) 1 access-list POLICY-NAT1
>> global (outside) 1 192.168.6.61
>>
>> nat (inside) 2 access-list POLICY-NAT2
>> global (outside) 2 192.168.6.62
>>
>> Option B
>>
>> access-list POLICY-NAT1 extended permit ip host 10.1.1.1 host 10.4.4.4
>> access-list POLICY-NAT2 extended permit ip any host 10.4.4.4
>>
>> static (inside,outside) 192.168.6.61 access-list POLICY-NAT1
>> static (inside,outside) 192.168.6.62 access-list POLICY-NAT2
>>
>> I use Option A because I can be specific with defining the traffic from source to host as telnet traffic. With Option B I cannot, and even though when I do telnet I get translated to the IP I'm requested to get translated to, I also get translated to that same IP for all other traffic coming from host 10.1.1.1 to host 10.4.4.4. The question only specifies telnet, not any other traffic, so I guess I could care or care less about what happens to it just as long as the traffic in question gets translated.
>>
>> If presented with a question like this in the lab, and not told to use one way or the other, would option A be the best solution to provide, seeing that it's as specific as can possibly get?
>>
>> Mark
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
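An added Python model (not from the thread, and not Cisco code) of the two points discussed above: the "Protocol mismatch" rule as Kings states it, and which traffic each policy static in Mark's Option B actually catches. The PORT_NAMES table, the dict layout and evaluating statics in configuration order are assumptions of the model.

```python
# Constructed model of the ASA 8.2-era policy NAT commands in the thread; not Cisco code.
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}
_port = lambda tok: PORT_NAMES.get(tok) or int(tok)   # 'telnet' or '23' -> 23

def parse_acl(lines):
    """'access-list NAME [extended] permit PROTO SRC [eq P] DST [eq P]' -> {name: [ace, ...]}."""
    acls = {}
    for line in lines:
        t = line.split()
        name, t = t[1], (t[3:] if t[2] == "extended" else t[2:])
        assert t[0] == "permit", line
        proto, t = t[1], t[2:]
        addr = lambda ts: ("any", ts[1:]) if ts[0] == "any" else (ts[1], ts[2:])  # 'any' | 'host X'
        src, t = addr(t)
        if t[:1] == ["eq"]:          # source port (Kings' ACL 312); kept out of the match below
            t = t[2:]
        dst, t = addr(t)
        dport = _port(t[1]) if t[:1] == ["eq"] else None
        acls.setdefault(name, []).append({"proto": proto, "src": src, "dst": dst, "dport": dport})
    return acls

def parse_static(line):
    """'static (in,out) [tcp|udp] MAPPED [MPORT] access-list NAME'; no protocol keyword means IP."""
    t = line.split()
    proto = t[2] if t[2] in ("tcp", "udp") else "ip"
    rest = t[3:] if proto != "ip" else t[2:]
    mport = None if rest[1] == "access-list" else _port(rest[1])
    return {"proto": proto, "mapped": rest[0], "mport": mport, "acl": rest[rest.index("access-list") + 1]}

def check_static(static, acls):
    """Kings' rule: a plain static translates IP, so its ACL must be 'ip'; static PAT needs a tcp/udp ACL of the same protocol."""
    if any(a["proto"] != static["proto"] for a in acls[static["acl"]]):
        return "ERROR: Protocol mismatch between the static and access-list"
    return "OK"

def translate(flow, statics, acls):
    """Mapped address for flow (src, dst, proto, dport) from the first static whose ACL matches (configuration order; an assumption of this model)."""
    src, dst, proto, dport = flow
    for s in statics:
        for a in acls[s["acl"]]:
            if (a["proto"] in ("ip", proto) and a["src"] in ("any", src)
                    and a["dst"] in ("any", dst) and a["dport"] in (None, dport)):
                return s["mapped"]
    return None

# Mark's Option B from the thread, ready to query with translate()
OPTION_B_ACLS = parse_acl(["access-list POLICY-NAT1 extended permit ip host 10.1.1.1 host 10.4.4.4",
                           "access-list POLICY-NAT2 extended permit ip any host 10.4.4.4"])
OPTION_B_STATICS = [parse_static("static (inside,outside) 192.168.6.61 access-list POLICY-NAT1"),
                    parse_static("static (inside,outside) 192.168.6.62 access-list POLICY-NAT2")]
```

Querying translate() with telnet from 10.1.1.1, telnet from another inside address, and non-telnet traffic from 10.1.1.1 returns .61, .62 and .61, which is the over-broad match Mark notes for Option B; check_static() on Kings' ACL 123 and 312 reproduces his mismatch error and his working static PAT.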
