Hi Guys,
I'm a bit confused as it seems to me you are agreeing with each other but
yet saying different things. Kings says matching on protocol can't be done
with static policy NAT and Bruno seems to say it can.
I now with some other forms of policy NAT if I try and use an ACL with
ports defined I get an error message that a port based ACL can't be used. I
don't get that error when I use an ACL with ports with static NAT and when
I check the NAT configuration between interfaces as shown below the
particular configuration seems to be applied just as I want it to be
ASA1/c1(config)# access-list acl1 extended permit tcp host 10.1.1.1 host
10.4.4.4 eq telnet
ASA1/c1(config)# static (inside,outside) 192.168.6.61 access-list acl1
ASA1/c1# show nat inside outside
match tcp inside host 10.1.1.1 outside host 10.4.4.4 eq 23
static translation to 192.168.6.61/50961
translate_hits = 0, untranslate_hits = 0
So according to the output above the command did 'take' and traffic from
10.1.1.1 to 10.4.4.4:23 is being SNAT'd to 192.168.6.61. Now I'll agree
that I did not see the firewall operating in this way and the NAT operation
did not seem to actually work but why would it 1) accept my static command
with a port based ACL if it couldn't (especially when in other NAT
statements it will return an error) and 2) show entries in the "show nat
inside outside" command that seem to confirm that it will translate the
traffic I want it to?
Thanks
Ben
On Mon, Jul 2, 2012 at 9:31 PM, Bruno Silva <[email protected]> wrote:
> What Kings is saying is correct, you can only use an access-list matching
> TCP when you are going to match the protocol on the static translation.
>
>
> 2012/7/2 Kingsley Charles <[email protected]>
>
>> The following is incorrect. With static policy rule, you can't use
>> destination port numbers. You can do it only with policy nat (nat/global
>> commands)
>>
>>
>> access-list acl1 extended permit tcp host 10.1.1.1 host 10.4.4.4 eq telnet
>> static (inside,outside) 192.168.6.61 acl1
>>
>>
>> With regards
>> Kings
>>
>> On Mon, Jul 2, 2012 at 2:28 PM, Ben Shaw <[email protected]> wrote:
>>
>>> Hi All
>>>
>>> one of the requirements in Yusuf's second Lab is to source NAT the
>>> address 10.1.1.1 to 192.168.6.61 for telnet connections to 10.4.4.4. To do
>>> so I configured the following
>>>
>>> access-list acl1 extended permit tcp host 10.1.1.1 host 10.4.4.4 eq
>>> telnet
>>> static (inside,outside) 192.168.6.61 acl1
>>>
>>> However this did not translate the source address and the connection was
>>> allowed to pass to 10.4.4.4 using the untranslated source address of
>>> 10.4.4.4. I performed a packet tracer and got the following output:
>>>
>>>
>>> ASA1/c1# packet-tracer input inside tcp 10.1.1.1 50000 10.4.4.4 telnet
>>> <snip>
>>> Phase: 9
>>> Type: NAT
>>> Subtype: host-limits
>>> Result: ALLOW
>>> Config:
>>> static (inside,outside) 192.168.6.61 access-list acl1
>>> match tcp inside host 10.1.1.1 outside host 10.4.4.4 eq 23
>>> static translation to 192.168.6.61/33135
>>> translate_hits = 0, untranslate_hits = 0
>>> Additional Information:
>>> <snip>
>>> Result:
>>> input-interface: inside
>>> input-status: up
>>> input-line-status: up
>>> output-interface: outside
>>> output-status: up
>>> output-line-status: up
>>> Action: allow
>>> ASA1/c1#
>>>
>>>
>>> From this output it looks as though the translation will work as
>>> desired but when I try actually perform the connection I get the following:
>>>
>>>
>>> R1#show ip interface brief | i Loopback0
>>> Loopback0 10.1.1.1 YES NVRAM
>>> up up
>>> R1#telnet 10.4.4.4 /source-interface loopback 0
>>> Trying 10.4.4.4 ... Open
>>> User Access Verification
>>> Password:
>>> R4>who
>>> Line User Host(s) Idle Location
>>> 0 con 0 idle 01:17:56
>>> * 98 vty 0 idle 00:00:00 10.1.1.1
>>> Interface User Mode Idle Peer Address
>>> R4>
>>>
>>>
>>> However, when I change the ACL and match just the IP address like this
>>>
>>>
>>> access-list acl2 extended permit ip host 10.1.1.1 host 10.4.4.4 log
>>> static (inside,outside) 192.168.6.61 access-list acl2
>>>
>>>
>>> everything seems to work fine as show below:
>>>
>>>
>>> R1#telnet 10.4.4.4 /source-interface loopback 0
>>> Trying 10.4.4.4 ... Open
>>> User Access Verification
>>> Password:
>>> R4>who
>>> Line User Host(s) Idle Location
>>> 0 con 0 idle 01:21:44
>>> * 98 vty 0 idle 00:00:00 192.168.6.61
>>> Interface User Mode Idle Peer Address
>>> R4>
>>>
>>>
>>> I was quite certain that policy NAT allows NAT decisions to be based on
>>> both IP addresses and ports but the use of ports seems to be causing issues
>>> here. Can any enlighten me as to why this isn't working with TCP ports
>>> defined in the ACL?
>>>
>>> Thanks
>>> Ben
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training,
>>> please visit www.ipexpert.com
>>>
>>> Are you a CCNP or CCIE and looking for a job? Check out
>>> www.PlatinumPlacement.com
>>>
>>
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
>>
>
>
>
> --
> Bruno Silva
> Network Consultant
> Cisco CCNA/CCDA/CCNP/CCDP/CCSP Certified
> Arcsight Professional Certified - ACIA/ACSA
>
>
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
