The following is incorrect. With a static policy rule, you can't use destination port numbers. You can do it only with policy NAT (nat/global commands).

access-list acl1 extended permit tcp host 10.1.1.1 host 10.4.4.4 eq telnet
static (inside,outside) 192.168.6.61 access-list acl1

With regards
Kings

On Mon, Jul 2, 2012 at 2:28 PM, Ben Shaw <[email protected]> wrote:
> Hi All
>
> one of the requirements in Yusuf's second Lab is to source NAT the address
> 10.1.1.1 to 192.168.6.61 for telnet connections to 10.4.4.4. To do so I
> configured the following
>
> access-list acl1 extended permit tcp host 10.1.1.1 host 10.4.4.4 eq telnet
> static (inside,outside) 192.168.6.61 access-list acl1
>
> However this did not translate the source address and the connection was
> allowed to pass to 10.4.4.4 using the untranslated source address of
> 10.4.4.4. I performed a packet tracer and got the following output:
>
> ASA1/c1# packet-tracer input inside tcp 10.1.1.1 50000 10.4.4.4 telnet
> <snip>
> Phase: 9
> Type: NAT
> Subtype: host-limits
> Result: ALLOW
> Config:
> static (inside,outside) 192.168.6.61 access-list acl1
>   match tcp inside host 10.1.1.1 outside host 10.4.4.4 eq 23
>     static translation to 192.168.6.61/33135
>     translate_hits = 0, untranslate_hits = 0
> Additional Information:
> <snip>
> Result:
> input-interface: inside
> input-status: up
> input-line-status: up
> output-interface: outside
> output-status: up
> output-line-status: up
> Action: allow
> ASA1/c1#
>
> From this output it looks as though the translation will work as desired
> but when I try to actually perform the connection I get the following:
>
> R1#show ip interface brief | i Loopback0
> Loopback0                  10.1.1.1        YES NVRAM  up                    up
> R1#telnet 10.4.4.4 /source-interface loopback 0
> Trying 10.4.4.4 ... Open
>
> User Access Verification
>
> Password:
> R4>who
>     Line       User       Host(s)              Idle       Location
>    0 con 0                idle                 01:17:56
> *  98 vty 0                idle                 00:00:00 10.1.1.1
>
>   Interface    User               Mode         Idle     Peer Address
>
> R4>
>
> However, when I change the ACL and match just the IP address like this
>
> access-list acl2 extended permit ip host 10.1.1.1 host 10.4.4.4 log
> static (inside,outside) 192.168.6.61 access-list acl2
>
> everything seems to work fine as shown below:
>
> R1#telnet 10.4.4.4 /source-interface loopback 0
> Trying 10.4.4.4 ... Open
>
> User Access Verification
>
> Password:
> R4>who
>     Line       User       Host(s)              Idle       Location
>    0 con 0                idle                 01:21:44
> *  98 vty 0                idle                 00:00:00 192.168.6.61
>
>   Interface    User               Mode         Idle     Peer Address
>
> R4>
>
> I was quite certain that policy NAT allows NAT decisions to be based on
> both IP addresses and ports but the use of ports seems to be causing issues
> here. Can anyone enlighten me as to why this isn't working with TCP ports
> defined in the ACL?
>
> Thanks
> Ben
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
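As an added illustration that is not part of the thread above, the following Python models how a policy-NAT ACL selects a translation for a flow, using the two ACLs, the hosts and the telnet flow quoted in the thread. It shows why both acl1 (tcp, eq telnet) and acl2 (ip, any port) match the 10.1.1.1:50000 -> 10.4.4.4:23 flow, while only acl2 matches a flow to a different destination port, and it includes the check Ben used on the far end (reading the peer address in R4's `who` output) as a function. The first-match, host-only ACL semantics and the `Ace`/`Flow`/`PolicyStatic` names are simplifying assumptions of this example, not ASA code.

```python
# Added example (not from the mailing-list thread): a simplified model of
# policy-NAT ACL matching plus a far-end verification helper.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-list entry. proto 'ip' matches any protocol;
    dst_port None matches any destination port (assumed simplification)."""
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class PolicyStatic:
    """A 'static (inside,outside) <mapped> access-list <name>' rule."""
    name: str
    mapped: str
    aces: Tuple[Ace, ...]


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def ace_matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ace.src != flow.src or ace.dst != flow.dst:
        return False
    return ace.dst_port is None or ace.dst_port == flow.dport


def translate_source(flow: Flow, policies) -> Tuple[Optional[str], str]:
    """Return (policy name, mapped source) for the first policy whose ACL
    matches the flow, or (None, original source) when nothing matches."""
    for policy in policies:
        if any(ace_matches(ace, flow) for ace in policy.aces):
            return policy.name, policy.mapped
    return None, flow.src


def verify_remote_view(expected_mapped: str, who_output: str) -> bool:
    """True when a vty session in the far-end 'who' output shows the
    expected mapped source address (the check done on R4 in the thread)."""
    return any(
        "vty" in line and line.split()[-1] == expected_mapped
        for line in who_output.splitlines()
    )


# The two rules from the thread (23 = telnet).
ACL1 = PolicyStatic("acl1", "192.168.6.61",
                    (Ace("tcp", "10.1.1.1", "10.4.4.4", 23),))
ACL2 = PolicyStatic("acl2", "192.168.6.61",
                    (Ace("ip", "10.1.1.1", "10.4.4.4"),))

# The packet-tracer flow from the thread, plus a constructed HTTP flow.
TELNET = Flow("tcp", "10.1.1.1", 50000, "10.4.4.4", 23)
HTTP = Flow("tcp", "10.1.1.1", 50001, "10.4.4.4", 80)

# Constructed from the two 'who' outputs quoted in the thread.
WHO_UNTRANSLATED = "*  98 vty 0   idle   00:00:00 10.1.1.1\n"
WHO_TRANSLATED = "*  98 vty 0   idle   00:00:00 192.168.6.61\n"

if __name__ == "__main__":
    for flow in (TELNET, HTTP):
        for rules in ([ACL1], [ACL2]):
            print(flow.dport, rules[0].name, translate_source(flow, rules))
    print(verify_remote_view("192.168.6.61", WHO_TRANSLATED))
```

The matcher deliberately treats the port-qualified ACL and the ip-only ACL the same way for the telnet flow, which is what the packet-tracer phase in the thread also reports; the far-end `who` check is the observation that tells the two outcomes apart.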
