Hi Mike,
See the answer below from the DSG. It states "use global ACLs", implying
more than one ACL.
Task 12: Manual static identity NAT on ASA-3
* Create a loopback on R2 with an IP address of 222.222.222.222/32.
Configure static identity NAT such that only outside users can ping that IP
address. Use global ACLs to allow access.
* Advertise the new loopback into RIPv2 on R2 and create appropriate
static routes on R4 and R5.
Task 12: Solutions
Step 1: Configure Loopback on R2 and advertise into RIP.
int lo222
ip add 222.222.222.222 255.255.255.255
router rip
network 222.222.222.0
Step 2: Configure Static routes on R4 and R5.
R5
ip route 222.222.222.222 255.255.255.255 100.100.35.105
R4
ip route 222.222.222.222 255.255.255.255 200.100.34.104
Step 3: Configure objects on ASA3
object network R2_Loop222
host 222.222.222.222
Step 4: Configure Manual identity NAT on ASA3
nat (dmz1,outside-1) source static R2_Loop222 R2_Loop222
nat (dmz1,outside-2) source static R2_Loop222 R2_Loop222
Step 5: Configure global ACLs
access-list GLOBAL permit ip any object R2_Loop222
access-list GLOBAL permit ip object R2_Loop222 any
Verification
Step 1: Verify Manual NAT entries (Section 1): entries 5 and 6 of section 1.
Manual NAT Policies (Section 1)
<SNIP>
5 (dmz1) to (Outside-1) source static R2_Loop222 R2_Loop222
translate_hits = 0, untranslate_hits = 0
Source - Origin: 222.222.222.222/32, Translated: 222.222.222.222/32
6 (dmz1) to (Outside-2) source static R2_Loop222 R2_Loop222
translate_hits = 0, untranslate_hits = 0
Source - Origin: 222.222.222.222/32, Translated: 222.222.222.222/32
<SNIP>
Step 2: Telnet from Lo222 to R4 and R5 and perform basic ping tests.
R2#telnet 45.45.45.4 /source-interface lo222
Trying 45.45.45.4 ... Open
R4#sh users
Line User Host(s) Idle Location
0 con 0 idle 00:04:58
*514 vty 0 idle 00:00:00 222.222.222.222
Interface User Mode Idle Peer Address
R4#exit
[Connection to 45.45.45.4 closed by foreign host]
R2#ping 4.4.4.4 so lo 222
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 222.222.222.222
!!!!!
R2#ping 45.45.45.5 so lo 222
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 45.45.45.5, timeout is 2 seconds:
Packet sent with a source address of 222.222.222.222
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R2#telnet 100.100.35.5 /source-interface lo222
Trying 100.100.35.5 ... Open
R5#show users
Line User Host(s) Idle Location
0 con 0 idle 00:04:00
*514 vty 0 idle 00:00:00 222.222.222.222
Interface User Mode Idle Peer Address
R5#ping 222.222.222.222
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 222.222.222.222, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R5#exit
[Connection to 100.100.35.5 closed by foreign host]
R2#
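The question below turns on how the ASA orders an interface ACL against a global ACL. As an added illustration that is not part of this thread or of the DSG answer, the Python model here evaluates a packet the way the ASA documents it: the ingress interface ACL first (an explicit permit or deny there is final), then the global ACL for anything the interface ACL did not match, then the implicit deny. The GLOBAL entries are the two lines from Step 5 above; the interface ACL contents are constructed, since the thread does not show the ACLs from the earlier task. The block also evaluates a tighter ICMP-only variant of the GLOBAL rule, matching the task wording that only ping from outside is required.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Ace:
    """One access-list entry: <action> <proto> <src> <dst>."""
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches every protocol
    src: IPv4Net
    dst: IPv4Net

    def matches(self, proto: str, src: IPv4Addr, dst: IPv4Addr) -> bool:
        return self.proto in ("ip", proto) and src in self.src and dst in self.dst


ANY = ipaddress.ip_network("0.0.0.0/0")
R2_LOOP222 = ipaddress.ip_network("222.222.222.222/32")   # object network R2_Loop222
INSIDE_SERVERS = ipaddress.ip_network("10.1.1.0/24")      # constructed, not from the thread

# Constructed stand-in for the interface ACL left on outside-1 by the earlier task.
OUTSIDE1_ACL: List[Ace] = [
    Ace("permit", "tcp", ANY, INSIDE_SERVERS),
]

# Step 5 of the DSG answer, as posted.
GLOBAL_ACL: List[Ace] = [
    Ace("permit", "ip", ANY, R2_LOOP222),
    Ace("permit", "ip", R2_LOOP222, ANY),
]

# Tighter variant: the task only asks for ping from outside to the loopback.
GLOBAL_ACL_ICMP_ONLY: List[Ace] = [
    Ace("permit", "icmp", ANY, R2_LOOP222),
]


def first_match(acl: List[Ace], proto: str, src: IPv4Addr, dst: IPv4Addr) -> Optional[str]:
    """First-match semantics: return the action of the first ACE that matches, else None."""
    for ace in acl:
        if ace.matches(proto, src, dst):
            return ace.action
    return None


def asa_decision(interface_acl: Optional[List[Ace]], global_acl: Optional[List[Ace]],
                 proto: str, src: str, dst: str) -> str:
    """Model of ASA access-rule processing for a packet entering one interface.

    Assumed order (documented ASA behaviour): interface ACL, then global ACL,
    then implicit deny. With a global ACL applied, the interface ACL's own
    implicit deny does not fire; unmatched traffic falls through instead.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if interface_acl:
        verdict = first_match(interface_acl, proto, s, d)
        if verdict is not None:
            return f"{verdict} (interface ACL)"
    if global_acl:
        verdict = first_match(global_acl, proto, s, d)
        if verdict is not None:
            return f"{verdict} (global ACL)"
    return "deny (implicit)"


if __name__ == "__main__":
    # Outside user on R4 pings the loopback: not in OUTSIDE1_ACL, permitted by GLOBAL.
    print(asa_decision(OUTSIDE1_ACL, GLOBAL_ACL, "icmp", "45.45.45.4", "222.222.222.222"))
    # Same ping against the ICMP-only GLOBAL: still permitted.
    print(asa_decision(OUTSIDE1_ACL, GLOBAL_ACL_ICMP_ONLY, "icmp", "45.45.45.4", "222.222.222.222"))
    # Telnet to the loopback from outside is only open because GLOBAL says "ip".
    print(asa_decision(OUTSIDE1_ACL, GLOBAL_ACL, "tcp", "45.45.45.4", "222.222.222.222"))
    print(asa_decision(OUTSIDE1_ACL, GLOBAL_ACL_ICMP_ONLY, "tcp", "45.45.45.4", "222.222.222.222"))
    # Only an explicit deny in the interface ACL stops the fall-through to GLOBAL.
    blocking = [Ace("deny", "icmp", ANY, R2_LOOP222)] + OUTSIDE1_ACL
    print(asa_decision(blocking, GLOBAL_ACL, "icmp", "45.45.45.4", "222.222.222.222"))
```

The model shows why an interface ACL that simply does not mention the loopback does not block the global permit: the packet is only dropped when an interface ACE matches it with an explicit deny, or when neither ACL matches and the implicit deny applies. Running `show access-list GLOBAL` after the ping test and checking the hit counts on the two GLOBAL entries confirms the same fall-through on a live ASA.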
From: [email protected]
[mailto:[email protected]] On Behalf Of Mike Rojas
Sent: Friday, April 26, 2013 7:27 AM
To: [email protected]
Subject: [OSL | CCIE_Security] Workbook1 Task 12
Hi,
This task says that you need to allow the traffic from the outside to the
loopback 222.222.222.222/32 on R2. The problem comes when it says that I
need to allow this using the Global ACL. There was already a Global ACL
configured but also, there are 2 access list on ASA3 used to allow traffic
inbound from outside at a previous task.
The problem is that even if I allow that traffic on the global ACL, it is
not going to work, as the interface ACL is processed before the Global
ACL.
Is there something that I am doing wrong?
Another question that comes up is that, for every object that needed 2
NATs for both outside interfaces, I created the object and then another
object with the same host and created the NAT there. Just checking if that
is correct.
Finally, on a task I read that you can reuse the object for the access
list... well, I reused every object that I could :P, so I don't know if,
prior to that task, I needed to create a new object for the ACLs.
Mike.
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com